Source: runc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,

The following vulnerability was published for runc.

CVE-2024-45310[0]:
| runc is a CLI tool for spawning and running containers according to
| the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2
| and earlier, can be tricked into creating empty files or directories
| in arbitrary locations in the host filesystem by sharing a volume
| between two containers and exploiting a race with `os.MkdirAll`.
| While this could be used to create empty files, existing files would
| not be truncated. An attacker must have the ability to start
| containers using some kind of custom volume configuration.
| Containers using user namespaces are still affected, but the scope
| of places an attacker can create inodes can be significantly
| reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can
| also in principle block this attack -- we suspect the industry
| standard SELinux policy may restrict this attack's scope but the
| exact scope of protection hasn't been analysed. This is exploitable
| using runc directly as well as through Docker and Kubernetes. The
| issue is fixed in runc v1.1.14 and v1.2.0-rc3. Some workarounds are
| available. Using user namespaces restricts this attack fairly
| significantly such that the attacker can only create inodes in
| directories that the remapped root user/group has write access to.
| Unless the root user is remapped to an actual user on the host (such
| as with rootless containers that don't use `/etc/sub[ug]id`), this
| in practice means that an attacker would only be able to create
| inodes in world-writable directories. A strict enough SELinux or
| AppArmor policy could in principle also restrict the scope if a
| specific label is applied to the runc runtime, though neither the
| extent to which the standard existing policies block this attack nor
| what exact policies are needed to sufficiently restrict this attack
| have been thoroughly tested.
https://www.openwall.com/lists/oss-security/2024/09/03/1
https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45310
    https://www.cve.org/CVERecord?id=CVE-2024-45310

Please adjust the affected versions in the BTS as needed.
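The advisory above turns on one property of `os.MkdirAll`: it resolves every intermediate path component through the normal path walk, so a symlink that appears in the path (which is what the volume-sharing race arranges) redirects the remaining mkdir calls to wherever the link points. The Go program below is an illustration added for this report; it is not code from runc, from the advisory, or from the upstream fix, and it does not reproduce the race itself. It constructs the end state the race produces (a component under the container root that is a symlink pointing out of it), shows `os.MkdirAll` creating directories behind the link, and contrasts that with a hypothetical helper, `mkdirAllNoFollow`, that walks the path one component at a time over `openat(2)`/`mkdirat(2)` with `O_NOFOLLOW|O_DIRECTORY`, so a symlink stops the walk before anything is created behind it. Linux-only; the temp-directory layout and all names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// mkdirAllNoFollow creates rel under root one component at a time while
// holding a file descriptor for the directory it has already entered, so
// each mkdirat/openat is relative to an inode rather than to a re-resolved
// path. Every component is opened with O_NOFOLLOW|O_DIRECTORY: a symlink
// in the path (present from the start or swapped in between two steps)
// fails the open instead of being followed. Hypothetical helper written
// for this example, not runc's code.
func mkdirAllNoFollow(root, rel string, mode uint32) error {
	const oflags = syscall.O_DIRECTORY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
	dirfd, err := syscall.Open(root, oflags, 0)
	if err != nil {
		return fmt.Errorf("open root %q: %w", root, err)
	}
	defer func() { syscall.Close(dirfd) }() // closes whichever fd is current

	for _, comp := range strings.Split(filepath.Clean(rel), string(filepath.Separator)) {
		switch comp {
		case "", ".":
			continue
		case "..":
			return errors.New("refusing to walk above root")
		}
		// mkdirat on an existing entry (directory or symlink) gives EEXIST;
		// anything else is a real failure.
		if err := syscall.Mkdirat(dirfd, comp, mode); err != nil && !errors.Is(err, syscall.EEXIST) {
			return fmt.Errorf("mkdirat %q: %w", comp, err)
		}
		// Re-open the component relative to the fd we hold. If it is a
		// symlink the open fails (ENOTDIR or ELOOP depending on the kernel's
		// check order), which aborts the walk before any child is created.
		next, err := syscall.Openat(dirfd, comp, oflags, 0)
		if err != nil {
			return fmt.Errorf("openat %q: %w", comp, err)
		}
		syscall.Close(dirfd)
		dirfd = next
	}
	return nil
}

// Result records what each approach did relative to the directory outside root.
type Result struct {
	MkdirAllEscaped bool // os.MkdirAll created directories outside root
	NoFollowBlocked bool // mkdirAllNoFollow refused the symlink and created nothing behind it
	NoFollowCreated bool // mkdirAllNoFollow still works on a symlink-free path
}

// runDemo builds the constructed layout in a temp dir and exercises both paths.
func runDemo() (Result, error) {
	var r Result
	base, err := os.MkdirTemp("", "mkdirall-demo-")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(base)

	root := filepath.Join(base, "root")       // stands in for a container rootfs
	outside := filepath.Join(base, "outside") // stands in for an unrelated host directory
	for _, d := range []string{root, outside} {
		if err := os.Mkdir(d, 0o755); err != nil {
			return r, err
		}
	}
	// Constructed condition: the component "vol" under root is a symlink that
	// points out of root, i.e. the state the race in the advisory produces.
	if err := os.Symlink(outside, filepath.Join(root, "vol")); err != nil {
		return r, err
	}

	// os.MkdirAll follows the link: "a/b" ends up under outside, not root.
	if err := os.MkdirAll(filepath.Join(root, "vol", "a", "b"), 0o755); err != nil {
		return r, err
	}
	if st, err := os.Stat(filepath.Join(outside, "a", "b")); err == nil && st.IsDir() {
		r.MkdirAllEscaped = true
	}

	// The component-wise walk refuses "vol" and never reaches "c".
	walkErr := mkdirAllNoFollow(root, "vol/c/d", 0o755)
	_, statErr := os.Lstat(filepath.Join(outside, "c"))
	r.NoFollowBlocked = walkErr != nil && os.IsNotExist(statErr)

	// Sanity check: without a symlink in the way the helper creates the tree.
	if err := mkdirAllNoFollow(root, "data/x/y", 0o755); err == nil {
		if st, err := os.Stat(filepath.Join(root, "data", "x", "y")); err == nil && st.IsDir() {
			r.NoFollowCreated = true
		}
	}
	return r, nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	fmt.Printf("os.MkdirAll escaped root: %v\n", r.MkdirAllEscaped)
	fmt.Printf("mkdirAllNoFollow blocked: %v, created normal path: %v\n", r.NoFollowBlocked, r.NoFollowCreated)
}
```

The helper only closes the specific hole the advisory names (a symlink in an intermediate component); it does not by itself prevent an attacker from renaming an already-created directory afterwards, and a production implementation also needs to decide who owns the created directories and what happens on a bind mount crossing. The fd-relative walk is the general technique; the exact mitigation runc shipped in v1.1.14 and v1.2.0-rc3 is not reproduced here.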