Bugzilla – Bug 1152308
VUL-0: CVE-2019-16884: runc: LSM bypass via malicious Docker image that mounts over a /proc directory
Last modified: 2024-07-22 13:50:38 UTC
CVE-2019-16884 runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16884
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16884.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884
https://github.com/opencontainers/runc/issues/2128
I've already submitted Factory SRs for this. Note that we need to backport several patches for it:
* https://github.com/opencontainers/runc/pull/2129
* https://github.com/opencontainers/runc/pull/2130
* https://github.com/opencontainers/selinux/pull/59
This is an autogenerated message for OBS integration: This bug (1152308) was mentioned in
https://build.opensuse.org/request/show/733835 Factory / runc
https://build.opensuse.org/request/show/733836 Factory / docker-runc
It should be noted this can also be used to bypass SELinux (and probably any LSM that depends on setting labels through /proc/self/attr/...).
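The description above says the flaw was that rootfs_linux.go checked mount targets incorrectly, and the comment above adds that any LSM configured by writing to /proc/self/attr/... is affected the same way. The following is an added illustration, not runc's code and not the content of the linked pull requests, of the class of check a container runtime needs here: the mount destination is resolved as it will be seen from inside the container rootfs, following symlinks the image controls, and anything that lands under /proc is refused unless it is the procfs mount on /proc itself. The `Mount` type, the function names and the constructed demo rootfs (an empty `proc/` plus two image-controlled symlinks pointing at it) are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Mount is a minimal stand-in (assumption) for an OCI mount entry.
type Mount struct {
	Source      string
	Destination string
	Type        string
}

const maxSymlinkFollows = 255

// resolveInRootfs returns the path that unsafePath names as seen from inside
// the container: symlinks found under rootfs are followed, absolute link
// targets are reinterpreted relative to rootfs, ".." never climbs above it,
// and components that do not exist yet are kept literally.
func resolveInRootfs(rootfs, unsafePath string) (string, error) {
	resolved := "/"
	queue := strings.Split(unsafePath, "/")
	follows := 0
	for len(queue) > 0 {
		part := queue[0]
		queue = queue[1:]
		switch part {
		case "", ".":
			continue
		case "..":
			resolved = filepath.Dir(resolved) // Dir("/") == "/", so no escape
			continue
		}
		candidate := filepath.Join(resolved, part)
		fi, err := os.Lstat(filepath.Join(rootfs, candidate))
		switch {
		case errors.Is(err, os.ErrNotExist):
			resolved = candidate // not created yet: keep the literal component
			continue
		case err != nil:
			return "", err
		case fi.Mode()&os.ModeSymlink == 0:
			resolved = candidate
			continue
		}
		// Symlink: splice its target in front of the remaining components.
		follows++
		if follows > maxSymlinkFollows {
			return "", errors.New("too many levels of symbolic links")
		}
		target, err := os.Readlink(filepath.Join(rootfs, candidate))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			resolved = "/" // absolute link: restart from the container root
		}
		queue = append(strings.Split(target, "/"), queue...)
	}
	return resolved, nil
}

// checkMountDestination refuses any mount whose destination resolves under
// /proc, except a procfs mount on /proc itself. Comparing the raw
// Destination string instead would miss a symlink such as /foo -> /proc.
func checkMountDestination(rootfs string, m Mount) error {
	dest, err := resolveInRootfs(rootfs, m.Destination)
	if err != nil {
		return fmt.Errorf("resolving %q: %w", m.Destination, err)
	}
	if dest == "/proc" && m.Type == "proc" {
		return nil
	}
	if dest == "/proc" || strings.HasPrefix(dest, "/proc/") {
		return fmt.Errorf("mount %q resolves to %s inside the container: refusing to mount over procfs", m.Destination, dest)
	}
	return nil
}

// buildDemoRootfs lays out a constructed rootfs: an empty /proc and two
// image-controlled symlinks pointing at it (one absolute, one relative).
func buildDemoRootfs(dir string) error {
	for _, d := range []string{"proc", "lib"} {
		if err := os.MkdirAll(filepath.Join(dir, d), 0o755); err != nil {
			return err
		}
	}
	if err := os.Symlink("/proc", filepath.Join(dir, "foo")); err != nil {
		return err
	}
	return os.Symlink("../proc", filepath.Join(dir, "lib", "link"))
}

func main() {
	dir, err := os.MkdirTemp("", "rootfs-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := buildDemoRootfs(dir); err != nil {
		panic(err)
	}
	for _, m := range []Mount{
		{Source: "proc", Destination: "/proc", Type: "proc"},
		{Source: "/tmp/attr", Destination: "/foo/self/attr", Type: "bind"},
		{Source: "/tmp/attr", Destination: "/lib/link/self/attr", Type: "bind"},
	} {
		fmt.Printf("%-22s -> %v\n", m.Destination, checkMountDestination(dir, m))
	}
}
```

The point of the resolver is that ".." is applied to the already-resolved prefix, never to the raw string, and absolute symlink targets restart from the container root rather than the host root; both are what a lexical `filepath.Clean` on the supplied destination gets wrong. A real runtime additionally has to deal with races between this check and the later mount (the path can change in between), which is out of scope for this illustration.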
This is an autogenerated message for OBS integration: This bug (1152308) was mentioned in
https://build.opensuse.org/request/show/736405 Factory / docker-runc
SUSE-SU-2019:2787-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1152308
CVE References: CVE-2019-16884
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.32.1
SUSE CaaS Platform 3.0 (src): docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-1.32.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2786-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1152308
CVE References: CVE-2019-16884
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-6.24.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src): docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.24.1
SUSE Linux Enterprise Module for Containers 15 (src): docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.24.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2810-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (moderate)
Bug References: 1131314,1131553,1152308
CVE References: CVE-2019-16884
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): runc-1.0.0~rc8-1.6.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src): runc-1.0.0~rc8-1.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2418-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1152308
CVE References: CVE-2019-16884
Sources used:
openSUSE Leap 15.0 (src): docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp150.5.28.1
openSUSE-SU-2019:2434-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1152308
CVE References: CVE-2019-16884
Sources used:
openSUSE Leap 15.1 (src): docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.9.1
SUSE-SU-2020:0035-1: An update that solves one vulnerability and has 5 fixes is now available.
Category: security (moderate)
Bug References: 1122469,1143349,1150397,1152308,1153367,1158590
CVE References: CVE-2019-16884
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): containerd-1.2.10-5.19.1, containerd-kubic-1.2.10-5.19.1, docker-19.03.5_ce-6.31.1, docker-kubic-19.03.5_ce-6.31.1, docker-runc-kubic-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): containerd-1.2.10-5.19.1, docker-19.03.5_ce-6.31.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src): containerd-1.2.10-5.19.1, docker-19.03.5_ce-6.31.1, docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
SUSE Linux Enterprise Module for Containers 15 (src): containerd-1.2.10-5.19.1, docker-19.03.5_ce-6.31.1, docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0065-1: An update that solves one vulnerability and has 5 fixes is now available.
Category: security (moderate)
Bug References: 1122469,1143349,1150397,1152308,1153367,1158590
CVE References: CVE-2019-16884
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.2.10-16.26.1, docker-19.03.5_ce-98.51.1, docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-28.1
SUSE CaaS Platform 3.0 (src): containerd-kubic-1.2.10-16.26.1, docker-kubic-19.03.5_ce-98.51.1, docker-runc-kubic-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2877_3eb39382bfa6-28.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0045-1: An update that solves one vulnerability and has 5 fixes is now available.
Category: security (moderate)
Bug References: 1122469,1143349,1150397,1152308,1153367,1158590
CVE References: CVE-2019-16884
Sources used:
openSUSE Leap 15.1 (src): containerd-1.2.10-lp151.2.9.1, docker-19.03.5_ce-lp151.2.15.1, docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-lp151.3.12.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-lp151.2.9.1
done
SUSE-SU-2021:1458-1: An update that solves 9 vulnerabilities and has 23 fixes is now available.
Category: security (important)
Bug References: 1028638,1034053,1048046,1051429,1053532,1095817,1118897,1118898,1118899,1121967,1131314,1131553,1149954,1152308,1160452,1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183397,1183855,1184768,1184962
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-16884,CVE-2019-19921,CVE-2019-5736,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.4.4-16.38.1, docker-20.10.6_ce-98.66.1, runc-1.0.0~rc93-16.8.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.