
Re: [SECURITY] [DLA 3735-1] runc security update



Hi,

On Mon, Feb 19, 2024 at 03:28:00AM +0100, Daniel Leidert wrote:
> -------------------------------------------------------------------------
> Debian LTS Advisory DLA-3735-1                debian-lts@lists.debian.org
> https://www.debian.org/lts/security/                       Daniel Leidert
> February 19, 2024                             https://wiki.debian.org/LTS
> -------------------------------------------------------------------------
> 
> Package        : runc
> Version        : 1.0.0~rc6+dfsg1-3+deb10u3
> CVE ID         : CVE-2021-43784 CVE-2024-21626
> Debian Bug     : 
> 
> runc is a command line client for running applications packaged according
> to the Open Container Format (OCF) and is a compliant implementation of
> the Open Container Project specification.
> 
> CVE-2021-43784
> 
>    A flaw has been detected that may lead to a possible length field
>    overflow, allowing user-controlled data to be parsed as control
>    characters.
> 
> CVE-2024-21626
> 
>    A flaw has been detected which allows several container breakouts
>    due to internally leaked file descriptors. The patch includes fixes
>    and hardening measurements against these types of issues/attacks.
> 
> For Debian 10 buster, these problems have been fixed in version
> 1.0.0~rc6+dfsg1-3+deb10u3.

The DLA reservation for this update in data/DLA/list seems to be missing;
can you push the changes there? Otherwise there is potential for a
duplicate DLA assignment, and the tracker will also not show the fixing
information correctly.

Out of interest: For CVE-2024-21626 upstream mentioned in their GHSA:
Affected versions: >=v1.0.0-rc93,<=1.1.11. If this is not correct then
it might be worth pointing it out to upstream so they can adjust the
affected version range. Do you know more by chance?

Regards,
Salvatore
