Security update for runc

Announcement ID:	SUSE-SU-2023:1726-1
Rating:	important
References:	bsc#1168481 bsc#1208962 bsc#1209884 bsc#1209888
Cross-References:	CVE-2023-25809 CVE-2023-27561 CVE-2023-28642
CVSS scores:	CVE-2023-25809 ( SUSE ): 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L CVE-2023-25809 ( NVD ): 5.0 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L CVE-2023-27561 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2023-27561 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2023-28642 ( SUSE ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVE-2023-28642 ( NVD ): 6.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Affected Products:	Containers Module 12 SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves three vulnerabilities and has one security fix can now be installed.

Description:

This update for runc fixes the following issues:

Update to runc v1.1.5:

Security fixes:

• CVE-2023-25809: Fixed rootless /sys/fs/cgroup is writable when cgroupns isn't unshared (bnc#1209884).
• CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability (bnc#1208962).
• CVE-2023-28642: Fixed AppArmor/SELinux bypass with symlinked /proc (bnc#1209888).

Other fixes:

• Fix the inability to use /dev/null when inside a container.
• Fix changing the ownership of host's /dev/null caused by fd redirection (bsc#1168481).
• Fix rare runc exec/enter unshare error on older kernels.
• nsexec: Check for errors in write_log().
• Drop version-specific Go requirement.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Containers Module 12
  zypper in -t patch SUSE-SLE-Module-Containers-12-2023-1726=1

Package List:

• Containers Module 12 (ppc64le s390x x86_64)
  • runc-1.1.5-16.29.1
  • runc-debuginfo-1.1.5-16.29.1

References:

• https://www.suse.com/security/cve/CVE-2023-25809.html
• https://www.suse.com/security/cve/CVE-2023-27561.html
• https://www.suse.com/security/cve/CVE-2023-28642.html
• https://bugzilla.suse.com/show_bug.cgi?id=1168481
• https://bugzilla.suse.com/show_bug.cgi?id=1208962
• https://bugzilla.suse.com/show_bug.cgi?id=1209884
• https://bugzilla.suse.com/show_bug.cgi?id=1209888