Skip to content

[release/1.5 backport] update runc binary to v1.1.2#6935

Merged
AkihiroSuda merged 1 commit intocontainerd:release/1.5from
thaJeztah:1.5_bump_runc
May 14, 2022
Merged

[release/1.5 backport] update runc binary to v1.1.2#6935
AkihiroSuda merged 1 commit intocontainerd:release/1.5from
thaJeztah:1.5_bump_runc

Conversation

@thaJeztah
Copy link
Copy Markdown
Member

@thaJeztah thaJeztah commented May 12, 2022

This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.

This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).

  • A bug was found in runc where runc exec --cap executed processes with
    non-empty inheritable Linux process capabilities, creating an atypical Linux
    environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
  • runc spec no longer sets any inheritable capabilities in the created
    example OCI spec (config.json) file.

Signed-off-by: Sebastiaan van Stijn [email protected]
(cherry picked from commit 25858d6)
Signed-off-by: Sebastiaan van Stijn [email protected]

mikebrow
mikebrow reviewed May 13, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@mikebrow mikebrow left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this vagrant https://github.com/containerd/containerd/runs/6413173243?check_suite_focus=true#step:4:901 ...

also needs Phil's fix

https://github.com/containerd/containerd/pull/6941/files#diff-1ea02434f746b6d1522cdef3d4a56e57cf2d5a72c5273927746a71eaf06d74fdR104

#6915 needs a 1.5 cherry pick

@estesp
Copy link
Copy Markdown
Member

estesp commented May 13, 2022

Should be able to rebase on release/1.5 HEAD to get the Vagrant fix for CI

@thaJeztah
update runc binary to v1.1.2
c2f7933 
This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.

This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).

- A bug was found in runc where runc exec --cap executed processes with
  non-empty inheritable Linux process capabilities, creating an atypical Linux
  environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
- runc spec no longer sets any inheritable capabilities in the created
  example OCI spec (config.json) file.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
(cherry picked from commit 25858d6)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
@thaJeztah
Copy link
Copy Markdown
Member Author

thaJeztah commented May 13, 2022

oh! thanks for the reminder; rebased 👍

@thaJeztah
Copy link
Copy Markdown
Member Author

thaJeztah commented May 13, 2022

/retest

@thaJeztah
Copy link
Copy Markdown
Member Author

thaJeztah commented May 13, 2022

still some unhappy CI 😢

@kzys
Copy link
Copy Markdown
Member

kzys commented May 14, 2022

/retest

@thaJeztah
Copy link
Copy Markdown
Member Author

thaJeztah commented May 14, 2022

jackpot 🥳 green now!

@AkihiroSuda AkihiroSuda merged commit 8dff1ce into containerd:release/1.5 May 14, 2022
@thaJeztah thaJeztah deleted the 1.5_bump_runc branch May 14, 2022 12:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mikebrow mikebrow mikebrow left review comments

@kzys kzys kzys approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@thaJeztah @estesp @kzys @AkihiroSuda @mikebrow