CVSS 3.1 base score: 3.3 (LOW)
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
Activity log
- Suggestion created by @LeSuisse
- @LeSuisse ignored 20 packages:
  - nym
  - crunch
  - git-brunch
  - y-cruncher
  - speedcrunch
  - ocaml-crunch
  - untrunc-anthwlock
  - ocamlPackages.crunch
  - gnomeExtensions.runcat
  - haskellPackages.git-brunch
  - ocamlPackages_latest.crunch
  - perlPackages.StringTruncate
  - python312Packages.truncnorm
  - python313Packages.truncnorm
  - python314Packages.truncnorm
  - perl5Packages.StringTruncate
  - haskellPackages.html-truncate
  - perl538Packages.StringTruncate
  - perl540Packages.StringTruncate
  - vscode-extensions.42crunch.vscode-openapi
- @LeSuisse accepted
- @LeSuisse published on GitHub
runc: Malicious image with /dev symlink can trigger limited host filesystem integrity violations
runc is a CLI tool for spawning and running containers according to the OCI specification. Versions before 1.3.6, 1.4.0-rc.1 through 1.4.2, and 1.5.0-rc.1 through 1.5.0-rc.2 are affected. When setting up the container rootfs, setupPtmx and setupDevSymlinks called os.Remove and os.Symlink on paths built with filepath.Join(rootfs, ...). filepath.Join is purely lexical: it concatenates the rootfs path with /dev/ptmx or the /dev/fd family of link names without checking whether any component inside the rootfs is itself a symlink, and the kernel then resolves the result at syscall time. An image that ships /dev as a symlink to a host path therefore tricks runc into deleting a file named ptmx in the directory the link points to, or into creating its hardcoded set of dev symlinks (fixed names, fixed targets) in an arbitrary pre-existing host directory. The attacker chooses only the target directory, not the file names or link contents, which is why the impact is a limited integrity violation on the host filesystem rather than arbitrary deletion or write (CVSS C:N/I:L/A:N). The issue is not exploitable under Docker, because Docker creates a top-level read-only layer on top of the image that masks any malicious /dev symlink in it; other higher-level runtimes built on runc that do not add such a layer remain exposed when they run a malicious image. The issue has been fixed in versions 1.3.6, 1.4.3 and 1.5.0-rc.3 (and so in any 1.5.0 release).
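As an added example (not code from the runc project, from the advisory, or from this tracker), the Go program below reproduces the path-handling mistake described above against a constructed fixture and contrasts it with a scoped join. The functions removeUnsafe, secureJoin, removeScoped and demo, the temporary "host" and "rootfs" directories and the file named ptmx are all this example's own. secureJoin is a minimal re-implementation of the scoped-join idea behind libraries such as cyphar/filepath-securejoin; it is an assumption about how to harden the pattern, not a copy of runc's actual fix. The fixture stands a directory named host in for the host filesystem and makes rootfs/dev an absolute symlink to it, which is what a malicious image's /dev symlink becomes once the image is unpacked.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// removeUnsafe reproduces the advisory's pattern: filepath.Join is lexical, so
// when <rootfs>/dev is a symlink the unlink follows it out of the rootfs.
func removeUnsafe(rootfs string) error {
	return os.Remove(filepath.Join(rootfs, "/dev/ptmx"))
}

// secureJoin resolves unsafePath inside root as if root were "/": absolute link targets are re-anchored
// at root and ".." never climbs above it. Minimal re-implementation for this example (assumption: not the upstream fix).
func secureJoin(root, unsafePath string) (string, error) {
	rest := strings.Split(filepath.Clean("/"+unsafePath), "/")
	var resolved []string // vetted components below root
	for hops := 0; len(rest) > 0; {
		comp := rest[0]
		rest = rest[1:]
		if comp == "" || comp == "." || comp == ".." {
			if comp == ".." && len(resolved) > 0 {
				resolved = resolved[:len(resolved)-1] // never above root
			}
			continue
		}
		next := append(append([]string{}, resolved...), comp)
		candidate := filepath.Join(root, filepath.Join(next...))
		fi, err := os.Lstat(candidate)
		if errors.Is(err, os.ErrNotExist) || (err == nil && fi.Mode()&os.ModeSymlink == 0) {
			resolved = next // plain entry, or nothing there yet: no link to follow
			continue
		}
		if err != nil {
			return "", err
		}
		if hops++; hops > 255 {
			return "", errors.New("too many levels of symbolic links") // e.g. dev -> dev
		}
		target, err := os.Readlink(candidate)
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			resolved = nil // "/x" seen from inside the container means "<root>/x"
		}
		rest = append(strings.Split(target, "/"), rest...)
	}
	return filepath.Join(root, filepath.Join(resolved...)), nil
}

// removeScoped is the hardened counterpart: a /dev symlink can only lead back inside the rootfs.
func removeScoped(rootfs string) error {
	p, err := secureJoin(rootfs, "/dev/ptmx")
	if err == nil {
		err = os.Remove(p)
	}
	if errors.Is(err, os.ErrNotExist) {
		return nil // nothing at the in-rootfs path, nothing to remove
	}
	return err
}

// demo builds a constructed fixture: a fake "host" dir holding a file named ptmx, and a rootfs whose /dev
// is an absolute symlink to it (a malicious image's /dev -> /some/host/dir, once unpacked). It reports which removal deleted the host file.
func demo() (unsafeDeleted, scopedDeleted bool, err error) {
	base, err := os.MkdirTemp("", "runc-devlink-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(base)
	host, rootfs := filepath.Join(base, "host"), filepath.Join(base, "rootfs")
	hostPtmx := filepath.Join(host, "ptmx")
	if err = os.MkdirAll(host, 0o755); err == nil {
		err = os.MkdirAll(rootfs, 0o755)
	}
	if err == nil {
		err = os.Symlink(host, filepath.Join(rootfs, "dev")) // the malicious /dev
	}
	run := func(remove func(string) error) bool {
		if err = os.WriteFile(hostPtmx, []byte("host file\n"), 0o644); err == nil {
			err = remove(rootfs)
		}
		_, statErr := os.Lstat(hostPtmx)
		return errors.Is(statErr, os.ErrNotExist) // true: the host's file is gone
	}
	unsafeDeleted = err == nil && run(removeUnsafe)
	scopedDeleted = err == nil && run(removeScoped)
	return unsafeDeleted, scopedDeleted, err
}

func main() {
	u, s, err := demo()
	fmt.Printf("deleted host ptmx via lexical join: %v, via scoped join: %v (err: %v)\n", u, s, err)
}
```

Running it shows the lexical join removing the fixture's host/ptmx while the scoped join leaves it alone, because the absolute symlink target is re-anchored under the rootfs and resolves to a path that does not exist there. The same scoped resolution would be applied before os.Symlink in the dev-symlink step. Resolve-then-act is adequate against a static malicious image, which is the threat here; against an attacker who can race the setup it would be a TOCTOU, so production code prefers resolving through directory file descriptors rather than re-walking a path string.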
References
- https://github.com/opencontainers/runc/security/advisories/GHSA-xjvp-4fhw-gc47 (vendor advisory)
- https://github.com/opencontainers/runc/commit/864db8042dbb (commit)
Affected products
- runc < 1.3.6
- runc >= 1.4.0-rc.1, < 1.4.3
- runc >= 1.5.0-rc.1, < 1.5.0-rc.3
Matching in nixpkgs
Ignored packages (20): unrelated packages whose name or version string merely contains "runc"
pkgs.nym
Mixnet providing IP-level privacy
- nixos-unstable 2024.14-crunch-patched
- nixpkgs-unstable 2024.14-crunch-patched
- nixos-unstable-small 2024.14-crunch-patched
- nixos-26.05 2024.14-crunch-patched
- nixos-26.05-small 2024.14-crunch-patched
- nixpkgs-26.05-darwin 2024.14-crunch-patched
pkgs.crunch
Wordlist generator
pkgs.git-brunch
git checkout command-line tool
pkgs.y-cruncher
Compute Pi and other constants to billions of digits
- nixos-unstable 0.8.7.9547
- nixpkgs-unstable 0.8.7.9547
- nixos-unstable-small 0.8.7.9547
- nixos-26.05 0.8.7.9547
- nixos-26.05-small 0.8.7.9547
- nixpkgs-26.05-darwin 0.8.7.9547
pkgs.speedcrunch
High-precision scientific calculator
- nixos-unstable 0.12-unstable-2024-12-02
- nixpkgs-unstable 0.12-unstable-2024-12-02
- nixos-unstable-small 0.12-unstable-2024-12-02
- nixos-26.05 0.12-unstable-2024-12-02
- nixos-26.05-small 0.12-unstable-2024-12-02
- nixpkgs-26.05-darwin 0.12-unstable-2024-12-02
pkgs.ocaml-crunch
Convert a filesystem into a static OCaml module
pkgs.untrunc-anthwlock
Restore a truncated mp4/mov (improved version of ponchio/untrunc)
- nixos-unstable 0-unstable-2026-02-04
- nixpkgs-unstable 0-unstable-2026-02-04
- nixos-unstable-small 0-unstable-2026-02-04
- nixos-26.05 0-unstable-2026-02-04
- nixos-26.05-small 0-unstable-2026-02-04
- nixpkgs-26.05-darwin 0-unstable-2026-02-04
pkgs.ocamlPackages.crunch
Convert a filesystem into a static OCaml module
pkgs.gnomeExtensions.runcat
The cat tells you the CPU usage by running speed
pkgs.haskellPackages.git-brunch
git checkout command-line tool
pkgs.ocamlPackages_latest.crunch
Convert a filesystem into a static OCaml module
pkgs.perlPackages.StringTruncate
Module for when strings are too long to be displayed in...
pkgs.python312Packages.truncnorm
pkgs.python313Packages.truncnorm
Moments for doubly truncated multivariate normal distributions
pkgs.python314Packages.truncnorm
Moments for doubly truncated multivariate normal distributions
pkgs.perl5Packages.StringTruncate
Module for when strings are too long to be displayed in...
pkgs.haskellPackages.html-truncate
A HTML truncator
pkgs.perl538Packages.StringTruncate
pkgs.perl540Packages.StringTruncate
pkgs.vscode-extensions.42crunch.vscode-openapi
Visual Studio Code extension with rich support for the OpenAPI Specification (OAS)
- nixos-unstable 42Crunch-vscode-openapi-4.40.0
- nixpkgs-unstable 42Crunch-vscode-openapi-4.40.0
- nixos-unstable-small 42Crunch-vscode-openapi-4.40.0
- nixos-26.05 42Crunch-vscode-openapi-4.40.0
- nixos-26.05-small 42Crunch-vscode-openapi-4.40.0
- nixpkgs-26.05-darwin 42Crunch-vscode-openapi-4.40.0
Package maintainers
- @saschagrunert Sascha Grunert <mail@saschagrunert.de>
- @vdemeester Vincent Demeester <vincent@sbr.pm>