GHSA-5W4J-F78P-4WH9

Vulnerability from github – Published: 2025-03-21 15:18 – Updated: 2025-03-21 15:42
VLAI?
Summary
Libcontainer is affected by capabilities elevation similar to GHSA-f3fp-gc8g-vw66
Details

Impact

In libcontainer, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. Code can be seen here . The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container.

However, GHSA-f3fp-gc8g-vw66 was opened on runc mentioning that setting inherited caps in any case for tenant container can lead to elevation of capabilities. For this, they added a fix here where they never set new inherited caps on tenant, and set ambient caps only if original container had inherited caps.

Similarly crun never sets inherited caps as can be seen here.

[!NOTE] This does not affect youki binary itself, as the exec implementation is partially broken and does not pass on the user-provided caps to tenant containers, this is only applicable if you are using libcontainer directly and using the tenant builder.

Workarounds

  • Do not pass any user-provided capabilities to the tenant builder, in which case no capabilities will be set on tenant.
  • Alternatively you can verify the capabilities of original container and filter the user passed capabilities before setting them on tenant.

References

  • https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66
  • https://man7.org/linux/man-pages/man7/capabilities.7.html
Severity ?
5.9 (Medium)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libcontainer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.5.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-27612"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-276"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-21T15:18:28Z",
    "nvd_published_at": "2025-03-21T15:15:42Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nIn libcontainer, while creating a tenant container, the tenant builder accepts a list of capabilities to be added in the spec of tenant container. Code can be seen [here](https://github.com/youki-dev/youki/blob/9e63fa4da1672a78ca45100f3059a732784a5174/crates/libcontainer/src/container/tenant_builder.rs#L408) . The logic here adds the given capabilities to all capabilities of main container if present in spec, otherwise simply set provided capabilities as capabilities of the tenant container.\n\nHowever, GHSA-f3fp-gc8g-vw66 was opened on runc mentioning that setting inherited caps in any case for tenant container can lead to elevation of capabilities. For this, they added a fix [here](https://github.com/opencontainers/runc/blob/986451c24e17c8d4be3c454f60b1f7be4af3e8b4/exec.go#L234-L242) where they never set new inherited caps on tenant, and set ambient caps only if original container had inherited caps.\n\nSimilarly crun never sets inherited caps as can be seen [here](https://github.com/containers/crun/blob/3ec6298abd79e144fbf3fa6db90793ff4c0516f9/src/exec.c#L319).\n\n\u003e [!NOTE]\nThis does not affect youki binary itself, as the exec implementation is partially broken and does not pass on the user-provided caps to tenant containers, this is only applicable if you are using libcontainer directly and using the tenant builder.\n\n### Workarounds\n- Do not pass any user-provided capabilities to the tenant builder, in which case no capabilities will be set on tenant.\n- Alternatively you can verify the capabilities of original container and filter the user passed capabilities before setting them on tenant.\n\n### References\n- https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66\n- https://man7.org/linux/man-pages/man7/capabilities.7.html",
  "id": "GHSA-5w4j-f78p-4wh9",
  "modified": "2025-03-21T15:42:03Z",
  "published": "2025-03-21T15:18:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66"
    },
    {
      "type": "WEB",
      "url": "https://github.com/youki-dev/youki/security/advisories/GHSA-5w4j-f78p-4wh9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27612"
    },
    {
      "type": "WEB",
      "url": "https://github.com/youki-dev/youki/commit/747e342d2026fbf3a395db3e2a491ebef00082f1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/containers/crun/blob/3ec6298abd79e144fbf3fa6db90793ff4c0516f9/src/exec.c#L319"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/blob/986451c24e17c8d4be3c454f60b1f7be4af3e8b4/exec.go#L234-L242"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/youki-dev/youki"
    },
    {
      "type": "WEB",
      "url": "https://github.com/youki-dev/youki/blob/9e63fa4da1672a78ca45100f3059a732784a5174/crates/libcontainer/src/container/tenant_builder.rs#L408"
    },
    {
      "type": "WEB",
      "url": "https://man7.org/linux/man-pages/man7/capabilities.7.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Libcontainer is affected by capabilities elevation similar to GHSA-f3fp-gc8g-vw66"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.