* [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.3
@ 2021-12-10 18:13 Fabrice Fontaine
2021-12-10 20:42 ` Yann E. MORIN
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Fabrice Fontaine @ 2021-12-10 18:13 UTC (permalink / raw)
To: buildroot; +Cc: Fabrice Fontaine
Fix CVE-2021-43784: runc is a CLI tool for spawning and running
containers on Linux according to the OCI specification. In runc, netlink
is used internally as a serialization system for specifying the relevant
container configuration to the `C` portion of the code (responsible for
the based namespace setup of containers). In all versions of runc prior
to 1.0.3, the encoder did not handle the possibility of an integer
overflow in the 16-bit length field for the byte array attribute type,
meaning that a large enough malicious byte array attribute could result
in the length overflowing and the attribute contents being parsed as
netlink messages for container configuration. This vulnerability
requires the attacker to have some control over the configuration of the
container and would allow the attacker to bypass the namespace
restrictions of the container by simply adding their own netlink payload
which disables all namespaces. The main users impacted are those who
allow untrusted images with untrusted configurations to run on their
machines (such as with shared cloud infrastructure). runc version 1.0.3
contains a fix for this bug. As a workaround, one may try disallowing
untrusted namespace paths from your container. It should be noted that
untrusted namespace paths would allow the attacker to disable namespace
protections entirely even in the absence of this bug.
https://github.com/opencontainers/runc/releases/tag/v1.0.3
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
package/runc/runc.hash | 2 +-
package/runc/runc.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/runc/runc.hash b/package/runc/runc.hash
index 365beac21d..4ef04132bf 100644
--- a/package/runc/runc.hash
+++ b/package/runc/runc.hash
@@ -1,3 +1,3 @@
# Locally computed
-sha256 6c3cca4bbeb5d9b2f5e3c0c401c9d27bc8a5d2a0db8a2f6a06efd03ad3c38a33 runc-1.0.2.tar.gz
+sha256 0eaf2f6606d72f166a5e7138a8a8d4d8f85d84e43448c08c66a1c93ead17a574 runc-1.0.3.tar.gz
sha256 552a739c3b25792263f731542238b92f6f8d07e9a488eae27e6c4690038a8243 LICENSE
diff --git a/package/runc/runc.mk b/package/runc/runc.mk
index e77ef8111e..c4e45a00a9 100644
--- a/package/runc/runc.mk
+++ b/package/runc/runc.mk
@@ -4,7 +4,7 @@
#
################################################################################
-RUNC_VERSION = 1.0.2
+RUNC_VERSION = 1.0.3
RUNC_SITE = $(call github,opencontainers,runc,v$(RUNC_VERSION))
RUNC_LICENSE = Apache-2.0
RUNC_LICENSE_FILES = LICENSE
--
2.33.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.3
2021-12-10 18:13 [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.3 Fabrice Fontaine
@ 2021-12-10 20:42 ` Yann E. MORIN
2021-12-12 7:24 ` Christian Stewart via buildroot
2022-01-14 16:06 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Yann E. MORIN @ 2021-12-10 20:42 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
Fabrice, All,
On 2021-12-10 19:13 +0100, Fabrice Fontaine spake thusly:
> Fix CVE-2021-43784: runc is a CLI tool for spawning and running
> containers on Linux according to the OCI specification. In runc, netlink
> is used internally as a serialization system for specifying the relevant
> container configuration to the `C` portion of the code (responsible for
> the based namespace setup of containers). In all versions of runc prior
> to 1.0.3, the encoder did not handle the possibility of an integer
> overflow in the 16-bit length field for the byte array attribute type,
> meaning that a large enough malicious byte array attribute could result
> in the length overflowing and the attribute contents being parsed as
> netlink messages for container configuration. This vulnerability
> requires the attacker to have some control over the configuration of the
> container and would allow the attacker to bypass the namespace
> restrictions of the container by simply adding their own netlink payload
> which disables all namespaces. The main users impacted are those who
> allow untrusted images with untrusted configurations to run on their
> machines (such as with shared cloud infrastructure). runc version 1.0.3
> contains a fix for this bug. As a workaround, one may try disallowing
> untrusted namespace paths from your container. It should be noted that
> untrusted namespace paths would allow the attacker to disable namespace
> protections entirely even in the absence of this bug.
I personally do not see the point in having the full CVE details exposed
in the commit log. I kept it, though.
