On Fri, Mar 27, 2026 at 06:39:02AM +0100, Salvatore Bonaccorso wrote:
> The following vulnerability was published for crun.
>
> CVE-2026-30892[0]:
> | crun is an open source OCI Container Runtime fully written in C. In
> | versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`)
> | is incorrectly parsed. The value `1` is interpreted as UID 0 and GID
> | 0 when it should have been UID 1 and GID 0. The process thus runs
> | with higher privileges than expected. Version 1.27 patches the
> | issue.
Thanks Salvatore! I saw the release and wanted to reach out, but you got to it first :)

This is now fixed in unstable with 1.27-1, alongside a few other changes that I deemed to be safe. This was pre-tested in Debusine, so hopefully the forky migration won't be delayed.

With regards to trixie, the commit you've already identified in the tracker (1bd7f42446999b0e76bc3d575392e05c943b0b01) seems to apply cleanly to 1.21. I've pushed a change to salsa under the debian/trixie branch that backports this patch (no other changes):
https://salsa.debian.org/debian/crun/-/commit/cf06f3a5523236668050c588155b24a292860c74

I've also pushed the .changes to debusine (without signing it) where it is being pre-tested:
https://debusine.debian.net/debian/developers/work-request/536786/

Let me know whether you would like me to proceed with the upload to security-master, or if there are changes that you would like to see.

Thanks!
Faidon
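The advisory quoted above says `-u 1` must yield UID 1 and GID 0 (and not UID 0/GID 0). The following is an added example, not crun's code or the patch referenced in this thread: a strict parser for a numeric `UID[:GID]` user spec plus a `check_spec` helper suitable as a regression check, with the `1` case from the advisory among its inputs. It assumes numeric IDs only (name lookup via the passwd database is out of scope) and that a missing group defaults to GID 0, as the advisory states.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Parse one decimal ID from s[0..len). Returns 0 on success, -1 on malformed input.
   Signs, whitespace and trailing garbage are rejected: strtoul alone would
   silently accept "-1" or " 1", which is exactly the kind of leniency that
   turns an unprivileged request into UID 0. */
static int parse_one_id(const char *s, size_t len, unsigned long *out)
{
    char buf[32];
    char *end;
    unsigned long v;

    if (len == 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    if (buf[0] < '0' || buf[0] > '9')
        return -1;
    errno = 0;
    v = strtoul(buf, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT_MAX)
        return -1;
    *out = v;
    return 0;
}

/* Parse "UID[:GID]" (assumed format for this example). A missing GID is 0 and
   is never derived from the UID field, so "1" gives UID 1 / GID 0. */
int parse_user_spec(const char *spec, unsigned long *uid, unsigned long *gid)
{
    const char *colon;
    size_t ulen;

    if (spec == NULL)
        return -1;
    colon = strchr(spec, ':');
    ulen = colon ? (size_t)(colon - spec) : strlen(spec);
    if (parse_one_id(spec, ulen, uid) != 0)
        return -1;
    if (colon == NULL) {
        *gid = 0;
        return 0;
    }
    return parse_one_id(colon + 1, strlen(colon + 1), gid);
}

/* Regression helper: 1 if spec parses to exactly (want_uid, want_gid), else 0. */
int check_spec(const char *spec, unsigned long want_uid, unsigned long want_gid)
{
    unsigned long u = 0, g = 0;
    if (parse_user_spec(spec, &u, &g) != 0)
        return 0;
    return u == want_uid && g == want_gid;
}
```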

