[pkg-go] Bug#942026: runc: CVE-2019-16884

Shengjing Zhu zhsj at debian.org
Wed Oct 9 09:41:50 BST 2019


Package: runc
Severity: grave
Tags: security upstream
Justification: user security hole
Control: affects -1 docker.io
Control: clone -1 -2
Control: retitle -2 golang-github-opencontainers-selinux-dev: CVE-2019-16884

https://github.com/opencontainers/runc/issues/2128
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other
products, allows AppArmor restriction bypass because
libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus
a malicious Docker image can mount over a /proc directory.

This looks like it should be fixed by the following commits:

https://github.com/opencontainers/runc/commit/d463f6485b809b5ea738f84e05ff5b456058a184
https://github.com/opencontainers/runc/commit/331692baa7afdf6c186f8667cb0e6362ea0802b3

https://github.com/opencontainers/selinux/commit/03b517dc4fd57245b1cf506e8ba7b817b6d309da

So we need to first fix golang-github-opencontainers-selinux-dev, then
runc, and finally rebuild all reverse build-depends (mostly docker.io).
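The class of check the CVE text describes, as an added example in Go that is not code from this report, from runc or from the linked commits: a naive mount-target comparison that only looks at the raw destination string, next to a hardened form that normalises the path before deciding whether a mount may land on or under /proc. The Mount type, both function names and the allow-list of procfs sub-mounts are this example's own assumptions, constructed to show the bypass, not runc's actual identifiers or policy.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Mount holds the fields of a container mount entry that matter here.
// The struct and its field names are this example's own, not runc's.
type Mount struct {
	Destination string // path inside the container rootfs
	Type        string // filesystem type, e.g. "proc", "bind", "tmpfs"
	Source      string
}

// naiveProcCheck is the weak form: a raw string comparison against "/proc".
// Equivalent spellings such as "/proc/" or "/tmp/../proc" are not recognised,
// so a non-procfs mount can still be placed on top of /proc.
func naiveProcCheck(m Mount) error {
	if m.Destination == "/proc" && m.Type != "proc" {
		return fmt.Errorf("%q: only a procfs mount may be placed on /proc", m.Destination)
	}
	return nil
}

// allowedProcSubmounts lists procfs sub-paths that a runtime legitimately
// masks or overrides (read-only bind mounts, tmpfs over /proc/sys, ...).
// This particular list is an assumption made for the example.
var allowedProcSubmounts = []string{
	"/proc/bus",
	"/proc/fs",
	"/proc/irq",
	"/proc/sys",
	"/proc/sysrq-trigger",
	"/proc/kcore",
	"/proc/keys",
	"/proc/timer_list",
	"/proc/timer_stats",
	"/proc/sched_debug",
	"/proc/scsi",
}

// hardenedProcCheck normalises the destination lexically before comparing,
// then enforces three rules:
//   - a mount landing exactly on /proc must have type "proc";
//   - a mount below /proc must be on (or below) an allow-listed sub-path;
//   - any other destination under /proc is rejected.
// Destinations outside /proc are not this check's concern and pass through.
func hardenedProcCheck(m Mount) error {
	// Prefixing "/" makes the path absolute; Clean collapses "..", "."
	// and repeated slashes, so "/tmp/../proc" and "/proc/" become "/proc".
	dest := filepath.Clean("/" + m.Destination)

	if dest == "/proc" {
		if m.Type != "proc" {
			return fmt.Errorf("%q: only a procfs mount may be placed on /proc", m.Destination)
		}
		return nil
	}
	// The trailing slash keeps "/procfs" or "/process" from matching.
	if !strings.HasPrefix(dest, "/proc/") {
		return nil
	}
	for _, p := range allowedProcSubmounts {
		if dest == p || strings.HasPrefix(dest, p+"/") {
			return nil
		}
	}
	return fmt.Errorf("%q: mount under /proc is not an allow-listed sub-mount", m.Destination)
}

func main() {
	// Constructed mount entries; the last two are the kind of entry a
	// malicious image could carry to put something that is not procfs on /proc.
	cases := []Mount{
		{Destination: "/proc", Type: "proc", Source: "proc"},
		{Destination: "/proc/sys", Type: "tmpfs", Source: "tmpfs"},
		{Destination: "/proc/", Type: "bind", Source: "/fake-proc"},
		{Destination: "/tmp/../proc", Type: "bind", Source: "/fake-proc"},
	}
	for _, c := range cases {
		fmt.Printf("%-14s naive=%v hardened=%v\n",
			c.Destination, naiveProcCheck(c), hardenedProcCheck(c))
	}
}
```

The lexical normalisation here only handles spelling tricks in the destination string. It does not resolve symlinks that the image itself places inside the rootfs, so a real runtime additionally has to resolve the destination within the container root before comparing, and should verify what actually ends up mounted rather than trusting the declared type alone.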


