{"id":"OESA-2023-1204","summary":"runc security update","details":"runc is a CLI tool for spawning and running containers according to the OCI specification.\r\n\r\nSecurity Fix(es):\r\n\r\nrunc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.(CVE-2023-25809)\r\n\r\nrunc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.(CVE-2023-28642)","modified":"2025-09-03T06:19:01.681241Z","published":"2023-04-11T11:05:07Z","upstream":["CVE-2023-25809","CVE-2023-28642"],"database_specific":{"severity":"Medium"},"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2023-1204"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-25809"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28642"}],"affected":[{"package":{"name":"runc","ecosystem":"openEuler:22.03-LTS-SP1","purl":"pkg:rpm/openEuler/runc&distro=openEuler-22.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"docker-1.1.3-13.oe2203sp1"}]}],"ecosystem_specific":{"src":["docker-runc-1.1.3-13.oe2203sp1.src.rpm"],"aarch64":["docker-runc-1.1.3-13.oe2203sp1.aarch64.rpm"],"x86_64":["docker-runc-1.1.3-13.oe2203sp1.x86_64.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2023-1204.json"}}],"schema_version":"1.7.3"}