Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 790257 (CVE-2021-30465) - <app-emulation/runc-1.0.0_rc95: Container breakout via directory traversal (CVE-2021-30465)
Summary: <app-emulation/runc-1.0.0_rc95: Container breakout via directory traversal (C...
Status: RESOLVED FIXED
Alias: CVE-2021-30465
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/opencontainers/run...
Whiteboard: B4 [glsa+ cve]
Keywords:
: 791064 (view as bug list)
Depends on:
Blocks: CVE-2021-21334
  Show dependency tree
 
Reported: 2021-05-14 18:35 UTC by Thomas Deutschmann (RETIRED)
Modified: 2021-07-10 02:57 UTC (History)
4 users (show)

See Also:
Package list:
app-emulation/containerd-1.4.6 amd64 arm64 ppc64 app-emulation/docker-20.10.7 amd64 arm64 ppc64 app-emulation/docker-cli-20.10.7 amd64 arm64 ppc64 app-emulation/docker-proxy-0.8.0_p20210525 amd64 arm64 ppc64 app-emulation/runc-1.0.0_rc95 amd64 arm64 ppc64 sys-process/tini-0.19.0 ppc64
Runtime testing required: ---
nattka: sanity-check-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2021-05-14 18:35:48 UTC 
Incoming details.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-05-28 03:09:47 UTC 
Description:
"runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition."
Comment 3 Georgy Yakovlev archtester gentoo-dev 2021-06-11 01:01:25 UTC 
ppc64 done
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-06-11 01:16:39 UTC 
*** Bug 791064 has been marked as a duplicate of this bug. ***
Comment 5 William Hubbs gentoo-dev 2021-06-11 16:28:16 UTC 
amd64 done.
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-13 22:36:27 UTC 
arm64 done

all arches done
Comment 7 Georgy Yakovlev archtester gentoo-dev 2021-06-14 00:33:15 UTC 
cleanup done
Comment 8 NATTkA bot gentoo-dev 2021-06-15 02:08:22 UTC 
Unable to check for sanity:

> no match for package: sys-process/tini-0.19.0
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-10 00:27:48 UTC 
GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-07-10 02:57:24 UTC 
This issue was resolved and addressed in
 GLSA 202107-26 at https://security.gentoo.org/glsa/202107-26
by GLSA coordinator John Helmert III (ajak).