-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2019-19921 re-introduction/regression #3751
CVE-2019-19921 re-introduction/regression #3751
Comments
/cc @samuelkarp @opencontainers/runc-maintainers |
CVE-2023-27561 is the new CVE. |
Thank you for reporting this, but next time please follow https://github.com/opencontainers/runc/blob/main/SECURITY.md before disclosure. |
Trying to follow the repro steps in https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9 , but still I Tested the current main branch 69225fa and v1.1.4, on Ubuntu 22.10 (kernel 5.19.0-31-generic), amd64. |
Seems reproducible on Debian 11 (kernel 5.10.0-21-amd64). Maybe related to the kernel version? |
No, I don't think it has anything to do with the kernel version, it's just because SYS_renameat2 was successfully executed through competition before the execution of readonlyPath()
|
Ps. Add the test steps that I did not modify the code v1.1.4, on Arch(kernel 6.1.9-arch1-1)
There are two things to note:
|
Why there's no advisory under https://github.com/opencontainers/runc/security/advisories ? |
Because the CVE was published by somebody outside us, and we haven't released the fix ( |
Works for me (behavior back to |
Hi,
I'm part of the Debian Long Term Support (LTS) team, and I'm currently working on an update for package runc.
As explained in #2197 (comment) , while working on fixing CVE-2019-19921, I noticed the fix was apparently broken by the one for CVE-2021-30465 (0ca91f4).
I can reproduce the issue with branch
main
, using the original reproducer from #2197 (host'sproc/sys/kernel/core_pattern
overwritten fromcontainer-2
after a few tries).Because various GNU/Linux distributions have incorporated the initial fix (or upgraded runc), and marked the security issue "fixed", I would recommend registering a new CVE to indicate that a follow-up fix is needed.
Do you confirm?
Thanks and best regards.
The text was updated successfully, but these errors were encountered: