CVE-2022-29162

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-29162

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29162.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-29162

Aliases

Related

Published

2022-05-17T21:15:08Z

Modified

2024-09-18T03:17:51.572714Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where runc exec --cap created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes runc exec --cap behavior such that the additional capabilities granted to the process being executed (as specified via --cap arguments) do not include inheritable capabilities. In addition, runc spec is changed to not set any inheritable capabilities in the created example OCI spec (config.json) file.

References

Affected packages

Debian:11 / runc

Package

Name: runc
Purl: pkg:deb/debian/runc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.0~rc93+ds1-5+deb11u2

Affected versions

1.*

1.0.0~rc93+ds1-5

1.0.0~rc93+ds1-5+deb11u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / runc

Package

Name: runc
Purl: pkg:deb/debian/runc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.3+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / runc

Package

Name: runc
Purl: pkg:deb/debian/runc?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.3+ds1-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/opencontainers/runc

Affected ranges

Type: GIT
Repo: https://github.com/opencontainers/runc
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

d04de3a9b72d7a2455c1885fc75eb36d02cd17b5

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

v0.1.0

v0.1.1

v1.*

v1.0.0

v1.0.0-rc1

v1.0.0-rc10

v1.0.0-rc2

v1.0.0-rc3

v1.0.0-rc4

v1.0.0-rc5

v1.0.0-rc6

v1.0.0-rc7

v1.0.0-rc8

v1.0.0-rc9

v1.0.0-rc90

v1.0.0-rc91

v1.0.0-rc92

v1.0.0-rc93

v1.0.0-rc94

v1.0.0-rc95

v1.1.0

v1.1.0-rc.1