Release v1.1.5 (Fix CVE-2023-27561, CVE-2023-25809, CVE-2023-28642)

[AkihiroSuda]

We have to release v1.1.5 to fix:

• CVE-2023-27561 ([1.1 backport] Prohibit /proc and /sys to be symlinks #3785)
• CVE-2023-25809 (will be disclosed right before releasing v1.1.5)
• CVE-2023-28642 (will be disclosed right before releasing v1.1.5))

[AkihiroSuda]

@cyphar Could you / Can I (or any maintainer) make the release?

[kolyshkin]

I think we can postpone fixing #3715 to 1.1.6, so that we could release 1.1.5 faster.

[kolyshkin]

I will prepare a changelog.

[kolyshkin]

@cyphar it would be great if @AkihiroSuda or me could make a release.

@AkihiroSuda here's a draft of a changelog, not including a line for GHSA-m8cg-xc2p-r3fc. Feel free to use as is or modify.

## [1.1.5] - 2023-04-XX

> FIXME

### Fixed

* Prohibit container's `/proc` and `/sys` to be symlinks (CVE-2019-19921,
  CVE-2023-27561, #3785)
* Fix the inability to use `/dev/null` when inside a container. (#3620)
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
  (a regression in 1.1.1). (#3674, #3731)
* Fix rare runc exec/enter unshare error on older kernels, inlcuding
  CentOS < 7.7. (#3776)
* nsexec: Check for errors in `write_log()`. (#3721)
* Various CI fixes and updates. (#3618, #3630, #3640, #3729)

[cyphar]

I will do the release. We discussed making a runc.keyring file for this (so packagers use that rather than depending on my keyring), I can set that up later.

[cyphar]

@hqhq pressed the merge button for GHSA-m8cg-xc2p-r3fc, so I'll just push everything now.

[AkihiroSuda]

CI began to fail for Ubuntu 🤦
0d62b95
https://github.com/opencontainers/runc/actions/runs/4550888689/jobs/8024349935

not ok 94 runc run [ro /sys/fs/cgroup mount]
# (in test file tests/integration/mounts.bats, line 74)
#   `for line in "${lines[@]}"; do [[ "${line}" == *'ro,'* ]]; done' failed
# runc spec --rootless (status=0):
# 
# runc run test_busybox (status=0):
# cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0
# cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
# cgroup /sys/fs/cgroup/systemd cgroup ro,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
# cgroup /sys/fs/cgroup/net_cls,net_prio cgroup ro,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
# cgroup /sys/fs/cgroup/devices cgroup ro,nosuid,nodev,noexec,relatime,devices 0 0
# cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0
# cgroup /sys/fs/cgroup/freezer cgroup ro,nosuid,nodev,noexec,relatime,freezer 0 0
# cgroup /sys/fs/cgroup/hugetlb cgroup ro,nosuid,nodev,noexec,relatime,hugetlb 0 0
# cgroup /sys/fs/cgroup/cpu,cpuacct cgroup ro,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
# cgroup /sys/fs/cgroup/misc cgroup ro,nosuid,nodev,noexec,relatime,misc 0 0
# cgroup /sys/fs/cgroup/cpuset cgroup ro,nosuid,nodev,noexec,relatime,cpuset 0 0
# cgroup /sys/fs/cgroup/perf_event cgroup ro,nosuid,nodev,noexec,relatime,perf_event 0 0
# cgroup /sys/fs/cgroup/pids cgroup ro,nosuid,nodev,noexec,relatime,pids 0 0
# cgroup /sys/fs/cgroup/blkio cgroup ro,nosuid,nodev,noexec,relatime,blkio 0 0
# cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0
# cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0
# cgroup /sys/fs/cgroup/systemd cgroup ro,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
# cgroup /sys/fs/cgroup/net_cls,net_prio cgroup ro,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
# cgroup /sys/fs/cgroup/devices cgroup ro,nosuid,nodev,noexec,relatime,devices 0 0
# cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0
# cgroup /sys/fs/cgroup/freezer cgroup ro,nosuid,nodev,noexec,relatime,freezer 0 0
# cgroup /sys/fs/cgroup/hugetlb cgroup ro,nosuid,nodev,noexec,relatime,hugetlb 0 0
# cgroup /sys/fs/cgroup/cpu,cpuacct cgroup ro,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
# cgroup /sys/fs/cgroup/misc cgroup ro,nosuid,nodev,noexec,relatime,misc 0 0
# cgroup /sys/fs/cgroup/cpuset cgroup ro,nosuid,nodev,noexec,relatime,cpuset 0 0
# cgroup /sys/fs/cgroup/perf_event cgroup ro,nosuid,nodev,noexec,relatime,perf_event 0 0
# cgroup /sys/fs/cgroup/pids cgroup ro,nosuid,nodev,noexec,relatime,pids 0 0
# cgroup /sys/fs/cgroup/blkio cgroup ro,nosuid,nodev,noexec,relatime,blkio 0 0
# cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0

Passing for Fedora though.

[AkihiroSuda]

v1.1.5 is now ready ( https://github.com/opencontainers/runc/releases/tag/v1.1.5 ) (thanks @cyphar), so I'll open a separate issue to track the CI failure

• CI: mounts.bats began to fail for rootless on Ubuntu (But still passing on Fedora) #3792