Bug 1160452 (CVE-2019-19921) - VUL-0: CVE-2019-19921: runc: volume mount race condition with shared mounts
Summary: VUL-0: CVE-2019-19921: runc: volume mount race condition with shared mounts
Status: RESOLVED FIXED
Alias: CVE-2019-19921
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assignee: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/250393/
Whiteboard: CVSSv2:NVD:CVE-2019-19921:4.4:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-08 14:02 UTC by Alexander Bergmann
Modified: 2024-07-22 13:50 UTC (History)
5 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Aleksa Sarai 2020-01-15 14:12:31 UTC
I've been bouncing between different prior engagements so I only just had a chance to submit an upstream fix for the issue[1] and submit it to openSUSE. Unfortunately I'm at a conference (without my work laptop) so I cannot submit the same patch to IBS -- feel free to just do a direct submit-request from openSUSE.org:Virtualization:containers/docker-runc to SLE-15 and SLE-12.
Comment 2 Aleksa Sarai 2020-01-15 14:13:03 UTC
(In reply to Aleksa Sarai from comment #1)
> I've been bouncing between different prior engagements so I only just had a
> chance to submit an upstream fix for the issue[1] and submit it to openSUSE.
> Unfortunately I'm at a conference (without my work laptop) so I cannot
> submit the same patch to IBS -- feel free to just do a direct submit-request
> from openSUSE.org:Virtualization:containers/docker-runc to SLE-15 and SLE-12.

[1]: https://github.com/opencontainers/runc/pull/2207
Comment 3 Sascha Grunert 2020-01-16 07:42:09 UTC
Did 2 MRs for SLE 12 and 15

- https://build.suse.de/request/show/209391
- https://build.suse.de/request/show/209392
Comment 5 Aleksa Sarai 2020-01-19 22:29:25 UTC
The upstream PR has been modified (namely, error out if there is an attack in progress rather than mitigating it). I've submitted new versions of the openSUSE SRs and SLE MRs.
Comment 6 Swamp Workflow Management 2020-02-07 20:11:02 UTC
SUSE-SU-2020:0375-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1160452
CVE References: CVE-2019-19921
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    docker-runc-kubic-1.0.0rc8+gitr3917_3e425f80a8c9-6.32.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-6.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-02-07 20:11:40 UTC
SUSE-SU-2020:0376-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1160452
CVE References: CVE-2019-19921
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-1.40.1
SUSE CaaS Platform 3.0 (src):    docker-runc-kubic-1.0.0rc8+gitr3917_3e425f80a8c9-1.40.1
Comment 8 Swamp Workflow Management 2020-02-13 23:11:03 UTC
openSUSE-SU-2020:0219-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1160452
CVE References: CVE-2019-19921
Sources used:
openSUSE Leap 15.1 (src):    docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-lp151.3.15.1
Comment 11 Swamp Workflow Management 2020-04-07 19:15:55 UTC
SUSE-SU-2020:0944-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1149954,1160452
CVE References: CVE-2019-19921
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    runc-1.0.0~rc10-1.9.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    runc-1.0.0~rc10-1.9.1
Comment 14 Swamp Workflow Management 2021-04-30 16:19:57 UTC
SUSE-SU-2021:1458-1: An update that solves 9 vulnerabilities and has 23 fixes is now available.

Category: security (important)
Bug References: 1028638,1034053,1048046,1051429,1053532,1095817,1118897,1118898,1118899,1121967,1131314,1131553,1149954,1152308,1160452,1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183397,1183855,1184768,1184962
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-16884,CVE-2019-19921,CVE-2019-5736,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.4.4-16.38.1, docker-20.10.6_ce-98.66.1, runc-1.0.0~rc93-16.8.1
Comment 16 Cathy Hu 2023-03-06 10:37:12 UTC
Upstream found a regression for the CVE-2019-19921 fix that was introduced by the fix for CVE-2021-30465. This is tracked under CVE-2023-27561 here: https://bugzilla.suse.com/show_bug.cgi?id=1208962
Comment 17 Aleksa Sarai 2024-05-03 03:18:30 UTC
This has been fixed.