| Name | CVE-2019-5736 |
| Description | runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 922050, 922169 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| lxc (PTS) | bullseye | 1:4.0.6-2+deb11u2 | fixed |
| bookworm | 1:5.0.2-1+deb12u3 | fixed | |
| sid, trixie | 1:6.0.4-2 | fixed | |
| runc (PTS) | bullseye | 1.0.0~rc93+ds1-5+deb11u5 | fixed |
| bullseye (security) | 1.0.0~rc93+ds1-5+deb11u3 | fixed | |
| bookworm, bookworm (security) | 1.1.5+ds1-1+deb12u1 | fixed | |
| sid, trixie | 1.1.15+ds1-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| lxc | source | (unstable) | 1:3.1.0+really3.0.3-4 | unimportant | 922169 | |
| runc | source | stretch | 0.1.1+dfsg1-2+deb9u1 | |||
| runc | source | (unstable) | 1.0.0~rc6+dfsg1-2 | 922050 |
https://www.openwall.com/lists/oss-security/2019/02/11/2
runc: Fixed by: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
lxc: Fixed by: https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
Not considered a security issue by LXC upstream