Bug 30421 - opencontainers-runc new security issue CVE-2022-29162
Summary: opencontainers-runc new security issue CVE-2022-29162
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2022-05-13 22:08 CEST by David Walser
Modified: 2022-05-21 10:51 CEST (History)
5 users (show)

See Also:
Source RPM: opencontainers-runc-1.0.3-1.mga8.src.rpm
Status comment:


Description David Walser 2022-05-13 22:08:51 CEST
Upstream has issued an advisory on May 11:

It was announced on May 12:

The issue is fixed upstream in 1.1.2:

Mageia 8 is also affected.
David Walser 2022-05-13 22:09:04 CEST

Status comment: (none) => Fixed upstream in 1.1.2
Whiteboard: (none) => MGA8TOO

Comment 1 David Walser 2022-05-14 18:05:47 CEST
Updated packages uploaded for Mageia 8 and Cauldron by Bruno.


from opencontainers-runc-1.1.2-2.mga8.src.rpm

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => bruno
Assignee: bruno => qa-bugs
Status comment: Fixed upstream in 1.1.2 => (none)

Comment 2 Len Lawrence 2022-05-18 09:48:43 CEST
Mageia8, x86_64

$ rpm -q opencontainers-runc

Clean update:
$ rpm -q opencontainers-runc

Running a docker session to test, as done previously (e.g. bug 30279).
Restarted docker and checked status.  OK
$ docker run hello-world
Reported working docker installation.
$ docker ps -a
Reported previous sessions.
$ docker run -it ubuntu bash
root@1114b59493cf:/# exit
<That loaded immediately so must have been opening an existing container?>

$ docker run -it -h cowsay debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
67e8aa6c8bbc: Pull complete 
Digest: sha256:6137c67e2009e881526386c42ba99b3657e4f92f546814a33d35b14e60579777
Status: Downloaded newer image for debian:latest
root@cowsay:/# apt-get update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [39.4 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [146 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8182 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [2596 B]
Fetched 8530 kB in 3s (3086 kB/s)                         
Reading package lists... Done
root@cowsay:/# apt-get install -y cowsay fortune
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
< Save energy: be apathetic. >
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@cowsay:/# exit

No regressions so far.  Should be OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 3 Len Lawrence 2022-05-18 09:54:58 CEST
Note added to comment 2:
Rerunning the  previous command loaded the container immediately
$ docker run -it -h cowsay debian bash

but the previously installed packages did not come with it so I guess the running container needs to be saved as a new image or something like that to retain new content.
Comment 4 Thomas Andrews 2022-05-19 14:04:15 CEST

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-05-20 01:02:34 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-05-21 10:51:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.