x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2024-45310

[GoVulnBot]

Advisory CVE-2024-45310 references a vulnerability in the following Go modules:

Module
github.com/opencontainers/runc

Description:
runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with os.MkdirAll. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of plac...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-45310
• FIX: opencontainers/runc@63c2908
• FIX: opencontainers/runc@8781993
• FIX: opencontainers/runc@f0b652e
• FIX: rootfs: consolidate mountpoint creation logic opencontainers/runc#4359
• WEB: GHSA-jfvp-7x6p-h2pv

Cross references:

• github.com/opencontainers/runc appears in 12 other report(s):
  • data/reports/GO-2021-0070.yaml (dummy issue #70)
  • data/reports/GO-2021-0085.yaml (dummy issue #85)
  • data/reports/GO-2021-0087.yaml (dummy issue #87)
  • data/reports/GO-2022-0274.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2021-43784 #274)
  • data/reports/GO-2022-0396.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-g54h-m393-cpwq #396)
  • data/reports/GO-2022-0452.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2022-29162 #452)
  • data/reports/GO-2022-0835.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-gp4j-w3vj-7299 #835)
  • data/reports/GO-2022-0914.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2021-30465, GHSA-c3xm-pvg7-gh7r #914)
  • data/reports/GO-2023-1627.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: GHSA-vpvm-3wq2-2wvm #1627)
  • data/reports/GO-2023-1682.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2023-25809 #1682)
  • data/reports/GO-2023-1683.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2023-28642 #1683)
  • data/reports/GO-2024-2491.yaml (x/vulndb: potential Go vuln in github.com/opencontainers/runc: CVE-2024-21626 #2491)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/opencontainers/runc
      vulnerable_at: 1.1.14
summary: CVE-2024-45310 in github.com/opencontainers/runc
cves:
    - CVE-2024-45310
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45310
    - fix: https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7
    - fix: https://github.com/opencontainers/runc/commit/8781993968fd964ac723ff5f360b6f259e809a3e
    - fix: https://github.com/opencontainers/runc/commit/f0b652ea61ff6750a8fcc69865d45a7abf37accf
    - fix: https://github.com/opencontainers/runc/pull/4359
    - web: https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv
source:
    id: CVE-2024-45310
    created: 2024-09-03T21:01:24.412308071Z
review_status: UNREVIEWED

[tatianab]

Duplicate of #3110