
Conversation


@bootc-bot bootc-bot bot commented Sep 5, 2025

This PR contains the following updates:

Package                          Change
github.com/opencontainers/runc   v1.1.12 -> v1.1.14

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-45310

Impact

runc 1.1.13 and earlier as well as 1.2.0-rc2 and earlier can be tricked into
creating empty files or directories in arbitrary locations in the host
filesystem by sharing a volume between two containers and exploiting a race
with os.MkdirAll. While this can be used to create empty files, existing
files will not be truncated.

An attacker must have the ability to start containers using some kind of custom
volume configuration. Containers using user namespaces are still affected, but
the scope of places an attacker can create inodes can be significantly reduced.
Sufficiently strict LSM policies (SELinux/AppArmor) can also in principle block
this attack -- we suspect the industry standard SELinux policy may restrict
this attack's scope but the exact scope of protection hasn't been analysed.

This is exploitable using runc directly as well as through Docker and
Kubernetes.

The CVSS score for this vulnerability is
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N (Low severity, 3.6).

Workarounds

Using user namespaces restricts this attack fairly significantly such that the
attacker can only create inodes in directories that the remapped root
user/group has write access to. Unless the root user is remapped to an actual
user on the host (such as with rootless containers that don't use
/etc/sub[ug]id), this in practice means that an attacker would only be able to
create inodes in world-writable directories.

A strict enough SELinux or AppArmor policy could in principle also restrict the
scope if a specific label is applied to the runc runtime, though we haven't
thoroughly tested to what extent the standard existing policies block this
attack nor what exact policies are needed to sufficiently restrict this attack.

Patches

Fixed in runc v1.1.14 and v1.2.0-rc3.

Credits

Thanks to Rodrigo Campos Catelin (@rata) and Alban Crequy (@alban) from
Microsoft for discovering and reporting this vulnerability.


Release Notes

opencontainers/runc (github.com/opencontainers/runc)

v1.1.14


A wizard is never late, nor is he early, he arrives precisely when he means
to.

As runc follows Semantic Versioning, we will endeavour to not make any
breaking changes without bumping the major version number of runc.
However, it should be noted that Go API usage of runc's internal
implementation (libcontainer) is not covered by this policy.

Removed
  • Removed libcontainer/configs.Device* identifiers (deprecated since rc94,
    use libcontainer/devices). (#2999)
  • Removed libcontainer/system.RunningInUserNS function (deprecated since
    rc94, use libcontainer/userns). (#2999)
Deprecated
  • The usage of relative paths for mountpoints will now produce a warning
    (such configurations are outside of the spec, and in future runc will
    produce an error when given such configurations). (#2917, #3004)
Fixed
  • cgroupv2: devices: rework the filter generation to produce consistent
    results with cgroupv1, and always clobber any existing eBPF
    program(s) to fix runc update and avoid leaking eBPF programs
    (resulting in errors when managing containers). (#2951)
  • cgroupv2: correctly convert "number of IOs" statistics in a
    cgroupv1-compatible way. (#2965, #2967, #2968, #2964)
  • cgroupv2: support larger than 32-bit IO statistics on 32-bit architectures.
  • cgroupv2: wait for freeze to finish before returning from the freezing
    code, optimize the method for checking whether a cgroup is frozen. (#2955)
  • cgroups/systemd: fixed "retry on dbus disconnect" logic introduced in rc94
  • cgroups/systemd: fixed returning "unit already exists" error from a systemd
    cgroup manager (regression in rc94). (#2997, #2996)
Added
  • cgroupv2: support SkipDevices with systemd driver. (#2958, #3019)
  • cgroup1: blkio: support BFQ weights. (#3010)
  • cgroupv2: set per-device io weights if BFQ IO scheduler is available.
    (#3022)
Changed
  • cgroup/systemd: return, not ignore, stop unit error from Destroy. (#2946)
  • Fix all golangci-lint failures. (#2781, #2962)
  • Make runc --version output sane even when built with go get or
    otherwise outside of our build scripts. (#2962)
  • cgroups: set SkipDevices during runc update (so we don't modify
    cgroups at all during runc update). (#2994)

v1.1.13


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
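The advisory quoted in the PR description attributes CVE-2024-45310 to a race against os.MkdirAll on a volume shared between two containers. As an added illustration of the mitigation shape, which is not runc's code and not the fix shipped in v1.1.14, the Linux-only Go function below creates each path component relative to a directory file descriptor opened with O_NOFOLLOW, so a component that is swapped for a symlink cannot redirect the creation outside the root; SecureMkdirAll and the temporary root in main are my own names and constructed input.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// SecureMkdirAll creates each component of rel below root without ever
// following a symlink (Linux only). Every step is relative to the fd of the
// directory reached so far, so the kernel never re-resolves the whole path;
// a component swapped for a symlink between mkdirat and openat fails with
// ELOOP instead of steering the creation outside root.
func SecureMkdirAll(root, rel string, mode uint32) error {
	dirfd, err := syscall.Open(root, syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return fmt.Errorf("open root %q: %w", root, err)
	}
	defer func() { syscall.Close(dirfd) }()
	for _, part := range strings.Split(filepath.Clean(rel), "/") {
		switch part {
		case "", ".":
			continue
		case "..":
			return fmt.Errorf("path %q escapes root via \"..\"", rel)
		}
		// Create the component; EEXIST is fine because the openat below
		// decides whether what exists is really a directory.
		if err := syscall.Mkdirat(dirfd, part, mode); err != nil && !errors.Is(err, syscall.EEXIST) {
			return fmt.Errorf("mkdirat %q: %w", part, err)
		}
		next, err := syscall.Openat(dirfd, part, syscall.O_DIRECTORY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
		if err != nil {
			return fmt.Errorf("openat %q: %w (component is not a plain directory)", part, err)
		}
		syscall.Close(dirfd)
		dirfd = next // later mkdirat calls are relative to this fd, not to a name
	}
	return nil
}

func main() {
	root, _ := os.MkdirTemp("", "securemkdir") // constructed sample root
	defer os.RemoveAll(root)
	fmt.Println(SecureMkdirAll(root, "a/b/c", 0o755)) // <nil>
}
```

Holding the fd is what defeats the race: once a real directory has been opened, nothing done to its name afterwards changes where the next mkdirat lands.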

@bootc-bot bootc-bot bot enabled auto-merge (squash) September 5, 2025 12:16

bootc-bot bot commented Sep 5, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
