Package: runc
Severity: grave
Tags: security upstream
Justification: user security hole
Control: affects -1 docker.io
Control: clone -1 -2
Control: retitle -2 golang-github-opencontainers-selinux-dev: CVE-2019-16884
https://github.com/opencontainers/runc/issues/2128

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

This looks like it should be fixed by the following commits:

https://github.com/opencontainers/runc/commit/d463f6485b809b5ea738f84e05ff5b456058a184
https://github.com/opencontainers/runc/commit/331692baa7afdf6c186f8667cb0e6362ea0802b3
https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da

So we need to first fix golang-github-opencontainers-selinux-dev, then runc, and finally rebuild all reverse build-dependencies (mostly docker.io).
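As an added illustration of the class of check the report is about (this is example code written for this page, not runc's code nor the content of the linked commits): a naive mount-target check that only inspects the path beside a hardened one that resolves the destination inside the rootfs and requires the result to be a directory on procfs. The function names, the temp-dir rootfs layout and the "bind"/"proc" mount types are assumptions made for the example.

```go
// Added example, not code from runc or the commits linked above. Names and the
// constructed rootfs layout are assumptions made for illustration.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// PROC_SUPER_MAGIC from <linux/magic.h>: the f_type statfs(2) reports for procfs.
const procSuperMagic int64 = 0x9fa0

var ErrNotProcfs = errors.New("mount destination is under /proc but not on procfs")

// ResolveInRootfs joins dest onto rootfs, follows symlinks, and refuses a result
// that escapes rootfs (an image can ship /proc itself as a symlink).
func ResolveInRootfs(rootfs, dest string) (string, error) {
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, dest))
	if err != nil {
		return "", err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+string(filepath.Separator)) {
		return "", fmt.Errorf("%s resolves to %s, outside rootfs %s", dest, resolved, root)
	}
	return resolved, nil
}

// IsProcfs reports whether path lives on a procfs filesystem.
func IsProcfs(path string) (bool, error) {
	var st syscall.Statfs_t
	if err := syscall.Statfs(path, &st); err != nil {
		return false, err
	}
	return int64(st.Type) == procSuperMagic, nil
}

// NaiveProcCheck stands in for a check that looks only at the path: the target
// exists and is a directory, so the mount is accepted. A plain directory that
// an image ships at /proc passes it trivially.
func NaiveProcCheck(rootfs, dest string) error {
	fi, err := os.Stat(filepath.Join(rootfs, dest))
	if err != nil {
		return err
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s is not a directory", dest)
	}
	return nil
}

// CheckProcMount is the hardened form. Destinations outside /proc are not its
// concern and mounting procfs onto /proc is the legitimate case; anything else
// under /proc must resolve, inside the rootfs, to a directory that is already
// on procfs. Otherwise the mount lands on ordinary disk and label writes via
// /proc/self/attr (how AppArmor/SELinux confinement is applied) go nowhere.
func CheckProcMount(rootfs, dest, fstype string) error {
	clean := filepath.Clean("/" + dest)
	if clean != "/proc" && !strings.HasPrefix(clean, "/proc/") {
		return nil
	}
	if clean == "/proc" && fstype == "proc" {
		return nil
	}
	target, err := ResolveInRootfs(rootfs, clean)
	if err != nil {
		return err
	}
	if fi, err := os.Stat(target); err != nil || !fi.IsDir() {
		return fmt.Errorf("%s is not a directory in the rootfs", clean)
	}
	ok, err := IsProcfs(target)
	if err != nil {
		return err
	}
	if !ok {
		return ErrNotProcfs
	}
	return nil
}

// FakeRootfs builds a constructed rootfs in a temp dir with a plain directory
// at /proc/sys, the layout a malicious image could ship. Caller removes it.
func FakeRootfs() (string, error) {
	root, err := os.MkdirTemp("", "rootfs")
	if err != nil {
		return "", err
	}
	return root, os.MkdirAll(filepath.Join(root, "proc", "sys"), 0o755)
}

func main() {
	root, err := FakeRootfs()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	fmt.Println("naive   :", NaiveProcCheck(root, "/proc/sys"))        // accepted
	fmt.Println("hardened:", CheckProcMount(root, "/proc/sys", "bind")) // refused
	fmt.Println("procfs  :", CheckProcMount(root, "/proc", "proc"))     // accepted
}
```

The ordering matters: the rootfs containment check runs before statfs(2), so a symlinked /proc is refused as an escape rather than being probed on the host.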