Applied to master, thanks.
Regards,
Yann E. MORIN.
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> ---
> package/runc/runc.hash | 2 +-
> package/runc/runc.mk | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/package/runc/runc.hash b/package/runc/runc.hash
> index 365beac21d..4ef04132bf 100644
> --- a/package/runc/runc.hash
> +++ b/package/runc/runc.hash
> @@ -1,3 +1,3 @@
> # Locally computed
> -sha256 6c3cca4bbeb5d9b2f5e3c0c401c9d27bc8a5d2a0db8a2f6a06efd03ad3c38a33 runc-1.0.2.tar.gz
> +sha256 0eaf2f6606d72f166a5e7138a8a8d4d8f85d84e43448c08c66a1c93ead17a574 runc-1.0.3.tar.gz
> sha256 552a739c3b25792263f731542238b92f6f8d07e9a488eae27e6c4690038a8243 LICENSE
> diff --git a/package/runc/runc.mk b/package/runc/runc.mk
> index e77ef8111e..c4e45a00a9 100644
> --- a/package/runc/runc.mk
> +++ b/package/runc/runc.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -RUNC_VERSION = 1.0.2
> +RUNC_VERSION = 1.0.3
> RUNC_SITE = $(call github,opencontainers,runc,v$(RUNC_VERSION))
> RUNC_LICENSE = Apache-2.0
> RUNC_LICENSE_FILES = LICENSE
> --
> 2.33.0
>
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.3
2021-12-10 18:13 [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.3 Fabrice Fontaine
2021-12-10 20:42 ` Yann E. MORIN
@ 2021-12-12 7:24 ` Christian Stewart via buildroot
2022-01-14 16:06 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Christian Stewart via buildroot @ 2021-12-12 7:24 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: Buildroot Mailing List
Hi all,
On Fri, Dec 10, 2021 at 10:14 AM Fabrice Fontaine
<fontaine.fabrice@gmail.com> wrote:
> # Locally computed
> -sha256 6c3cca4bbeb5d9b2f5e3c0c401c9d27bc8a5d2a0db8a2f6a06efd03ad3c38a33 runc-1.0.2.tar.gz
> +sha256 0eaf2f6606d72f166a5e7138a8a8d4d8f85d84e43448c08c66a1c93ead17a574 runc-1.0.3.tar.gz
Reviewed-by: Christian Stewart <christian@paral.in>
Regards,
Christian Stewart
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.3
2021-12-10 18:13 [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.3 Fabrice Fontaine
2021-12-10 20:42 ` Yann E. MORIN
2021-12-12 7:24 ` Christian Stewart via buildroot
@ 2022-01-14 16:06 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2022-01-14 16:06 UTC (permalink / raw)
To: Fabrice Fontaine; +Cc: buildroot
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:
> Fix CVE-2021-43784: runc is a CLI tool for spawning and running
> containers on Linux according to the OCI specification. In runc, netlink
> is used internally as a serialization system for specifying the relevant
> container configuration to the `C` portion of the code (responsible for
> the based namespace setup of containers). In all versions of runc prior
> to 1.0.3, the encoder did not handle the possibility of an integer
> overflow in the 16-bit length field for the byte array attribute type,
> meaning that a large enough malicious byte array attribute could result
> in the length overflowing and the attribute contents being parsed as
> netlink messages for container configuration. This vulnerability
> requires the attacker to have some control over the configuration of the
> container and would allow the attacker to bypass the namespace
> restrictions of the container by simply adding their own netlink payload
> which disables all namespaces. The main users impacted are those who
> allow untrusted images with untrusted configurations to run on their
> machines (such as with shared cloud infrastructure). runc version 1.0.3
> contains a fix for this bug. As a workaround, one may try disallowing
> untrusted namespace paths from your container. It should be noted that
> untrusted namespace paths would allow the attacker to disable namespace
> protections entirely even in the absence of this bug.
> https://github.com/opencontainers/runc/releases/tag/v1.0.3
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Committed to 2021.02.x and 2021.11.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-01-14 16:06 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-10 18:13 [Buildroot] [PATCH 1/1] package/runc: security bump to version 1.0.3 Fabrice Fontaine
2021-12-10 20:42 ` Yann E. MORIN
2021-12-12 7:24 ` Christian Stewart via buildroot
2022-01-14 16:06 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.