Hi Faidon, [+cc [email protected]]
On Sat, Mar 28, 2026 at 02:01:56PM +0200, Faidon Liambotis wrote:
> On Fri, Mar 27, 2026 at 06:39:02AM +0100, Salvatore Bonaccorso wrote:
> > The following vulnerability was published for crun.
> >
> > CVE-2026-30892[0]:
> > | crun is an open source OCI Container Runtime fully written in C. In
> > | versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`)
> > | is incorrectly parsed. The value `1` is interpreted as UID 0 and GID
> > | 0 when it should have been UID 1 and GID 0. The process thus runs
> > | with higher privileges than expected. Version 1.27 patches the
> > | issue.
>
> Thanks Salvatore! I saw the release and wanted to reach out, but you got
> to it first :)
>
> This is now fixed in unstable with 1.27-1, alongside a few other changes
> that I deemed to be safe. This was pre-tested in Debusine, so hopefully
> the forky migration won't be delayed.
>
> With regards to trixie, the commit you've already identified in the
> tracker (1bd7f42446999b0e76bc3d575392e05c943b0b01) seems to apply
> cleanly to 1.21.
>
> I've pushed a change to salsa under the debian/trixie branch that
> backports this patch (no other changes):
> https://salsa.debian.org/debian/crun/-/commit/cf06f3a5523236668050c588155b24a292860c74
>
> I've also pushed the .changes to debusine (without signing it) where it
> is being pre-tested:
> https://debusine.debian.net/debian/developers/work-request/536786/
>
> Let me know whether you would like me to proceed with the upload to
> security-master, or if there are changes that you would like to see.

Thanks for the update for unstable. Rechecking the GHSA, I think it does
not really need a DSA; could you fix it please for the next trixie point
release?

Regards,
Salvatore
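The advisory quoted above hinges on how a `uid[:gid]` string passed to `--user` is split into its two fields: a bare `1` must mean UID 1 with the default GID, never UID 0. The parser below is an added, stand-alone illustration of that contract in C and is not crun's code, nor a reconstruction of the crun bug or of commit 1bd7f42446999b0e76bc3d575392e05c943b0b01; `struct user_spec`, `parse_id` and `parse_user_spec` are hypothetical names, and the default GID of 0 is an assumption made for the example. It rejects empty fields, signs, trailing garbage and overflow rather than silently falling back to 0, which is the failure mode the CVE text describes.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical parsed form of a --user value (not crun's own struct). */
struct user_spec {
    uid_t uid;
    gid_t gid;
    bool  gid_given;   /* true only when an explicit ":gid" was present */
};

/* Parse one unsigned decimal id covering exactly [s, s+len).
 * Returns 0 on success, -1 if the field is empty, signed, non-numeric
 * or does not fit a uid_t/gid_t. Never "falls back" to 0. */
static int parse_id(const char *s, size_t len, unsigned long *out)
{
    char buf[32];
    char *end;
    unsigned long v;

    if (len == 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    if (buf[0] == '-' || buf[0] == '+')   /* strtoul would accept these */
        return -1;
    errno = 0;
    v = strtoul(buf, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT_MAX)
        return -1;
    *out = v;
    return 0;
}

/* Parse "uid[:gid]". A missing ":gid" keeps the assumed default gid (0)
 * and sets gid_given=false, so "1" yields uid=1, gid=0, not uid=0.
 * Returns 0 on success, -1 on malformed input (caller must then refuse
 * to exec rather than run anything as root). */
int parse_user_spec(const char *spec, struct user_spec *out)
{
    const char *colon;
    unsigned long v;

    if (spec == NULL || out == NULL)
        return -1;
    out->uid = 0;
    out->gid = 0;
    out->gid_given = false;

    colon = strchr(spec, ':');
    if (parse_id(spec, colon ? (size_t)(colon - spec) : strlen(spec), &v) < 0)
        return -1;
    out->uid = (uid_t)v;

    if (colon) {
        if (parse_id(colon + 1, strlen(colon + 1), &v) < 0)
            return -1;
        out->gid = (gid_t)v;
        out->gid_given = true;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, including the "1" case from the advisory. */
    const char *samples[] = { "1", "1:2", "0", "1000:", ":5", "1x", "-1", "" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        struct user_spec u;
        if (parse_user_spec(samples[i], &u) == 0)
            printf("%-6s -> uid=%u gid=%u%s\n", samples[i], (unsigned)u.uid,
                   (unsigned)u.gid, u.gid_given ? "" : " (default)");
        else
            printf("%-6s -> rejected\n", samples[i]);
    }
    return 0;
}
```

The point to carry into a review of any such parser is the third outcome: a malformed value must be an error that aborts the exec, because "could not parse, so use 0" turns a typo or a truncated string into a root process inside the container.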

