Bug 30267

Summary: crun new security issue CVE-2022-27650
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, jean-pierre, mageia, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: crun-1.3-2.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-04-09 19:29:22 CEST 
Fedora has issued an advisory on April 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HYIGABCZ7ZHAG2XCOGITTQRJU2ASWMFA/

The issue is fixed upstream in 1.4.4.

Mageia 8 is also affected.
David Walser 2022-04-09 19:29:40 CEST

Status comment: (none) => Fixed upstream in 1.4.4
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-04-11 20:03:56 CEST 
Crun is nursed by Joseph, so assigning this to you.

Assignee: bugsquad => joequant

Comment 2 David Walser 2022-04-13 16:14:42 CEST 
crun-1.4.4-1.mga8 uploaded by Nicolas (committed by an apprentice).

CC: (none) => jean-pierre
Status comment: Fixed upstream in 1.4.4 => (none)

David Walser 2022-04-13 16:15:14 CEST

Assignee: joequant => qa-bugs
Version: Cauldron => 8
CC: (none) => mageia
Whiteboard: MGA8TOO => (none)

Comment 3 Len Lawrence 2022-04-13 19:16:35 CEST 
2022This looks like one of those we have to pass on a clean installation.
I spent a couple of hours exploring its origins - RedHat's C alternative to runc (written in go) and trying to get to grips with cgroup2: https://www.kernel.org/doc/Documentation/cgroup-v2.txt.  There is no hand-holding tutorial for crun although it has an extensive man page.  RedHat Enterprise offers a free 30-day introductory course on container technology.

Core version in place.
# rpm -q crun
crun-0.16-2.mga8
# mount -t cgroup2 none /cgroup
$ crun list
NAME PID       STATUS   BUNDLE PATH
$ crun --help
Usage: crun [OPTION...] COMMAND [OPTION...]
....
$ crun create qac
-04-13T16:03:00.000874506Z: error loading config.json

Updated via qarepo.
$ rpm -q crun
crun-1.4.4-1.mga8
$ crun list
NAME PID       STATUS   BUNDLE PATH                             CREATED                        OWNER
$ crun create qac
2022-04-13T17:10:38.000951841Z: error loading config.json

OK for this on the basis of a clean install and no change in behaviour for the simplest commands.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-04-14 14:25:43 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-04-15 22:15:55 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-04-15 23:36:39 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0141.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED