Re: runc CVEs in docker.io
On Mon 2 Aug 2021, at 11:48, Dominique Dumont <dod@debian.org> wrote:
> On Tuesday, 27 July 2021 18:07:53 CEST Gareth Evans wrote:
> > Given that these are all fixed in Bullseye (and at least the grave
> > apt-listbugs issue has been fixed in eg Ubuntu since March 2020 [1]) why
> > not also Buster?
>
> According to runc security tracker, a fixed runc is available for buster,
> albeit in buster's security repository.
Thanks Dominique, do you have a link for this please? All I can find is
https://security-tracker.debian.org/tracker/source-package/runc
which includes
"available versions
...
buster 1.0.0~rc6+dfsg1-3"
and in the section following that, the ~rc6 version is apparently vulnerable on Buster to all open issues listed (at the time of writing), including CVE-2019-16884 complained of by apt-listbugs. I can't see any reference there to a security repo version, and my system doesn't find it, even after adding the line suggested in "keeping secure" [link below] to sources.list
> I guess that security repo is missing from your /etc/apt/sources.list
>
> See https://www.debian.org/security/#keeping-secure for instructions.
I already had a couple of references to security repos (do they all point to the same thing?) but added the suggested line anyway; no change even after a reboot and a second update.
$ sudo cat /etc/apt/sources.list
deb https://deb.debian.org/debian buster contrib main non-free
deb https://deb.debian.org/debian buster-updates contrib main non-free
deb https://deb.debian.org/debian-security/ buster/updates contrib main non-free
deb https://deb.debian.org/debian buster-backports contrib main non-free
deb https://security.debian.org/ buster/updates contrib main non-free
deb https://security.debian.org/debian-security buster/updates contrib main non-free
$ sudo apt update
Hit:1 https://security.debian.org buster/updates InRelease
Hit:2 https://deb.debian.org/debian buster InRelease
Hit:3 https://linux.teamviewer.com/deb stable InRelease
Hit:4 https://security.debian.org/debian-security buster/updates InRelease
Hit:5 https://deb.debian.org/debian buster-updates InRelease
Hit:6 https://deb.debian.org/debian-security buster/updates InRelease
Hit:7 https://deb.debian.org/debian buster-backports InRelease
...
All packages are up to date.
$ sudo apt install docker.io
...
grave bugs of runc (→ 1.0.0~rc6+dfsg1-3) <Resolved in some Version>
b1 - #942026 - runc: CVE-2019-16884 (Fixed: runc/1.0.0~rc9+dfsg1-1)
Summary:
runc(1 bug)
Are you sure you want to install/upgrade the above packages? [Y/n/?/...]
Tracker still shows that CVE and two others as open security issues in Buster.
https://tracker.debian.org/pkg/runc
and
$ apt policy runc
runc:
Installed: (none)
Candidate: 1.0.0~rc6+dfsg1-3
Version table:
1.0.0~rc6+dfsg1-3 500
500 https://deb.debian.org/debian buster/main amd64 Packages
Grateful for any further advice.
Thanks,
Gareth
>
> HTH
>
> Dod