Hi,
I'm part of the Debian Long Term Support (LTS) team, and I'm currently working on an update for package runc.
As explained in #2197 (comment) , while working on fixing CVE-2019-19921, I noticed the fix was apparently broken by the one for CVE-2021-30465 (0ca91f4).
I can reproduce the issue with branch main, using the original reproducer from #2197 (host's proc/sys/kernel/core_pattern overwritten from container-2 after a few tries).
Because various GNU/Linux distributions have incorporated the initial fix (or upgraded runc), and marked the security issue "fixed", I would recommend registering a new CVE to indicate that a follow-up fix is needed.
Do you confirm?
Thanks and best regards.
Hi,
I'm part of the Debian Long Term Support (LTS) team, and I'm currently working on an update for package runc.
As explained in #2197 (comment) , while working on fixing CVE-2019-19921, I noticed the fix was apparently broken by the one for CVE-2021-30465 (0ca91f4).
I can reproduce the issue with branch
main, using the original reproducer from #2197 (host'sproc/sys/kernel/core_patternoverwritten fromcontainer-2after a few tries).Because various GNU/Linux distributions have incorporated the initial fix (or upgraded runc), and marked the security issue "fixed", I would recommend registering a new CVE to indicate that a follow-up fix is needed.
Do you confirm?
Thanks and best regards.