CVE-2019-16884

Name	CVE-2019-16884
Description	runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3322-1, DLA-3369-1
Debian Bugs	942026, 942027

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
golang-github-opencontainers-selinux (PTS)	buster (security), buster, buster (lts)	1.0.0~rc1+git20170621.5.4a2974b-1+deb10u1	fixed
	bullseye	1.8.0-1	fixed
	bookworm	1.10.0+ds1-1	fixed
	sid, trixie	1.11.1-1	fixed
runc (PTS)	stretch (security), stretch (lts), stretch	0.1.1+dfsg1-2+deb9u3	vulnerable
	buster (security), buster, buster (lts)	1.0.0~rc6+dfsg1-3+deb10u3	fixed
	bullseye	1.0.0~rc93+ds1-5+deb11u5	fixed
	bullseye (security)	1.0.0~rc93+ds1-5+deb11u3	fixed
	bookworm (security), bookworm	1.1.5+ds1-1+deb12u1	fixed
	sid, trixie	1.1.15+ds1-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
golang-github-opencontainers-selinux	source	buster	1.0.0~rc1+git20170621.5.4a2974b-1+deb10u1		DLA-3322-1
golang-github-opencontainers-selinux	source	(unstable)	1.3.0-2			942027
runc	source	stretch	(unfixed)	end-of-life
runc	source	buster	1.0.0~rc6+dfsg1-3+deb10u2		DLA-3369-1
runc	source	(unstable)	1.0.0~rc9+dfsg1-1			942026

Notes

[stretch] - runc <no-dsa> (Minor issue)
https://github.com/opencontainers/runc/issues/2128
https://github.com/opencontainers/runc/commit/331692baa7afdf6c186f8667cb0e6362ea0802b3 (v1.0.0-rc9)
runc mitigation: https://github.com/opencontainers/runc/pull/2130 (v1.0.0-rc9)
golang-github-opencontainers-selinux mitigation: https://github.com/opencontainers/selinux/pull/59 (v1.3.1)