| Name | CVE-2024-21626 |
| Description | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3735-1, DSA-5615-1 |
| Debian Bugs | 1062532 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| runc (PTS) | stretch (security), stretch (lts), stretch | 0.1.1+dfsg1-2+deb9u3 | vulnerable |
| buster | 1.0.0~rc6+dfsg1-3 | vulnerable | |
| buster (security) | 1.0.0~rc6+dfsg1-3+deb10u3 | fixed | |
| bullseye (security), bullseye | 1.0.0~rc93+ds1-5+deb11u3 | fixed | |
| bookworm (security), bookworm | 1.1.5+ds1-1+deb12u1 | fixed | |
| sid, trixie | 1.1.12+ds1-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| runc | source | buster | 1.0.0~rc6+dfsg1-3+deb10u3 | DLA-3735-1 | ||
| runc | source | bullseye | 1.0.0~rc93+ds1-5+deb11u3 | DSA-5615-1 | ||
| runc | source | bookworm | 1.1.5+ds1-1+deb12u1 | DSA-5615-1 | ||
| runc | source | (unstable) | 1.1.12+ds1-1 | 1062532 |
https://www.openwall.com/lists/oss-security/2024/01/31/6
https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
https://github.com/opencontainers/runc/commit/937ca107c3d22da77eb8e8030f2342253b980980
https://github.com/opencontainers/runc/commit/8e1cd2f56d518f8d6292b8bb39f0d0932e4b6c2a
https://github.com/opencontainers/runc/commit/f2f16213e174fb63e931fe0546bbbad1d9bbed6f
https://github.com/opencontainers/runc/commit/89c93ddf289437d5c8558b37047c54af6a0edb48
https://github.com/opencontainers/runc/commit/ee73091a8d28692fa4868bac81aa40a0b05f9780
https://github.com/opencontainers/runc/commit/d8edada9f252873b88043279a71099db71941dea
DLA-3735-1/buster fixes everything but additional hardening:
https://lists.debian.org/debian-lts/2024/03/msg00022.html