Bug 31729 - opencontainers-runc new security issues CVE-2023-25809, CVE-2023-27561, and CVE-2023-28642
Summary: opencontainers-runc new security issues CVE-2023-25809, CVE-2023-27561, and C...
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2023-03-28 16:16 CEST by David Walser
Modified: 2023-04-06 23:21 CEST (History)
5 users (show)

See Also:
Source RPM: opencontainers-runc-1.1.4-2.mga9.src.rpm
Status comment:


Description David Walser 2023-03-28 16:16:57 CEST
Debian-LTS has issued an advisory on March 27:

Mageia 8 is also affected.
David Walser 2023-03-28 16:17:06 CEST

Status comment: (none) => Patches available from upstream and Debian
Whiteboard: (none) => MGA8TOO

Comment 1 Bruno Cornec 2023-03-29 00:18:27 CEST
I suggest that we wait for officieal 1.1.5 due to other CVE to be fixed with it: https://github.com/opencontainers/runc/issues/3789


Comment 2 Bruno Cornec 2023-03-29 10:32:39 CEST
1.1.5 submitted for cauldron and mga8 updates_testing.

Version: Cauldron => 8
CC: (none) => bruno
Whiteboard: MGA8TOO => (none)
Assignee: bruno => qa-bugs
Status comment: Patches available from upstream and Debian => (none)

Comment 3 David Walser 2023-03-29 14:49:37 CEST

from opencontainers-runc-1.1.5-1.mga8.src.rpm

Note that this is still awaiting a freeze move for Cauldron.  In fact, I don't see a request submitted to the dev ml.  Bruno?
Comment 4 Bruno Cornec 2023-03-29 19:38:36 CEST
I made the request to the sysadmin ml.
Comment 5 Len Lawrence 2023-04-01 17:32:13 CEST
Mageia8, x86_64

CLI tool for open containers.

Clean update from the previously tested version.
Referencing bug 30421.
Restarted docker and ran hello-world to check installation.
$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
$ docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED          STATUS                      PORTS     NAMES
737663dbf81f   hello-world   "/hello"   24 seconds ago   Exited (0) 23 seconds ago             zealous_ride

$ docker run -it ubuntu bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
2ab09b027e7f: Pull complete 
Digest: sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21
Status: Downloaded newer image for ubuntu:latest
root@c65071eda6c0:/# exit
$ docker run -it -h cowsay debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
3e440a704568: Pull complete 
Digest: sha256:7b991788987ad860810df60927e1adbaf8e156520177bd4db82409f81dd3b721
Status: Downloaded newer image for debian:latest
root@cowsay:/# apt-get update
Fetched 8642 kB in 2s (4631 kB/s)                           
Reading package lists... Done
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
bash: /usr/games/cowsay: No such file or directory
bash: /usr/games/fortune: No such file or directory
root@cowsay:/# apt-get install ruby
<installed ruby 2.7>
Running hooks in /etc/ca-certificates/update.d...
irb(main):001:0> a = (1..21).to_a
=> [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21]
irb(main):002:0> sum = a.inject(&:+)
=> 231
irb(main):003:0> exit
root@cowsay:/# exit

Shame about cowsay.  Must have found greener grass over the hill.
Anyway, the container is functioning with docker.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 6 Len Lawrence 2023-04-01 17:59:07 CEST
Absolutely OT.
Fortunately we have it.
$ fortune | cowsay -t
/ The average individual's position in  \
| any hierarchy is a lot like pulling a |
| dogsled -- there's no real change of  |
\ scenery except for the lead dog.      /
        \   ^__^
         \  (--)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Comment 7 Thomas Andrews 2023-04-02 22:06:14 CEST
(OT) According to https://markets.businessinsider.com/commodities/live-cattle-price?op=1 live cattle prices to the farmer are up 80% over the last three years. If you couple that with the rising costs of feeding them it's not surprising that some cattle, even talking ones, might not be as easy to find as they once were.

But I digress from the business at hand. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 8 Len Lawrence 2023-04-03 01:19:11 CEST
Nice one TJ!
Comment 9 David Walser 2023-04-05 02:37:08 CEST
SUSE has issued an advisory for this on April 3:

The update to 1.1.5 also fixed two other CVEs.  Good moove Bruno!  :D

Summary: opencontainers-runc new security issue CVE-2023-27561 => opencontainers-runc new security issues CVE-2023-25809, CVE-2023-27561, and CVE-2023-28642

Dave Hodgins 2023-04-06 20:46:57 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 Mageia Robot 2023-04-06 23:21:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.