Bug 29669

Summary: docker-containerd new security issue CVE-2021-41190
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, bruno, davidwhodgins, sysadmin-bugs, tarazed25
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: docker-containerd-1.5.7-1.mga9.src.rpm CVE:
Status comment:

Description David Walser 2021-11-18 21:54:18 CET 
Upstream has issued an advisory on November 17:
https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42

The issue is fixed upstream in 1.4.12 and 1.5.8:
https://github.com/containerd/containerd/releases/tag/v1.4.12
https://github.com/containerd/containerd/releases/tag/v1.5.8

It's also mentioned in the Docker/moby 20.10.11 release notes, but probably just because the upstream distribution bundles containerd:
https://github.com/moby/moby/releases/tag/v20.10.11
David Walser 2021-11-18 21:54:43 CET

Status comment: (none) => Fixed upstream in 1.4.12 and 1.5.8
Whiteboard: (none) => MGA8TOO

Comment 1 Bruno Cornec 2021-11-19 00:11:49 CET 
Version 1.5.8 pushed to cauldron.

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2021-11-19 00:14:30 CET 
Same version also pushed to updates_testing for mga8

Assignee: bruno => qa-bugs

Comment 3 David Walser 2021-11-19 00:18:22 CET 
docker-containerd-1.5.8-1.mga8

from docker-containerd-1.5.8-1.mga8.src.rpm

Status comment: Fixed upstream in 1.4.12 and 1.5.8 => (none)
CC: (none) => bruno
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 4 Len Lawrence 2021-11-25 19:07:45 CET 
mga8, x64

Updated docker-containerd and restarted the docker service.
$ urpmq --requires docker | grep containerd
docker: docker-containerd[>= 1.1.0]

Followed the procedure in bug 29268.
$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
.................
$ docker run -it ubuntu
root@14c631130af7:/# ls -l
total 48
lrwxrwxrwx   1 root root    7 Jul 23 17:35 bin -> usr/bin
drwxr-xr-x   2 root root 4096 Apr 15  2020 boot
drwxr-xr-x   5 root root  360 Nov 25 17:45 dev
drwxr-xr-x   1 root root 4096 Nov 25 17:45 etc
............
root@14c631130af7:/# ls bin
'['                        getopt             rgrep
 addpart                   gpasswd            rm
.............
root@14c631130af7:/# exit
exit
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED         STATUS                      PORTS     NAMES
14c631130af7   ubuntu          "bash"        3 minutes ago   Exited (0) 23 seconds ago             youthful_satoshi
4ebe8822fac9   hello-world     "/hello"      4 minutes ago   Exited (0) 4 minutes ago              funny_bhabha
...........
$ docker rm 88f8321c5926 61f76f4e329d 22517f8bed0e 5b03ae090d6e
88f8321c5926
61f76f4e329d
22517f8bed0e
5b03ae090d6e
$ docker run -it fedora:latest bash
[root@07421e5a620a /]# dnf install ruby
............
Install  11 Packages
Total download size: 4.4 M
Installed size: 16 M
Is this ok [y/N]: y
...............
Installed:
[.....]
  rubygems-3.2.22-149.fc34.noarch                                               
  rubypick-1.1.1-14.fc34.noarch                                                 
Complete!
[root@07421e5a620a /]# ruby -e "puts Object.methods"
.......
equal?
instance_eval
instance_exec
__id__
__send__
[root@07421e5a620a /]# exit

Good enough.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 5 Thomas Andrews 2021-11-27 00:03:06 CET 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2021-12-01 22:20:50 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 David Walser 2021-12-01 23:48:51 CET 
Fedora has issued an advisory for this today (December 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FLBBZYA3OFWVHHKTB5WOIIX6O7UI3YQS/
Comment 7 David Walser 2021-12-01 23:50:16 CET 
Upstream advisory for containerd itself:
https://github.com/advisories/GHSA-5j5w-g665-5m35
Comment 8 Mageia Robot 2021-12-02 17:50:42 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0531.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED