[20.10 backport] update runc binary to v1.1.2 #43589

Merged
merged 1 commit into from Jun 4, 2022

Conversation

thaJeztah
Member

@thaJeztah thaJeztah commented May 12, 2022

This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.

This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).

  • A bug was found in runc where runc exec --cap executed processes with
    non-empty inheritable Linux process capabilities, creating an atypical Linux
    environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
  • runc spec no longer sets any inheritable capabilities in the created
    example OCI spec (config.json) file.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bc0fd3f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
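A defender-side check for the symptom described in the advisory text above, added here as an example that is not part of this PR or of runc: it parses the CapInh field of a /proc/<pid>/status dump (the status text is constructed for this example) and decodes which inheritable capabilities a process carries, so a non-empty set, as produced by the vulnerable `runc exec --cap`, can be spotted.

```python
# Added example (not from the PR or runc): flag processes whose inheritable
# capability set (CapInh) is non-empty, the symptom CVE-2022-29162 describes
# for processes started with a vulnerable `runc exec --cap`.

# Linux capability numbers in bit order (linux/capability.h); index == bit.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]


def decode_caps(mask: int) -> list:
    """Expand a capability bitmask into cap names (unknown bits as cap_N)."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def inheritable_caps(status_text: str) -> list:
    """Parse the CapInh line of a /proc/<pid>/status dump and decode it."""
    for line in status_text.splitlines():
        if line.startswith("CapInh:"):
            return decode_caps(int(line.split(":", 1)[1].strip(), 16))
    raise ValueError("no CapInh line in status text")


# Constructed samples: the first mimics a process whose CapInh was filled
# with a common default container capability set (the atypical state the
# advisory describes); the second is what a correctly exec'd process shows.
SUSPECT_STATUS = "Name:\tsh\nPid:\t4242\nCapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n"
CLEAN_STATUS = "Name:\tsh\nPid:\t4243\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"

if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_STATUS), ("clean", CLEAN_STATUS)):
        caps = inheritable_caps(text)
        print(f"{label}: CapInh={'EMPTY' if not caps else ','.join(caps)}")
```

On a live host the same function can be fed the contents of /proc/<pid>/status for each container process; any non-empty result after the runc bump indicates a process that was started before the fix or by a different runtime.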
@thaJeztah thaJeztah marked this pull request as ready for review May 12, 2022 23:10
@thaJeztah
Member Author

Actually, let's keep this as draft until there's a new containerd release (so that static packages and deb/rpm continue to have matching runc versions).

@thaJeztah thaJeztah marked this pull request as draft May 12, 2022 23:11
@thaJeztah thaJeztah marked this pull request as ready for review June 4, 2022 20:35
@thaJeztah
Member Author

Bringing this in; related containerd update is in #43692

@thaJeztah thaJeztah merged commit 678cc00 into moby:20.10 Jun 4, 2022
@thaJeztah thaJeztah deleted the 20.10_backport_bump_runc branch June 4, 2022 20:36