Skip to content

runc 1.1.2 -- "I should think I’m going to be a perpetual student."
Compare
Choose a tag to compare
@cyphar cyphar released this 11 May 22:44
· 1032 commits to main since this release
v1.1.2
This tag was signed with the committer’s verified signature. The key has been revoked.
cyphar Aleksa Sarai
GPG key ID: 9D94B96321B9D012
Revoked
Learn about vigilant mode.
a916309
This commit was signed with the committer’s verified signature.
kolyshkin Kir Kolyshkin
GPG key ID: 17DE5ECB75A1100E
Learn about vigilant mode.

This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.

This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).

  • A bug was found in runc where runc exec --cap executed processes with
    non-empty inheritable Linux process capabilities, creating an atypical Linux
    environment. For more information, see GHSA-f3fp-gc8g-vw66 and
    CVE-2022-29162.
  • runc spec no longer sets any inheritable capabilities in the created
    example OCI spec (config.json) file.

Static Linking Notices

The runc binary distributed with this release are statically linked with
the following GNU LGPL-2.1 licensed libraries, with runc acting
as a "work that uses the Library":

The versions of these libraries were not modified from their upstream versions,
but in order to comply with the LGPL-2.1 (§6(a)), we have attached the
complete source code for those libraries which (when combined with the attached
runc source code) may be used to exercise your rights under the LGPL-2.1.

However we strongly suggest that you make use of your distribution's packages
or download them from the authoritative upstream sources, especially since
these libraries are related to the security of your containers.

Assets 19