Bugzilla – Bug 1218894
VUL-0: CVE-2024-21626: runc: container breakout
Last modified: 2024-04-18 10:58:54 UTC
All runc codestreams look affected:
- SUSE:ALP:Source:Standard:1.0/runc
- SUSE:SLE-12:Update/runc
- SUSE:SLE-15:Update/runc

But I am not sure for docker-runc (both runc 1.0.0 on SLE12 and SLE15). Maybe @Aleksa can help here.
docker-runc is not used for anything, it was supposed to be removed in 2021. We just need to patch runc. The patches I attached in the announcement email should apply on top of our packages -- do you need me to make the MRs or is it okay for the security team to handle it? (I'm on vacation from the 25th and am currently on sick leave.)
MRs submitted:
* https://build.suse.de/request/show/318443
* https://build.suse.de/request/show/318444

Let me know if you need anything else.
public on oss

NOTE: This advisory was sent to <security-announce@opencontainers.org> two weeks ago. If you ship any Open Container Initiative software, we highly recommend that you subscribe to our security-announce list in order to receive more timely disclosures of future security issues. The procedure for subscribing to security-announce is outlined here[1].

Hello,

This is a notification to vendors that use runc about a high-severity vulnerability (CVE-2024-21626) with several exploit methods which allow for full container breakouts due to an internal file descriptor leak. Attached are patches which resolve this issue and provide further hardening to prevent similar issues from happening in the future. The provided patches apply cleanly on top of runc 1.1.11. We have also released runc 1.1.12[3] with these patches applied.

The most severe version of this issue is assigned a CVSS of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (8.6 -- High severity). For a full breakdown of the CVSS scoring for each sub-issue, please read through the advisory[2] which describes each attack in more detail.

The core issue is a file descriptor leak, and while we do O_CLOEXEC all file descriptors before executing the container code, the file descriptor is open when doing setcwd(2) which means that the reference can be kept alive into the container by configuring the working directory to be a path resolved through the file descriptor (and the non-dumpable bit is unset after execve(2) meaning that there are multiple ways to attack this other than bad configurations). There is also an execve(2)-based attack that makes simple verification unworkable and was particularly hairy to fix (the patch involves doing //go:linkname to access Go runtime internals, because the only way to defend against it entirely is to close all unneeded file descriptors -- for the same reason that #!-based tricks meant that CVE-2019-5736 required drastic measures).

Aside from only running trusted images and never using "runc exec" on containers, there are no generic workarounds for the issue and so users are strongly advised to patch their installations as soon as possible. Usage of user namespaces and LSMs like SELinux will reduce the impact of a container breakout (and we recommend using them) but do not stop it from happening entirely.

Credit for discovering and reporting the original vulnerability goes to Rory McNamara from Snyk. In addition, credit goes to @lifubang from acmcoder and Aleksa Sarai from SUSE for discovering how to adapt the attacks in various ways to make them more severe and practical for real SaaS workloads.

Please send any questions you have to <dev@opencontainers.org> or open an issue on our issue tracker[4]. If you feel the issue is security-sensitive please send a mail to <security@opencontainers.org>.

[1]: https://github.com/opencontainers/.github/blob/main/SECURITY.md#disclosure-distribution-list
[2]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
[3]: https://github.com/opencontainers/runc/releases/tag/v1.1.12
[4]: https://github.com/opencontainers/runc/issues/new
SUSE-SU-2024:0295-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218894
CVE References: CVE-2024-21626

Sources used:
- openSUSE Leap Micro 5.3 (src): runc-1.1.11-150000.58.1
- openSUSE Leap Micro 5.4 (src): runc-1.1.11-150000.58.1
- openSUSE Leap 15.5 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Micro for Rancher 5.3 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Micro 5.3 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Micro for Rancher 5.4 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Micro 5.4 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Micro 5.5 (src): runc-1.1.11-150000.58.1
- Containers Module 15-SP4 (src): runc-1.1.11-150000.58.1
- Containers Module 15-SP5 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): runc-1.1.11-150000.58.1
- SUSE Enterprise Storage 7.1 (src): runc-1.1.11-150000.58.1
- SUSE CaaS Platform 4.0 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Micro 5.1 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Micro 5.2 (src): runc-1.1.11-150000.58.1
- SUSE Linux Enterprise Micro for Rancher 5.2 (src): runc-1.1.11-150000.58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0294-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218894
CVE References: CVE-2024-21626

Sources used:
- Containers Module 12 (src): runc-1.1.11-16.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0328-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218894
CVE References: CVE-2024-21626

Sources used:
- Containers Module 12 (src): runc-1.1.12-16.46.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:0459-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1218894
CVE References: CVE-2024-21626

Sources used:
- openSUSE Leap Micro 5.3 (src): runc-1.1.12-150000.61.2
- openSUSE Leap Micro 5.4 (src): runc-1.1.12-150000.61.2
- openSUSE Leap 15.5 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Micro for Rancher 5.3 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Micro 5.3 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Micro for Rancher 5.4 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Micro 5.4 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Micro 5.5 (src): runc-1.1.12-150000.61.2
- Containers Module 15-SP4 (src): runc-1.1.12-150000.61.2
- Containers Module 15-SP5 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): runc-1.1.12-150000.61.2
- SUSE Enterprise Storage 7.1 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Micro 5.1 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Micro 5.2 (src): runc-1.1.12-150000.61.2
- SUSE Linux Enterprise Micro for Rancher 5.2 (src): runc-1.1.12-150000.61.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.