Bug 28478 - containernetworking-plugins new security issue CVE-2021-20206
Summary: containernetworking-plugins new security issue CVE-2021-20206
Status: REOPENED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2021-02-27 20:28 CET by David Walser
Modified: 2021-03-31 02:56 CEST (History)
3 users

See Also:
Source RPM: containernetworking-plugins-0.8.5-1.mga8.src.rpm
CVE: CVE-2021-20206
Status comment:


Attachments

David Walser 2021-02-27 20:29:51 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.9.1

Comment 1 Aurelien Oudelet 2021-02-28 20:57:33 CET
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => joequant
CC: (none) => ouaurelien
CVE: (none) => CVE-2021-20206

Comment 2 Nicolas Lécureuil 2021-03-05 18:23:01 CET
In the bug report it is said that the fixed version is 0.8.1:

https://bugzilla.redhat.com/show_bug.cgi?id=1919391

"Fixed In Version: containernetworking/cni 0.8.1"

Closing as fixed.

Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => mageia

Comment 3 David Walser 2021-03-05 18:45:19 CET
containernetworking/cni is apparently some embedded golang module, but it has different versioning than the package itself.  The package needed to be updated to 0.9.1 to include it.  I think all of the packages actually need to be updated.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 4 Nicolas Lécureuil 2021-03-09 10:33:41 CET
New version pushed in cauldron.

Fixed version pushed in mga8:

src:
    - containernetworking-plugins-0.9.1-1.mga8

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Assignee: joequant => qa-bugs

Comment 5 Nicolas Lécureuil 2021-03-09 10:37:32 CET
Fails to build, I think a missing BR as it built locally.
I'll take a look.

Comment 6 David Walser 2021-03-09 16:27:43 CET
Are you certain that the other packages don't also contain the containernetworking/cni library?
David Walser 2021-03-09 16:28:06 CET

Assignee: qa-bugs => mageia

Comment 7 Nicolas Lécureuil 2021-03-12 22:09:17 CET
I think I looked everywhere and found nothing. Let's give this to QA :-)

Source RPM: containernetworking-plugins-0.8.5-1.mga8.src.rpm => -0.8.5-1.mga8.src.rpm
Assignee: mageia => qa-bugs

Comment 8 David Walser 2021-03-14 15:55:45 CET
Advisory:
========================

Updated containernetworking-plugins package fixes security vulnerability:

An improper limitation of path name flaw was found in containernetworking/cni.
When specifying the plugin to load in the `type` field in the network
configuration, it is possible to use special elements such as "../" separators
to reference binaries elsewhere on the system. This flaw allows an attacker to
execute other existing binaries other than the cni plugins/types, such as
reboot. The highest threat from this vulnerability is to confidentiality,
integrity, as well as system availability (CVE-2021-20206).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20206
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O2K6F4S5TE5ZEI2ZEJGC4XEC5QW7JORX/

Status comment: Fixed upstream in 0.9.1 => (none)
Source RPM: -0.8.5-1.mga8.src.rpm => containernetworking-plugins-0.8.5-1.mga8.src.rpm
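As an added illustration of the path-name check the advisory calls for (my own Go code, not the upstream project's fix; the bin directory /opt/cni/bin and the sample configs are constructed), a validator that rejects a `type` value containing separators or dot elements before resolving it against a single plugin directory:

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// netConf keeps only the CNI network-config field that matters here;
// json.Unmarshal ignores the other keys a real config carries.
type netConf struct {
	Type string `json:"type"`
}

// validPluginType accepts a bare executable name only: no path separators,
// no "." or ".." elements, not empty. Illustrative check, not upstream code.
func validPluginType(t string) bool {
	if t == "" || t == "." || t == ".." {
		return false
	}
	if strings.ContainsAny(t, "/\\") {
		return false
	}
	return filepath.Base(t) == t
}

// resolvePlugin joins the type onto a single bin directory and re-checks
// that the cleaned result is a direct child of that directory.
func resolvePlugin(binDir, pluginType string) (string, error) {
	if !validPluginType(pluginType) {
		return "", fmt.Errorf("invalid CNI plugin type %q", pluginType)
	}
	full := filepath.Join(binDir, pluginType)
	if filepath.Dir(full) != filepath.Clean(binDir) {
		return "", fmt.Errorf("plugin type %q escapes %s", pluginType, binDir)
	}
	return full, nil
}

// pluginPathFromConf parses a network config and resolves its plugin path.
func pluginPathFromConf(binDir string, raw []byte) (string, error) {
	var c netConf
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	return resolvePlugin(binDir, c.Type)
}
```

With `type` set to "../../../sbin/reboot", the scenario the advisory describes, resolvePlugin returns an error instead of a path outside /opt/cni/bin.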

Comment 9 Thomas Andrews 2021-03-31 02:56:07 CEST
Something is wrong here, but I'm not sure what.

This package is about 16 levels above my pay grade, so I was going to settle for a clean install over the older packages. Lacking a specific package list, I used the one from http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/28478/application/0. That was this:

containernetworking-plugins-0.9.1-1.mga8.x86_64.rpm
containernetworking-plugins-devel-0.9.1-1.mga8.noarch.rpm
containernetworking-plugins-unit-test-devel-0.9.1-1.mga8.x86_64.rpm

Using MCC, I installed the plugins, but I couldn't find either of the devel packages listed. OK, they're new, or something. It's happened before. So, I used the above list in qarepo, and it downloaded those three rpms.

The plugins rpm updated OK, but when I went to use drakrpm to install the two devel packages (now listed), after OKing a long list of dependencies for the tests rpm, I got this:

Sorry, the following package cannot be selected:

- containernetworking-plugins-unit-test-devel-0.9.1-1.mga8.x86_64 (due to unsatisfied golang(github.com/d2g/dhcp4))

And when I tried to select the other devel rpm, I got this:

Sorry, the following package cannot be selected:

- containernetworking-plugins-devel-0.9.1-1.mga8.noarch (due to unsatisfied golang(github.com/vishvananda/netlink))

So, I haven't a clue about where to go from here.

CC: (none) => andrewsfarm
Keywords: (none) => feedback

