Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 790257 (CVE-2021-30465)

Summary: <app-emulation/runc-1.0.0_rc95: Container breakout via directory traversal (CVE-2021-30465)
Product: Gentoo Security Reporter: Thomas Deutschmann <whissi>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: ago, gyakovlev, sam, williamh
Priority: Normal Flags: nattka: sanity-check-
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Whiteboard: B4 [glsa+ cve]
Package list:
app-emulation/containerd-1.4.6 amd64 arm64 ppc64 app-emulation/docker-20.10.7 amd64 arm64 ppc64 app-emulation/docker-cli-20.10.7 amd64 arm64 ppc64 app-emulation/docker-proxy-0.8.0_p20210525 amd64 arm64 ppc64 app-emulation/runc-1.0.0_rc95 amd64 arm64 ppc64 sys-process/tini-0.19.0 ppc64
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 775329    

Description Thomas Deutschmann gentoo-dev Security 2021-05-14 18:35:48 UTC
Incoming details.
Comment 1 Sam James archtester gentoo-dev Security 2021-05-28 03:09:47 UTC
"runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition."
Comment 3 Georgy Yakovlev gentoo-dev 2021-06-11 01:01:25 UTC
ppc64 done
Comment 4 John Helmert III gentoo-dev Security 2021-06-11 01:16:39 UTC
*** Bug 791064 has been marked as a duplicate of this bug. ***
Comment 5 William Hubbs gentoo-dev 2021-06-11 16:28:16 UTC
amd64 done.
Comment 6 Sam James archtester gentoo-dev Security 2021-06-13 22:36:27 UTC
arm64 done

all arches done
Comment 7 Georgy Yakovlev gentoo-dev 2021-06-14 00:33:15 UTC
cleanup done
Comment 8 NATTkA bot gentoo-dev 2021-06-15 02:08:22 UTC
Unable to check for sanity:

> no match for package: sys-process/tini-0.19.0
Comment 9 John Helmert III gentoo-dev Security 2021-07-10 00:27:48 UTC
GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-07-10 02:57:24 UTC
This issue was resolved and addressed in
 GLSA 202107-26 at
by GLSA coordinator John Helmert III (ajak).