MGASA-2019-0068

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2019-0068.html

Import Source

https://advisories.mageia.org/MGASA-2019-0068.json

JSON Data

https://api.osv.dev/v1/vulns/MGASA-2019-0068

Related

CVE-2019-5736

Published

2019-02-13T11:08:25Z

Modified

2019-02-13T10:37:14Z

Summary

Updated opencontainers-runc packages fix security vulnerability

Details

Not using pivot_root(2) leaves the host /proc around in the mount namespace so that it is possible to mount another /proc without any other submount, even if /proc in the container is not fully visible. This flaw allows an attacker to read and modify some parts of the Linux kernel memory (rhbz#1663068).

runc through 1.0-rc6 allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: a new container with an attacker-controlled image, or an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe (CVE-2019-5736).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:6 / opencontainers-runc

Package

Name: opencontainers-runc
Purl: pkg:rpm/mageia/opencontainers-runc?distro=mageia-6

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.0rc5-3.2.mga6

Ecosystem specific

{
    "section": "core"
}