SUSE has issued an advisory today (February 7): http://lists.suse.com/pipermail/sle-security-updates/2020-February/006478.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
openSUSE has issued an advisory for this on February 14: https://lists.opensuse.org/opensuse-updates/2020-02/msg00066.html
Fedora has issued an advisory for this on February 8: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NWDTSREUDLT3UFYS5SBIVQBS4YRA35A/
Status comment: (none) => Fixed upstream in 1.0.0-rc10
1.0.0-rc10 pushed to cauldron.
Status: NEW => ASSIGNED
1.0.0-rc10 pushed to 7 core/updates_testing
Assignee: bruno => qa-bugs
CC: (none) => bruno
Version: Cauldron => 7
Advisory:
========================

Updated opencontainers-runc package fixes security vulnerability:

An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization, by adding a symlink to the rootfs that points to a directory on the volume (CVE-2019-19921).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19921
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2NWDTSREUDLT3UFYS5SBIVQBS4YRA35A/
========================

Updated packages in core/updates_testing:
========================

opencontainers-runc-1.0.0-0.rc10.3.1.mga7

from opencontainers-runc-1.0.0-0.rc10.3.1.mga7.src.rpm
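The advisory describes the precondition an image must carry for CVE-2019-19921 to matter: a symlink inside the rootfs that lands on a directory the runtime mounts (a shared volume). The fix is the updated runc package above; the following added example, which is not code from runc, Docker or the Mageia package, shows a pre-flight review check an operator can run over an exported rootfs and its config.json before starting anything. It resolves every symlink the way the container would see it (absolute targets relative to the rootfs root) and reports links that land on a declared mount destination or climb above the root. The sample rootfs, the mounts in SAMPLE_CONFIG and all paths are constructed for the demonstration.

```python
"""Pre-flight check for the precondition described in the advisory for
CVE-2019-19921: symlinks inside a container rootfs that resolve onto a
mount destination declared in config.json, or that climb above the rootfs
root. Added example; not code from runc, Docker or the Mageia package.
The sample rootfs, the config and all paths below are constructed."""
import json
import os
import tempfile

# Constructed stand-in for the "mounts" section of a runc config.json.
# Assumption: the image author has no control over these mounts (host policy).
SAMPLE_CONFIG = {
    "mounts": [
        {"destination": "/proc", "type": "proc", "source": "proc"},
        {"destination": "/data", "type": "bind", "source": "/srv/shared",
         "options": ["rbind", "rw"]},
    ]
}


def container_path(rootfs, link_path, target):
    """Resolve a symlink target the way the container sees it: an absolute
    target is taken relative to the rootfs root, a relative one relative to
    the link's own directory. Returns (container-absolute path, climbed_above_root)."""
    if os.path.isabs(target):
        parts = []
    else:
        rel_dir = os.path.relpath(os.path.dirname(link_path), rootfs)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
    climbed = False
    for seg in target.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                climbed = True  # ".." with nothing left to pop: above the root
        else:
            parts.append(seg)
    return "/" + "/".join(parts), climbed


def scan_rootfs(rootfs, config):
    """Walk the rootfs (without following links) and report every symlink
    that lands on or under a configured mount destination, or that climbs
    above the rootfs root. Returns a sorted list of
    (link path in container, resolved target, reason)."""
    destinations = [os.path.normpath(m["destination"]) for m in config.get("mounts", [])]
    findings = []
    for dirpath, dirnames, filenames in os.walk(rootfs):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            resolved, climbed = container_path(rootfs, full, os.readlink(full))
            link = "/" + os.path.relpath(full, rootfs)
            if climbed:
                findings.append((link, resolved, "climbs above rootfs root"))
                continue
            for dest in destinations:
                if resolved == dest or resolved.startswith(dest + "/"):
                    findings.append((link, resolved, "targets mount destination " + dest))
                    break
    return sorted(findings)


def build_sample_rootfs(base):
    """Construct a tiny busybox-style rootfs with one benign link and three
    links a reviewer would want to look at (constructed data)."""
    rootfs = os.path.join(base, "rootfs")
    for d in ("bin", "etc", "data", "proc"):
        os.makedirs(os.path.join(rootfs, d))
    open(os.path.join(rootfs, "bin", "busybox"), "w").close()
    os.symlink("/bin/busybox", os.path.join(rootfs, "bin", "ash"))             # normal busybox link
    os.symlink("/proc/self/mounts", os.path.join(rootfs, "etc", "mtab"))       # common, lands on /proc
    os.symlink("../data/secrets", os.path.join(rootfs, "etc", "shadow-link"))  # lands on the volume
    os.symlink("../../../host", os.path.join(rootfs, "bin", "up"))             # climbs above the root
    return rootfs


def run_demo():
    """Build the sample rootfs, write and re-read its config.json, scan it."""
    with tempfile.TemporaryDirectory() as base:
        rootfs = build_sample_rootfs(base)
        with open(os.path.join(base, "config.json"), "w") as fh:
            json.dump(SAMPLE_CONFIG, fh)
        with open(os.path.join(base, "config.json")) as fh:
            config = json.load(fh)
        return scan_rootfs(rootfs, config)


if __name__ == "__main__":
    for link, resolved, reason in run_demo():
        print(f"{link} -> {resolved}: {reason}")
```

On a real image, point scan_rootfs at the directory produced by `docker export` plus the config.json from `runc spec`. Expect benign hits: the /etc/mtab -> /proc/self/mounts link in the sample is ordinary on many images, so the output is a review list, not an automatic reject. The check only catches the precondition in an image at rest; the race itself is closed by the updated runc package, and the scan does not replace installing it.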
Severity: normal => major
Status comment: Fixed upstream in 1.0.0-rc10 => (none)
Whiteboard: MGA7TOO => (none)
mga7, x86_64

Updated the package.

https://blog.alexellis.io/runc-in-30-seconds/

Followed the recipe there and ended up with a directory structure like this:

.
├── config.json
├── #report#
├── rootfs
│   ├── bin
│   │   ├── ash -> /bin/busybox
│   │   ├── base64 -> /bin/busybox
│   │   ├── bbconfig -> /bin/busybox
│   │   ├── busybox
[...]
│   │   ├── watch -> /bin/busybox
│   │   └── zcat -> /bin/busybox
│   ├── dev
│   │   ├── console
│   │   ├── pts
│   │   └── shm
[...]
│   ├── usr
│   │   ├── bin
│   │   │   ├── [ -> /bin/busybox
│   │   │   ├── [[ -> /bin/busybox
│   │   │   ├── awk -> /bin/busybox
[...]
│   ├── spool
│   │   └── cron
│   │       └── crontabs -> /etc/crontabs
│   └── tmp
├── rootfs.tar
└── tree.txt

502 directories, 1986 files

After the

$ runc spec

which creates the JSON file, used runc to start a replica of the docker container. Upstream says to invent a name for the container, but:

$ sudo runc start node4a_repl
ERRO[0000] container "node4a_repl" does not exist
container "node4a_repl" does not exist.

Whatever the name the result is the same.

$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
91e91c49c0e3 mhart/alpine-node:4 "node" 18 seconds ago Exited (0) 17 seconds ago bewildered

The recipe:

$ docker export bewildered > rootfs.tar
$ tar -xf rootfs.tar -C rootfs/
$ ls rootfs
bin/ etc/ lib/ media/ proc/ run/ srv/ tmp/ var/
dev/ home/ linuxrc@ mnt/ root/ sbin/ sys/ usr/
$ runc spec
$ ls
config.json '#report#' report rootfs/ rootfs.tar tree.txt
$ sudo runc start Rumpelstiltskin
ERRO[0000] container "Rumpelstiltskin" does not exist
container "Rumpelstiltskin" does not exist
$ docker ps -a
91e91c49c0e3 mhart/alpine-node:4 "node" 10 minutes ago Exited (0) 10 minutes ago bewildered

Cannot figure this out.
CC: (none) => tarazed25
I think a normal docker test will suffice.
OK, thanks David. Part of the recipe involves generating a docker container, which seemed to work. However I shall run through the docker newbie tests.
Continuing from comment 6:

$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.

$ docker run -it fedora bash
[root@8999f139f043 /]# exit
$ docker ps -a
8999f139f043 fedora "bash" 7 minutes ago Exited (0) 58 seconds ago sad_shockley
$ docker inspect sad_shockley | grep Created
"Created": "2020-02-25T09:48:26.832811714Z",
$ docker run -it fedora bash
[root@c9b81c581eda /]# dnf install celestia
[...]
Complete!
[root@c9b81c581eda /]# ll /bin/celestia
-rwxr-xr-x 1 root root 2873744 Aug 23 2019 /bin/celestia
[root@c9b81c581eda /]# rpm -qa | grep celestia
celestia-1.6.1-32.fc31.x86_64
[root@c9b81c581eda /]# exit
exit
$ docker pull fedora:latest
latest: Pulling from library/fedora
5c1b9e8d7bf7: Pull complete
Digest: sha256:c97879f8bebe49744307ea5c77ffc76c7cc97f3ddec72fb9a394bd4e4519b388
Status: Downloaded newer image for fedora:latest
lcl@difda:runc $ docker run -ti fedora:latest /bin/bash
[root@92abb944f8e9 /]# ls
bin dev home lib64 media opt root sbin sys usr
boot etc lib lost+found mnt proc run srv tmp var

Ran `docker rm <nameofcontainer>` several times to get rid of the backlog, leaving two containers. Used `docker images` to list local images and removed a few with `docker rmi <image-id>`.

Taking David at his word and passing this for 64 bits.
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0103.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED