runc 1.0.0-rc93 and earlier are vulnerable to a symlink exchange attack whereby an attacker can request a seemingly-innocuous container configuration that actually results in the host filesystem being bind-mounted into the container (allowing for a container escape). Reference: https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r
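The upstream fix referenced later in this thread validates each mount destination in two stages: it resolves the destination under the rootfs, opens the result as an O_PATH descriptor, checks through /proc/self/fd that the inode it actually opened is the path it expected, and then passes that /proc/self/fd path to mount(2) so the mount lands on the verified inode rather than on whatever a re-walk of the path would find. The following Go program is an added example of that pattern; it is not runc's code. The function names ResolveDest, OpenVerified and SafeMountDest are hypothetical, filepath.EvalSymlinks stands in for runc's securejoin, O_PATH is spelled out as a constant to avoid the x/sys dependency, and the rootfs layout it builds is constructed for the demonstration. It needs Linux (for /proc/self/fd) but not root, since no mount is performed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// oPath is Linux O_PATH (octal 010000000). runc uses unix.O_PATH from
// golang.org/x/sys/unix; the value is spelled out here only so that this
// example needs nothing outside the standard library.
const oPath = 0x200000

// ErrOutsideRootfs is returned when a mount destination does not stay inside
// the container rootfs.
var ErrOutsideRootfs = errors.New("mount destination resolves outside rootfs")

func inside(rootfs, p string) bool {
	return p == rootfs || strings.HasPrefix(p, rootfs+string(os.PathSeparator))
}

// ResolveDest is the path-based step: join the requested destination under
// rootfs, follow symlinks and reject anything that ends up outside rootfs.
// On its own this is the pre-fix situation: the filesystem can change between
// this check and the mount(2) that follows, which is exactly the symlink
// exchange window.
func ResolveDest(rootfs, dest string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	joined := filepath.Join(realRoot, dest) // lexically removes "..", "."
	if !inside(realRoot, joined) {
		return "", fmt.Errorf("%s -> %s: %w", dest, joined, ErrOutsideRootfs)
	}
	resolved, err := filepath.EvalSymlinks(joined)
	if err != nil {
		return "", fmt.Errorf("resolve %s: %w", joined, err)
	}
	if !inside(realRoot, resolved) {
		return "", fmt.Errorf("%s -> %s: %w", dest, resolved, ErrOutsideRootfs)
	}
	return resolved, nil
}

// OpenVerified is the fd-based step: open the already-resolved path as an
// O_PATH descriptor, ask the kernel via /proc/self/fd which path that
// descriptor really refers to, and refuse unless it is exactly the expected
// path. The returned procfd string is what mount(2) should be given as its
// target, so the mount lands on the verified inode even if a directory on the
// original path is replaced by a symlink afterwards. The caller closes fd.
func OpenVerified(expected string) (fd int, procfd string, err error) {
	fd, err = syscall.Open(expected, oPath|syscall.O_CLOEXEC, 0)
	if err != nil {
		return -1, "", fmt.Errorf("open %s: %w", expected, err)
	}
	procfd = fmt.Sprintf("/proc/self/fd/%d", fd)
	actual, err := os.Readlink(procfd)
	if err != nil {
		syscall.Close(fd)
		return -1, "", fmt.Errorf("readlink %s: %w", procfd, err)
	}
	if actual != expected {
		syscall.Close(fd)
		return -1, "", fmt.Errorf("%s opened %s instead: %w", expected, actual, ErrOutsideRootfs)
	}
	return fd, procfd, nil
}

// SafeMountDest chains both steps and hands the verified /proc/self/fd path
// to fn, which is where the real mount(2) call would go.
func SafeMountDest(rootfs, dest string, fn func(procfd string) error) error {
	resolved, err := ResolveDest(rootfs, dest)
	if err != nil {
		return err
	}
	fd, procfd, err := OpenVerified(resolved)
	if err != nil {
		return err
	}
	defer syscall.Close(fd)
	return fn(procfd)
}

func main() {
	// Constructed layout: a throwaway rootfs with a real directory and a
	// symlink that points at the host root.
	rootfs, err := os.MkdirTemp("", "rootfs")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(rootfs)
	_ = os.Mkdir(filepath.Join(rootfs, "etc"), 0o755)
	_ = os.Symlink("/", filepath.Join(rootfs, "evil"))

	for _, dest := range []string{"/etc", "/evil", "/../outside"} {
		err := SafeMountDest(rootfs, dest, func(procfd string) error {
			fmt.Printf("%s: would mount on %s\n", dest, procfd)
			return nil
		})
		fmt.Printf("%s: %v\n", dest, err)
	}
}
```

The important property is that the decision is taken on the descriptor, not on the path string: if a directory component is swapped for a symlink after ResolveDest returns, OpenVerified sees the kernel's real path for the opened inode differ from the expected one and refuses, which is the case the pre-fix code could not detect.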
Acknowledgments: Name: Etienne Champetier
Statement: OpenShift Container Platform OCP 3.11 by default uses Docker from the RHEL-7 extras repository. If using OCP 3.11, upgrade docker on all nodes to a fixed version from the RHEL-7 extras channel. CRI-O could be used instead of Docker on OCP 3.11; in that case upgrade the runc version from the OCP rpm repository when it becomes available.
Created attachment 1782007 [details] Full patch set from Aleksa - patches work for rc93.
Mitigation: On OpenShift Container Platform keep SELinux in enforcing mode on the worker nodes to reduce the impact of this vulnerability.
Hi Kir, seems the attached "Backport to upstream runc-1.0.0-rc10/rc90" doesn't apply against extras-rhel-7.9's runc-1.0.0-68.rc10:

+ /usr/bin/cat /tmp/rh/runc/extras-rhel-7.9/0001-rootfs-add-mount-destination-validation.patch
+ /usr/bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch
6 out of 9 hunks FAILED -- saving rejects to file libcontainer/rootfs_linux.go.rej
1 out of 2 hunks FAILED -- saving rejects to file libcontainer/utils/utils.go.rej

Can you please fix the patch for runc-1.0.0-68.rc10? Thanks!
Created attachment 1784640 [details]
Backport to projectatomic/runc docker-1.13.1-rhel branch (fixed)

v2: fixed to import Sirupsen/logrus rather than sirupsen/logrus
> cannot find package "github.com/sirupsen/logrus" in any of: [...]

My bad. Patch updated.
Created runc tracking bugs for this issue: Affects: fedora-all [bug 1962096]
Upstream commit: https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f
> it seems backports are still needed for rc5 and mainly for rc92 where patches for rc10/rc93 doesn't apply. Do you mind having a look Kir?

still working on it...
For Red Hat OpenStack Platform, RHEL's packaged runc is used for containerized services via docker and podman. Note: OpenStack doesn't directly package runc. However, the impact of this flaw is reduced for OpenStack because: * SELinux policies are preconfigured and SELinux is enabled by default. * Containers that run in an OpenStack environment are trusted services. Introducing a malicious access point would take significant effort and be easy to remediate once discovered.
Created attachment 1785360 [details]
Backport to upstream runc-1.0.0-rc5

This is a manual backport to runc v1.0.0-rc5. Did not do any testing other than making sure it compiles.
Created attachment 1785365 [details]
Backport to upstream runc-1.0.0-rc92

Manual backport to rc92. Only testing done is to make sure it compiles.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1562 https://access.redhat.com/errata/RHSA-2021:1562
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-30465
Hi Kir, the rc92 patch applies cleanly - packages are now built with that patch. Thanks!

There is an issue with the rc5 patch:

+ /usr/bin/cat /tmp/rh/runc/stream-container-tools-1.0-rhel-8.5.0/0001-rc5-rootfs-add-mount-destination-validation.patch
+ /usr/bin/git apply --index --reject -
Checking patch libcontainer/rootfs_linux.go...
Hunk #4 succeeded at 183 (offset 20 lines).
error: while searching for:
		}
		return nil
	case "tmpfs":
		copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
		tmpDir := ""
		stat, err := os.Stat(dest)
		if err != nil {
			if err := os.MkdirAll(dest, 0755); err != nil {
				return err
			}
		}
		if copyUp {
			tmpDir, err = ioutil.TempDir("/tmp", "runctmpdir")
			if err != nil {
				return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
			}
			defer os.RemoveAll(tmpDir)
			m.Destination = tmpDir
		}
		if err := mountPropagate(m, rootfs, mountLabel); err != nil {
			return err
		}
		if copyUp {
			if err := fileutils.CopyDirectory(dest, tmpDir); err != nil {
				errMsg := fmt.Errorf("tmpcopyup: failed to copy %s to %s: %v", dest, tmpDir, err)
				if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
					return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
				}
				return errMsg
			}
			if err := unix.Mount(tmpDir, dest, "", unix.MS_MOVE, ""); err != nil {
				errMsg := fmt.Errorf("tmpcopyup: failed to move mount %s to %s: %v", tmpDir, dest, err)
				if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
					return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
				}
				return errMsg
			}
		}
		if stat != nil {
			if err = os.Chmod(dest, stat.Mode()); err != nil {
				return err

error: patch failed: libcontainer/rootfs_linux.go:190
Hunk #6 succeeded at 302 (offset 46 lines).
Hunk #7 succeeded at 380 (offset 46 lines).
Hunk #8 succeeded at 533 (offset 47 lines).
Hunk #9 succeeded at 541 (offset 47 lines).
Hunk #10 succeeded at 882 (offset 82 lines).
Checking patch libcontainer/utils/utils.go...
error: while searching for:
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"io"
	"os"
	"path/filepath"
	"strings"
	"unsafe"

	"golang.org/x/sys/unix"
)

error: patch failed: libcontainer/utils/utils.go:4
Hunk #2 succeeded at 73 (offset -18 lines).
Checking patch libcontainer/utils/utils_test.go...
error: while searching for:
		t.Errorf("expected to receive '/var' and received %s", path)
	}
}

error: patch failed: libcontainer/utils/utils_test.go:152
Applying patch libcontainer/rootfs_linux.go with 1 reject...
Hunk #1 applied cleanly.
Hunk #2 applied cleanly.
Hunk #3 applied cleanly.
Hunk #4 applied cleanly.
Rejected hunk #5.
Hunk #6 applied cleanly.
Hunk #7 applied cleanly.
Hunk #8 applied cleanly.
Hunk #9 applied cleanly.
Hunk #10 applied cleanly.
Applying patch libcontainer/utils/utils.go with 1 reject...
Rejected hunk #1.
Hunk #2 applied cleanly.
Applying patch libcontainer/utils/utils_test.go with 1 reject...
Rejected hunk #1.

Can you please have a look? runc in the 1.0 stream is based on runc-2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7 and there are currently these patches applied on top of it: http://pkgs.devel.redhat.com/cgit/rpms/runc/tree/?h=stream-container-tools-1.0-rhel-8.5.0

Thanks,
Jindrich
Created attachment 1786656 [details]
Backport to rhel8.5 (runc v1.0.0-rc5-133-g2abd837c)

The rc5 patch was not applicable to the rhel8.5 codebase because it's closer to rc6 in fact:

[kir@kir-rhat runc]$ git describe --tags --contains 2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7
v1.0.0-rc6~27
[kir@kir-rhat runc]$ git describe --tags 2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7
v1.0.0-rc5-133-g2abd837c

The commit 62a4763a7ab490340eab59a72498c6f4a197bed8 (aka v1.0.0-rc5-133-g2abd837c) made changes to tmpfs copyup, this is why the rc5 patch was not applicable. Attached is the patch against the rhel8.5 codebase as found at http://pkgs.devel.redhat.com/cgit/rpms/runc/tree/?h=stream-container-tools-1.0-rhel-8.5.0 (with all 5 patches from the spec pre-applied).
Thanks Kir. The patch applies cleanly and is now committed into container-tools-1.0.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:1566 https://access.redhat.com/errata/RHSA-2021:1566
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:2057 https://access.redhat.com/errata/RHSA-2021:2057
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2021:2144 https://access.redhat.com/errata/RHSA-2021:2144
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2021:2145 https://access.redhat.com/errata/RHSA-2021:2145
Created attachment 1789284 [details] Backport to projectatomic/runc docker-1.13.1-rhel branch (fixed-fixed)
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:2292 https://access.redhat.com/errata/RHSA-2021:2292
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2291 https://access.redhat.com/errata/RHSA-2021:2291
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2021:2150 https://access.redhat.com/errata/RHSA-2021:2150
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2371 https://access.redhat.com/errata/RHSA-2021:2371
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:2370 https://access.redhat.com/errata/RHSA-2021:2370
Container-tools:1.0 for rhel8 is out of support scope already and won't receive these fixes.