[Bug]: runc, container breakout vulnerabilities (CVE-2024-21626)

[JGoroso]

Testcontainers version

v0.20.2-0

Using the latest Testcontainers version?

Yes

Host OS

macos

Host arch

arm

Go version

1.21.5

Docker version

Client:
 Cloud integration: v1.0.35+desktop.10
 Version:           25.0.2
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        29cf629
 Built:             Thu Feb  1 00:18:45 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.27.1 (136059)
 Engine:
  Version:          25.0.2
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       fce6e0c
  Built:            Thu Feb  1 00:23:21 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Docker info

-

What happened?

Hello, we are encountering some problems with runc which use testcontainers-go, this is the vulnerabilty and apparently this could be the fix https://github.com/moby/moby/releases.

Could you help me? Thanks in advance!

Relevant log output

No response

Additional information

https://github.com/opencontainers/runc/releases/tag/v1.1.12
GHSA-xr7r-f8xq-vfvv

[mdelapenya]

Hey @JGoroso I see you are reporting this for testcontainers-go v0.20.2-0 but at the same time you mentioned using the latest version, which is v0.27.0. Is this a typo?

In any case, we merged #2196 yesterday, so using main is safe from that CVE, so will be the next release.

If this sounds good to you, I think we can close this issue. Thanks for the report!

[JGoroso]

Correct, I am using v0.20.2-0, my apoligies. I've to switch to v0.27.0.
You can close it, thanks for your answer!

[JGoroso]

Just to know, and if you can tell me, do you know when the new release would be out? Thanks.

[mdelapenya]

Hopefully soon this mid February. I'm finishing a task but I'm switching contexts more than I'd like to

[abezzub]

Is there a chance this can be released? The repo still depends on vulnerable version of containerd.

[mdelapenya]

@abezzub it was released in v0.28.0 😅 https://github.com/testcontainers/testcontainers-go/releases/tag/v0.28.0

[abezzub]

v1.7.12 version of containerd has vulnerability, the fix version is v1.7.13. Main currently depends on 1.7.12.

https://github.com/containerd/containerd/releases/tag/v1.7.13

[mdelapenya]

@abezzub I do not see the vulnerability in both

• https://github.com/testcontainers/testcontainers-go/security/dependabot
• https://deps.dev/go/github.com%2Ftestcontainers%2Ftestcontainers-go/

In fact, moving the version to v0.27.0 in https://deps.dev/go/github.com%2Ftestcontainers%2Ftestcontainers-go/v0.27.0 I do see it.

Could you clarify more where are you seeing the vulnerability?

[abezzub]

I don't know why dependabot doesn't show it, but I linked above the containerd release which has the CVE that it fixes. It was picked up by AWS ECR scanner for vulnerabilities.