Advisories for Cargo/Youki package

Impact youki utilizes bind mounting the container's /dev/null as a file mask. When performing this operation, the initial validation of the source /dev/null was insufficient. Specifically, we initially failed to verify whether /dev/null was genuinely present. However, we did perform validation to ensure that the /dev/null path existed within the container, including checking for symbolic links. Additionally, there was a vulnerability in the timing between validation and the actual mount …

Impact youki’s apparmor handling performs insufficiently strict write-target validation, which—combined with path substitution during pathname resolution—can allow writes to unintended procfs locations. Weak write-target check youki only verifies that the destination lies somewhere under procfs. As a result, a write intended for /proc/self/attr/apparmor/exec can succeed even if the path has been redirected to /proc/sys/kernel/hostname(which is also in procfs). Path substitution While resolving a path component-by-component, a shared-mount race can substitute …

If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.