Incorrect Default Permissions in runc
Description
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where runc exec --cap created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes runc exec --cap behavior such that the additional capabilities granted to the process being executed (as specified via --cap arguments) do not include inheritable capabilities. In addition, runc spec is changed to not set any inheritable capabilities in the created example OCI spec (config.json) file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/opencontainers/runcGo | < 1.1.2 | 1.1.2 |
Affected products
134- osv-coords133 versionspkg:apk/chainguard/ctoppkg:apk/chainguard/podmanpkg:apk/chainguard/podman-docpkg:apk/chainguard/runcpkg:apk/chainguard/runc-docpkg:apk/wolfi/ctoppkg:apk/wolfi/podmanpkg:apk/wolfi/podman-docpkg:apk/wolfi/runcpkg:apk/wolfi/runc-docpkg:golang/github.com/opencontainers/runcpkg:rpm/almalinux/aardvark-dnspkg:rpm/almalinux/buildahpkg:rpm/almalinux/buildah-testspkg:rpm/almalinux/cockpit-podmanpkg:rpm/almalinux/conmonpkg:rpm/almalinux/containernetworking-pluginspkg:rpm/almalinux/containers-commonpkg:rpm/almalinux/container-selinuxpkg:rpm/almalinux/critpkg:rpm/almalinux/criupkg:rpm/almalinux/criu-develpkg:rpm/almalinux/criu-libspkg:rpm/almalinux/crunpkg:rpm/almalinux/fuse-overlayfspkg:rpm/almalinux/libslirppkg:rpm/almalinux/libslirp-develpkg:rpm/almalinux/netavarkpkg:rpm/almalinux/oci-seccomp-bpf-hookpkg:rpm/almalinux/podmanpkg:rpm/almalinux/podman-catatonitpkg:rpm/almalinux/podman-dockerpkg:rpm/almalinux/podman-gvproxypkg:rpm/almalinux/podman-pluginspkg:rpm/almalinux/podman-remotepkg:rpm/almalinux/podman-testspkg:rpm/almalinux/python3-criupkg:rpm/almalinux/python3-podmanpkg:rpm/almalinux/runcpkg:rpm/almalinux/skopeopkg:rpm/almalinux/skopeo-testspkg:rpm/almalinux/slirp4netnspkg:rpm/almalinux/toolboxpkg:rpm/almalinux/toolbox-testspkg:rpm/almalinux/udicapkg:rpm/opensuse/containerd&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/containerd&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/docker&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/docker&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/docker-kubic&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/docker-kubic&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/kubevirt&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/kubevirt&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/runc&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/runc&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/runc&distro=openSUSE%20Tumbleweedpkg:rpm/suse/containerd&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/containerd&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/containerd&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/containerd&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/containerd&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/containerd&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/docker&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/docker&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/docker&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/docker&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/docker&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/docker&distro=SUSE%20Manager%20Server%204.1pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/kubevirt&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4pkg:rpm/suse/runc&distro=SUSE%20Enterprise%20Storage%206pkg:rpm/suse/runc&distro=SUSE%20Enterprise%20Storage%207pkg:rpm/suse/runc&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP4pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCLpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCLpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSSpkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/runc&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/runc&distro=SUSE%20Manager%20Proxy%204.1pkg:rpm/suse/runc&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1pkg:rpm/suse/runc&distro=SUSE%20Manager%20Server%204.1
< 0.7.7-r13+ 132 more
- (no CPE)range: < 0.7.7-r13
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0.7.7-r13
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 5.2.2-r1
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 1.1.2
- (no CPE)range: < 2:1.0.1-35.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 1:1.24.5-2.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 1:1.24.5-2.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 46-1.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:2.1.4-1.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 1:1.1.1-2.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:1-35.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:2.189.0-1.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 3.15-3.module_el8.6.0+3137+d33c3efb
- (no CPE)range: < 3.15-3.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 3.15-3.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 3.15-3.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 1.5-1.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 1.9-1.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 4.4.0-1.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 4.4.0-1.module_el8.6.0+3137+d33c3efb
- (no CPE)range: < 2:1.0.1-35.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 1.2.5-1.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:4.0.2-8.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:4.0.2-8.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:4.0.2-8.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:4.0.2-8.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:4.0.2-8.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:4.0.2-8.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:4.0.2-8.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 3.15-3.module_el8.6.0+3137+d33c3efb
- (no CPE)range: < 4.0.0-1.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 1:1.1.4-1.module_el8.7.0+3344+484dae7b
- (no CPE)range: < 2:1.6.2-5.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 2:1.6.2-5.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 1.1.8-2.module_el8.6.0+2877+8e437bf5
- (no CPE)range: < 0.0.99.3-0.5.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 0.0.99.3-0.5.module_el8.7.0+3344+5bcd850f
- (no CPE)range: < 0.2.6-3.module_el8.6.0+2886+d33c3efb
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 0.0.20250807T150727-1.1
- (no CPE)range: < 0.49.0-150300.8.13.1
- (no CPE)range: < 0.54.0-150400.3.3.2
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.2-1.1
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-16.62.1
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 1.6.6-150000.73.2
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-98.83.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 20.10.17_ce-150000.166.1
- (no CPE)range: < 0.49.0-150300.8.13.1
- (no CPE)range: < 0.54.0-150400.3.3.2
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-16.21.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- (no CPE)range: < 1.1.3-150000.30.1
- opencontainers/runcv5Range: < 1.1.2
Patches
Vulnerability mechanics
References
13- github.com/advisories/GHSA-f3fp-gc8g-vw66ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2Y/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2022-29162ghsaADVISORY
- github.com/opencontainers/runcghsaPACKAGE
- github.com/opencontainers/runc/commit/d04de3a9b72d7a2455c1885fc75eb36d02cd17b5ghsaWEB
- github.com/opencontainers/runc/releases/tag/v1.1.2ghsaWEB
- github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66ghsaWEB
- lists.debian.org/debian-lts-announce/2023/03/msg00023.htmlghsamailing-listWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBBghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNNDghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2YghsaWEB
News mentions
0No linked articles in our index yet.