Name | CVE-2019-5736 |
Description | runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 922050, 922169 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
lxc (PTS) | jessie, jessie (lts) | 1:1.0.6-6+deb8u6 | vulnerable |
stretch | 1:2.0.7-2+deb9u2 | vulnerable | |
buster (security), buster, buster (lts) | 1:3.1.0+really3.0.3-8+deb10u1 | fixed | |
bullseye | 1:4.0.6-2+deb11u2 | fixed | |
bookworm | 1:5.0.2-1+deb12u2 | fixed | |
sid, trixie | 1:6.0.2-1 | fixed | |
runc (PTS) | stretch (security), stretch (lts), stretch | 0.1.1+dfsg1-2+deb9u3 | fixed |
buster (security), buster, buster (lts) | 1.0.0~rc6+dfsg1-3+deb10u3 | fixed | |
bullseye | 1.0.0~rc93+ds1-5+deb11u5 | fixed | |
bullseye (security) | 1.0.0~rc93+ds1-5+deb11u3 | fixed | |
bookworm (security), bookworm | 1.1.5+ds1-1+deb12u1 | fixed | |
sid, trixie | 1.1.15+ds1-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
lxc | source | (unstable) | 1:3.1.0+really3.0.3-4 | unimportant | 922169 | |
runc | source | stretch | 0.1.1+dfsg1-2+deb9u1 | |||
runc | source | (unstable) | 1.0.0~rc6+dfsg1-2 | 922050 |
https://www.openwall.com/lists/oss-security/2019/02/11/2
runc: Fixed by: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
lxc: Fixed by: https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
Not considered a security issue by LXC upstream