
[release/1.5 backport] update runc binary to v1.1.2 #6935

Merged
merged 1 commit into from May 14, 2022

Conversation

thaJeztah

This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.

This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).

  • A bug was found in runc where runc exec --cap executed processes with
    non-empty inheritable Linux process capabilities, creating an atypical Linux
    environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
  • runc spec no longer sets any inheritable capabilities in the created
    example OCI spec (config.json) file.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 25858d6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
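As an added illustration of the condition this release note describes (not code from the PR or from runc), the following POSIX shell check reads a `/proc/<pid>/status` excerpt and reports whether the process carries a non-empty inheritable capability set; the two status samples are constructed, and `check_live` is a hypothetical helper for running the same check against the current process on a Linux host.

```shell
#!/bin/sh
# Added example, not part of the PR: detect a non-empty inheritable
# capability set (CapInh) in a /proc/<pid>/status text.
# Returns 0 when CapInh is all zeros, 1 when it is non-empty,
# 2 when no CapInh line is present in the input.
check_capinh() {
    capinh=$(printf '%s\n' "$1" | awk '/^CapInh:/ { print $2 }')
    [ -n "$capinh" ] || return 2
    # Strip leading zeros; an empty remainder means the mask was all zeros.
    stripped=$(printf '%s' "$capinh" | sed 's/^0*//')
    [ -z "$stripped" ] && return 0
    return 1
}

# Constructed sample: a process whose inheritable set is empty (expected state).
SAMPLE_CLEAN='Name:   sh
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'

# Constructed sample: a process with a non-empty inheritable set, the atypical
# environment the release note describes.
SAMPLE_BAD='Name:   sh
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb'

# Hypothetical helper: run the same check against the calling process.
# Returns 2 when /proc is not available (non-Linux host).
check_live() {
    [ -r /proc/self/status ] || return 2
    check_capinh "$(cat /proc/self/status)"
}
```

Running `check_live` inside a container started via `runc exec` with `--cap` flags is one way to confirm the fixed binary leaves CapInh empty.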

@kzys kzys added this to New in Code Review via automation May 12, 2022
@kzys kzys moved this from New to Merge on Green in Code Review May 12, 2022
@mikebrow mikebrow left a comment


@estesp

estesp commented May 13, 2022

Should be able to rebase on release/1.5 HEAD to get the Vagrant fix for CI

@thaJeztah

oh! thanks for the reminder; rebased 👍

@thaJeztah

/retest

@thaJeztah

still some unhappy CI 😢

@kzys

kzys commented May 14, 2022

/retest

@thaJeztah

jackpot 🥳 green now!

@AkihiroSuda AkihiroSuda merged commit 8dff1ce into containerd:release/1.5 May 14, 2022
Code Review automation moved this from Merge on Green to Done May 14, 2022
@thaJeztah thaJeztah deleted the 1.5_bump_runc branch May 14, 2022 12:33