The core issue is a file descriptor leak, and while we do `O_CLOEXEC` all file descriptors before executing the container code, the file descriptor is open when doing `setcwd(2)` which means that the reference can be kept alive into the container by configuring the working directory to be a path resolved through the file descriptor (and the non-dumpable bit is unset after `execve` meaning that there are multiple ways to attack this other than bad configurations). There is also an `execve`-based attack that makes simple verification unworkable was particularly hairy to fix (the patch involves doing `//go:linkname` to access Go runtime internals, because the only way to defend against it entirely is to close all unneeded file descriptors -- for the same reason that #!-based tricks meant that CVE-2019-5736 required drastic measures).
Created runc tracking bugs for this issue: Affects: fedora-all [bug 2262166]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:0670 https://access.redhat.com/errata/RHSA-2024:0670
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2024:0717 https://access.redhat.com/errata/RHSA-2024:0717
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:0756 https://access.redhat.com/errata/RHSA-2024:0756
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0748 https://access.redhat.com/errata/RHSA-2024:0748
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0752 https://access.redhat.com/errata/RHSA-2024:0752
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:0755 https://access.redhat.com/errata/RHSA-2024:0755
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:0760 https://access.redhat.com/errata/RHSA-2024:0760
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0757 https://access.redhat.com/errata/RHSA-2024:0757
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:0759 https://access.redhat.com/errata/RHSA-2024:0759
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2024:0758 https://access.redhat.com/errata/RHSA-2024:0758
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.11 Via RHSA-2024:0682 https://access.redhat.com/errata/RHSA-2024:0682
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:0662 https://access.redhat.com/errata/RHSA-2024:0662
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.11 Via RHSA-2024:0684 https://access.redhat.com/errata/RHSA-2024:0684
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:0645 https://access.redhat.com/errata/RHSA-2024:0645
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:0666 https://access.redhat.com/errata/RHSA-2024:0666
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0764 https://access.redhat.com/errata/RHSA-2024:0764
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2024:1270 https://access.redhat.com/errata/RHSA-2024:1270
Hi All, Seeing this vulnerability reported against the package "github.com/opencontainers/runc" which is bundled with either RedHat 8.9 minimial or OSE. Looking for a fix at the earliest as it is blocking our monthly release. Thanks & Regards, Gandhi. IBM MQ Container - Security Lead.