Security update for docker-runc SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2019:0362-1 Final 1 1 2019-02-13T12:31:58Z current 2019-02-13T12:31:58Z 2019-02-13T12:31:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for docker-runc This update for docker-runc fixes the following issues: Security issue fixed: - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES15-OCI-BYOS-2019-362,Image SLES15-SAP-OCI-BYOS-2019-362,Image SLES15-SP1-OCI-BYOS-2019-362,Image SLES15-SP1-SAP-OCI-BYOS-2019-362,Image SLES15-SP2-Azure-Basic-2019-362,Image SLES15-SP2-Azure-Standard-2019-362,Image SLES15-SP2-EC2-ECS-HVM-2019-362,Image SLES15-SP2-GCE-2019-362,Image SLES15-SP2-HPC-Azure-2019-362,SUSE-2019-362,SUSE-SLE-Module-Containers-15-2019-362,SUSE-SLE-Module-Development-Tools-OBS-15-2019-362 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2019/suse-su-20190362-1/ Link for SUSE-SU-2019:0362-1 https://lists.suse.com/pipermail/sle-security-updates/2019-February/005113.html E-Mail link for SUSE-SU-2019:0362-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1121967 SUSE Bug 1121967 https://www.suse.com/security/cve/CVE-2019-5736/ SUSE CVE CVE-2019-5736 page Image SLES15-OCI-BYOS Image SLES15-SAP-OCI-BYOS Image SLES15-SP1-OCI-BYOS Image SLES15-SP1-SAP-OCI-BYOS Image SLES15-SP2-Azure-Basic Image SLES15-SP2-Azure-Standard Image SLES15-SP2-EC2-ECS-HVM Image SLES15-SP2-GCE Image SLES15-SP2-HPC-Azure SUSE Linux Enterprise Module for Containers 15 docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 docker-runc-kubic-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 docker-runc-kubic-test-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 as a component of Image SLES15-OCI-BYOS docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 as a component of Image SLES15-SAP-OCI-BYOS docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 as a component of Image SLES15-SP1-OCI-BYOS docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 as a component of Image SLES15-SP1-SAP-OCI-BYOS docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 as a component of Image SLES15-SP2-Azure-Basic docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 as a component of Image SLES15-SP2-Azure-Standard docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 as a component of Image SLES15-SP2-EC2-ECS-HVM docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 as a component of Image SLES15-SP2-GCE docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 as a component of Image SLES15-SP2-HPC-Azure docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 as a component of SUSE Linux Enterprise Module for Containers 15 runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. CVE-2019-5736 Image SLES15-OCI-BYOS:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 Image SLES15-SAP-OCI-BYOS:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 Image SLES15-SP1-OCI-BYOS:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 Image SLES15-SP1-SAP-OCI-BYOS:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 Image SLES15-SP2-Azure-Basic:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 Image SLES15-SP2-Azure-Standard:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 Image SLES15-SP2-EC2-ECS-HVM:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 Image SLES15-SP2-GCE:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 Image SLES15-SP2-HPC-Azure:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 SUSE Linux Enterprise Module for Containers 15:docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2019/suse-su-20190362-1/ https://www.suse.com/security/cve/CVE-2019-5736.html CVE-2019-5736 https://bugzilla.suse.com/1121967 SUSE Bug 1121967 https://bugzilla.suse.com/1122185 SUSE Bug 1122185 https://bugzilla.suse.com/1173421 SUSE Bug 1173421