CVE-2024-45310 – runc can be confused to create empty files/directories on the host
https://notcve.org/view.php?id=CVE-2024-45310
runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/AppArmor) can also in principle block this attack; we suspect the industry-standard SELinux policy may restrict this attack's scope, but the exact scope of protection has not been analysed.

References:
https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7
https://github.com/opencontainers/runc/commit/8781993968fd964ac723ff5f360b6f259e809a3e
https://github.com/opencontainers/runc/commit/f0b652ea61ff6750a8fcc69865d45a7abf37accf
https://github.com/opencontainers/runc/pull/4359
https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv

Weaknesses:
CWE-61: UNIX Symbolic Link (Symlink) Following
CWE-363: Race Condition Enabling Link Following
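As an added example (not runc's own code and not the fix from the linked commits), this is the kind of symlink-safe directory creation that closes the bug class described above: instead of a path-based `os.MkdirAll`, each component is created and entered through file descriptors with mkdirat(2) and openat(2) using O_NOFOLLOW|O_DIRECTORY, so neither a symlink that already sits in the shared volume nor one swapped in during the walk can redirect creation outside the volume root. The name `mkdirAllInRoot` is hypothetical; the code assumes Linux and Go's standard `syscall` package.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// mkdirAllInRoot creates each component of rel beneath root using directory fds
// only: mkdirat(2) on the parent fd, then openat(2) with O_NOFOLLOW|O_DIRECTORY
// to step into the result. A symlink at any component, planted beforehand or
// swapped in mid-walk, fails that step (ELOOP) instead of redirecting creation
// outside root, which a path-based os.MkdirAll cannot guarantee. Linux only.
func mkdirAllInRoot(root, rel string, mode uint32) error {
	dirFlags := syscall.O_RDONLY | syscall.O_DIRECTORY | syscall.O_CLOEXEC
	cur, err := syscall.Open(root, dirFlags, 0)
	if err != nil {
		return err
	}
	defer func() { syscall.Close(cur) }()
	// Cleaning "/"+rel also discards any leading ".." components.
	for _, part := range strings.Split(filepath.Clean("/"+rel), "/") {
		if part == "" {
			continue
		}
		// EEXIST is tolerated: the openat below decides what the entry really is.
		if err := syscall.Mkdirat(cur, part, mode); err != nil && err != syscall.EEXIST {
			return fmt.Errorf("mkdirat %q: %w", part, err)
		}
		next, err := syscall.Openat(cur, part, dirFlags|syscall.O_NOFOLLOW, 0)
		if err != nil {
			return fmt.Errorf("openat %q: %w", part, err)
		}
		syscall.Close(cur)
		cur = next
	}
	return nil
}

// Usage: go run main.go <root-dir> <relative-path>. Against a root where one
// component of the path is a symlink, the call is refused with ELOOP.
func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: mkdirallinroot <root> <rel>")
		os.Exit(2)
	}
	fmt.Println("result:", mkdirAllInRoot(os.Args[1], os.Args[2], 0o755))
}
```

Run it against a scratch directory in which one path component is a symlink to see the refusal; `os.MkdirAll` on the same path would follow the link and create the directory at the link target.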