Bug 30421

Summary: opencontainers-runc new security issue CVE-2022-29162
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, bruno, davidwhodgins, sysadmin-bugs, tarazed25
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-64-OK
Source RPM: opencontainers-runc-1.0.3-1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2022-05-13 22:08:51 CEST
Upstream has issued an advisory on May 11:
https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66

It was announced on May 12:
https://www.openwall.com/lists/oss-security/2022/05/12/1

The issue is fixed upstream in 1.1.2:
https://github.com/opencontainers/runc/releases/tag/v1.1.2

Mageia 8 is also affected.

David Walser 2022-05-13 22:09:04 CEST

Status comment: (none) => Fixed upstream in 1.1.2
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-05-14 18:05:47 CEST
Updated packages uploaded for Mageia 8 and Cauldron by Bruno.

opencontainers-runc-1.1.2-2.mga8

from opencontainers-runc-1.1.2-2.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => bruno
Assignee: bruno => qa-bugs
Status comment: Fixed upstream in 1.1.2 => (none)

Comment 2 Len Lawrence 2022-05-18 09:48:43 CEST
Mageia8, x86_64

$ rpm -q opencontainers-runc
opencontainers-runc-1.0.3-1.mga8

Clean update:
$ rpm -q opencontainers-runc
opencontainers-runc-1.1.2-2.mga8

Running a docker session to test, as done previously (e.g. bug 30279).
Restarted docker and checked status.  OK
$ docker run hello-world
Reported working docker installation.
$ docker ps -a
Reported previous sessions.
$ docker run -it ubuntu bash
root@1114b59493cf:/# exit
<That loaded immediately so must have been opening an existing container?>

$ docker run -it -h cowsay debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
67e8aa6c8bbc: Pull complete 
Digest: sha256:6137c67e2009e881526386c42ba99b3657e4f92f546814a33d35b14e60579777
Status: Downloaded newer image for debian:latest
root@cowsay:/# apt-get update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [39.4 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [146 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8182 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [2596 B]
Fetched 8530 kB in 3s (3086 kB/s)                         
Reading package lists... Done
root@cowsay:/# apt-get install -y cowsay fortune
......
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 ____________________________
< Save energy: be apathetic. >
 ----------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@cowsay:/# exit

No regressions so far.  Should be OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 3 Len Lawrence 2022-05-18 09:54:58 CEST
Note added to comment 2:
Rerunning the previous command loaded the container immediately
$ docker run -it -h cowsay debian bash
root@cowsay:/# 

but the previously installed packages did not come with it, so I guess the running container needs to be saved as a new image or something like that to retain new content.

Comment 4 Thomas Andrews 2022-05-19 14:04:15 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-20 01:02:34 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-05-21 10:51:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0192.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED