Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update: runc #1530

Closed
dongsupark opened this issue Sep 3, 2024 · 1 comment · Fixed by flatcar/scripts#2317
Closed

update: runc #1530

dongsupark opened this issue Sep 3, 2024 · 1 comment · Fixed by flatcar/scripts#2317
Assignees
Labels
advisory security advisory cvss/LOW < 4 assessed CVSS security security concerns

Comments

@dongsupark
Copy link
Member

dongsupark commented Sep 3, 2024

Name: runc
CVEs: CVE-2024-45310
CVSSs: 3.6
Action Needed: update to >= 1.1.14

Summary: runc 1.1.13 and earlier as well as 1.2.0-rc2 and earlier can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with os.MkdirAll. While this can be used to create empty files, existing files will not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed.

See also https://seclists.org/oss-sec/2024/q3/237.

refmap.gentoo: TBD

@dongsupark dongsupark added security security concerns advisory security advisory labels Sep 3, 2024
@dongsupark dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Sep 3, 2024
@dongsupark dongsupark added the cvss/LOW < 4 assessed CVSS label Sep 6, 2024
@tormath1 tormath1 self-assigned this Sep 16, 2024
@tormath1
Copy link
Contributor

Runc update is blocked by #1539 (see: https://github.com/opencontainers/runc/releases/tag/v1.1.14 -> "switch from Go 1.21.x to 1.22/23.x.")

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
advisory security advisory cvss/LOW < 4 assessed CVSS security security concerns
Projects
Development

Successfully merging a pull request may close this issue.

2 participants