Bug 24253 - opencontainers-runc new security issues fixed upstream (rhbz#1663068, CVE-2019-5736)
Summary: opencontainers-runc new security issues fixed upstream (rhbz#1663068, CVE-201...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 24289
Reported: 2019-01-28 02:05 CET by David Walser
Modified: 2019-02-13 12:10 CET (History)

See Also:
Source RPM: opencontainers-runc-1.0.0-0.rc6.1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-01-28 02:05:19 CET
Fedora has issued an advisory on January 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SMFQ54VEZPJT4H2C2TBILCPDX2VMAIZ2/

They updated to a git snapshot that apparently fixed the issue.

The RedHat bug links to upstream pull request:
https://bugzilla.redhat.com/show_bug.cgi?id=1663068

Mageia 6 may also be affected.
David Walser 2019-01-28 02:05:33 CET

CC: (none) => bruno
Whiteboard: (none) => MGA6TOO

David Walser 2019-02-01 22:17:07 CET

Blocks: (none) => 24289

Comment 1 David Walser 2019-02-02 23:10:11 CET
Pull request patch added in opencontainers-runc-1.0.0-0.rc6.2.mga7 in Cauldron.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 2 Bruno Cornec 2019-02-04 19:28:39 CET
Fix applied on mga6 and update pushed in updates_testing

Status: NEW => ASSIGNED
Assignee: ngompa13 => qa-bugs

Comment 3 David Walser 2019-02-05 17:08:36 CET
Advisory:
========================

Updated opencontainers-runc package fixes security vulnerability:

Not using pivot_root(2) leaves the host /proc around in the mount namespace so
that it is possible to mount another /proc without any other submount, even if
/proc in the container is not fully visible. This flaw allows an attacker to
read and modify some parts of the Linux kernel memory (rhbz#1663068).

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SMFQ54VEZPJT4H2C2TBILCPDX2VMAIZ2/
========================

Updated packages in core/updates_testing:
========================
opencontainers-runc-1.0.0rc5-3.1.mga6

from opencontainers-runc-1.0.0rc5-3.1.mga6.src.rpm
Comment 4 Len Lawrence 2019-02-11 17:42:56 CET
Had a quick look at this and read a little about OCI and EBNF and other things and came to the conclusion that the subject is too advanced for a QA tester with no background in container philosophy.  From what I can gather the runc command, among other things, can create a container from a "bundle" which is some kind of collection of files on disk bound together by a configuration file which follows OCI specifications.  This would include docker containers, particularly as runC was a gift from the Docker project.  pivot-root is a parameter which jails the running container process within its rootfs.

As I have no idea how to test it we shall have to be satisfied with a clean update.

Yes, that went OK.

$ runc help
gives usage, basic commands and cli options.
$ runc help <command>
provides information on individual commands.
$ runc --version
runc version 1.0.0-rc5
spec: 1.0.0

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 5 David Walser 2019-02-12 00:33:52 CET
Upstream has issued an advisory today (February 11):
https://www.openwall.com/lists/oss-security/2019/02/11/2

Advisory:
========================

Updated opencontainers-runc package fixes security vulnerabilities:

Not using pivot_root(2) leaves the host /proc around in the mount namespace so
that it is possible to mount another /proc without any other submount, even if
/proc in the container is not fully visible. This flaw allows an attacker to
read and modify some parts of the Linux kernel memory (rhbz#1663068).

runc through 1.0-rc6 allows attackers to overwrite the host runc binary (and
consequently obtain host root access) by leveraging the ability to execute a
command as root within one of these types of containers: a new container with
an attacker-controlled image, or an existing container, to which the attacker
previously had write access, that can be attached with docker exec. This
occurs because of file-descriptor mishandling, related to /proc/self/exe
(CVE-2019-5736).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SMFQ54VEZPJT4H2C2TBILCPDX2VMAIZ2/
https://www.openwall.com/lists/oss-security/2019/02/11/2
========================

Updated packages in core/updates_testing:
========================
opencontainers-runc-1.0.0rc5-3.1.mga6

from opencontainers-runc-1.0.0rc5-3.1.mga6.src.rpm

Summary: opencontainers-runc new security issue fixed upstream => opencontainers-runc new security issues fixed upstream (rhbz#1663068, CVE-2019-5736)
Severity: normal => critical
Whiteboard: MGA6-64-OK => (none)

Comment 6 Dave Hodgins 2019-02-13 04:36:58 CET
Due to the extreme criticality of this security bug, validating based on
the update installing cleanly.

Specifying the srpm opencontainers-runc-1.0.0rc5-3.2.mga6, not rc5-3.1
in the advisory for svn.

Advisory committed to svn. Validating the update.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Mageia Robot 2019-02-13 12:10:32 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0068.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED