Bug 29738 - opencontainers-runc new security issue CVE-2021-43784
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-12-07 22:53 CET by David Walser
Modified: 2021-12-10 23:20 CET

See Also:
Source RPM: opencontainers-runc-1.0.2-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2021-12-07 22:53:25 CET
Debian-LTS has issued an advisory on December 6:
https://www.debian.org/lts/security/2021/dla-2841

The issue is fixed upstream in 1.0.3:
https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f

Mageia 8 is also affected.
David Walser 2021-12-07 22:53:35 CET

Status comment: (none) => Fixed upstream in 1.0.3
Whiteboard: (none) => MGA8TOO

Comment 1 Bruno Cornec 2021-12-08 01:11:51 CET
1.0.3 pushed to cauldron and mga8 testing_updates

Assignee: bruno => qa-bugs
CC: (none) => bruno
Status: NEW => ASSIGNED

Comment 2 David Walser 2021-12-08 01:31:49 CET
opencontainers-runc-1.0.3-1.mga8

from opencontainers-runc-1.0.3-1.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.0.3 => (none)

Comment 3 Len Lawrence 2021-12-08 14:05:15 CET
mga8, x64

Updated the package.  
Tested in the past by running docker and using the cli.  User in docker group.
$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
....

$ docker run -ti ubuntu /bin/bash 
root@1274ea492638:/# ls
bin   dev  home  lib32  libx32  mnt  proc  run   srv  tmp  var
boot  etc  lib   lib64  media   opt  root  sbin  sys  usr
root@1274ea492638:/# exit
exit

$ docker run -ti fedora:latest /bin/bash
[root@8ff5be948ddd /]# dnf install ruby
.......................
Transaction Summary
================================================================================
Install  11 Packages
Total download size: 4.4 M
Installed size: 16 M
Is this ok [y/N]: y
......
Installed:
  ruby-3.0.2-149.fc34.x86_64                                                    
  ruby-default-gems-3.0.2-149.fc34.noarch                                       
......
Complete!
[root@8ff5be948ddd /]# exit

$ docker images
REPOSITORY    TAG       IMAGE ID       CREATED        SIZE
ubuntu        latest    1318b700e415   4 months ago   72.8MB
fedora        latest    dce66322d647   4 months ago   178MB
mageia        latest    5d2f474d2628   8 months ago   313MB
hello-world   latest    d1165f221234   9 months ago   13.3kB

Not seeing any regressions so this can be sent on.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2021-12-09 19:34:25 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-12-10 21:57:12 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2021-12-10 23:20:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0553.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

