Bug 30279

Summary:	docker-containerd new security issue CVE-2022-24769
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	andrewsfarm, bruno, davidwhodgins, sysadmin-bugs, tarazed25
Version:	8	Keywords:	advisory, validated_update
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	MGA8-64-OK
Source RPM:	docker-containerd-1.5.10-2.mga9.src.rpm	CVE:
Status comment:

Description David Walser 2022-04-12 23:12:08 CEST

Fedora has issued an advisory on April 11:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/

The issue is fixed upstream in 1.5.11:
https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c

Mageia 8 is also affected.

David Walser 2022-04-12 23:12:23 CEST

Status comment: (none) => Fixed upstream in 1.5.11
Whiteboard: (none) => MGA8TOO

Comment 1 Bruno Cornec 2022-04-13 00:51:10 CEST

cauldron version updated and pushed.

Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 2 Bruno Cornec 2022-04-13 00:54:46 CEST

mga8 update pushed docker-containerd-1.5.11-1.mga8.src.rpm

Assignee: bruno => qa-bugs

David Walser 2022-04-13 01:05:46 CEST

Version: Cauldron => 8
Status comment: Fixed upstream in 1.5.11 => (none)
Whiteboard: MGA8TOO => (none)

Comment 3 Len Lawrence 2022-04-13 13:57:04 CEST

mga8, x64

Started docker service.
$ rpm -q docker-containerd
docker-containerd-1.5.10-1.mga8

Ran preliminary check to make sure docker was running properly.
Updated docker-containerd and restarted the docker daemon.
$ rpm -q docker-containerd
docker-containerd-1.5.11-1.mga8
$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
......

$ docker ps -a
CONTAINER ID   IMAGE           COMMAND    CREATED          STATUS                      PORTS     NAMES
f0c7a75f7e52   hello-world     "/hello"   57 seconds ago   Exited (0) 56 seconds ago             sharp_chatelet
....
$ docker run -it ubuntu bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
e0b25ef51634: Pull complete 
Digest: sha256:9101220a875cee98b016668342c489ff0674f247f6ca20dfc91b91c0f28581ae
Status: Downloaded newer image for ubuntu:latest
root@7d3d6fac4655:/# exit
exit
$ docker pull fedora:latest
latest: Pulling from library/fedora
Digest: sha256:f1e3a29da8990568c1da6a460cf9658ee7e9b409aa39c2aded67f7ac1dfe7e8a
Status: Image is up to date for fedora:latest
docker.io/library/fedora:latest
docker run -ti fedora:latest /bin/bash
[root@61ad03b3bfc3 /]#dnf install ruby ruby-devel 
[...]
Installing:
 ruby                    x86_64      3.0.2-151.fc35          fedora        41 k
 ruby-devel              x86_64      3.0.2-151.fc35          fedora       267 k
Installing dependencies:
 libpkgconf              x86_64      1.8.0-1.fc35            fedora        36 k
 pkgconf                 x86_64      1.8.0-1.fc35            fedora        41 k
[...]
  rubygems-3.2.22-151.fc35.noarch                                               
  rubypick-1.1.1-15.fc35.noarch                                                 
Complete!
[root@61ad03b3bfc3 /]#exit
$ docker run -it -h cowsay debian bash
root@cowsay:/# apt-get update
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Get:2 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [39.4 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [125 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8182 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [2596 B]
Fetched 8509 kB in 2s (4963 kB/s)                         
Reading package lists... Done
root@cowsay:/# apt-get install -y cowsay fortune
Reading package lists... Done
[...]
Setting up perl (5.32.1-4+deb11u2) ...
Setting up cowsay (3.03+dfsg2-8) ...
Processing triggers for libc-bin (2.31-13+deb11u2) ...
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 _________________________________________
/ FORTUNE PROVIDES QUESTIONS FOR THE      \
| GREAT ANSWERS: #19 A: To be or not to   |
\ be. Q: What is the square root of 4b^2? /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 _________________________________________
/ Q: What's the difference between a dead \
| dog in the road and a dead              |
| lawyer in the road? A: There are skid   |
\ marks in front of the dog.              /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@cowsay:/# exit

That should do.  docker works fine with the updated containerd.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25

Comment 4 Thomas Andrews 2022-04-14 14:31:27 CEST

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-04-15 22:32:26 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-04-15 23:36:47 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0144.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED