From d9ed3d7e285e9bc8a99bbbd807da7e772f4aff8d Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 12 May 2022 13:51:12 +0200 Subject: [PATCH] update runc binary to v1.1.2 This is the second patch release of the runc 1.1 release branch. It fixes CVE-2022-29162, a minor security issue (which appears to not be exploitable) related to process capabilities. This is a similar bug to the ones found and fixed in Docker and containerd recently (CVE-2022-24769). - A bug was found in runc where runc exec --cap executed processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162. - runc spec no longer sets any inheritable capabilities in the created example OCI spec (config.json) file. Signed-off-by: Sebastiaan van Stijn (cherry picked from commit bc0fd3f617c48177e9132bb7af7d294fec8700e0) Signed-off-by: Sebastiaan van Stijn --- hack/dockerfile/install/runc.installer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hack/dockerfile/install/runc.installer b/hack/dockerfile/install/runc.installer index 498fb58b340be..3108079e077c7 100755 --- a/hack/dockerfile/install/runc.installer +++ b/hack/dockerfile/install/runc.installer @@ -9,7 +9,7 @@ set -e # the containerd project first, and update both after that is merged. # # When updating RUNC_VERSION, consider updating runc in vendor.conf accordingly -: "${RUNC_VERSION:=v1.1.1}" +: "${RUNC_VERSION:=v1.1.2}" install_runc() { RUNC_BUILDTAGS="${RUNC_BUILDTAGS:-"seccomp"}"