Bug 29268 - docker-containerd new security issues CVE-2021-32760 and CVE-2021-41103
Summary: docker-containerd new security issues CVE-2021-32760 and CVE-2021-41103
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-07-19 23:34 CEST by David Walser
Modified: 2021-10-23 12:06 CEST

See Also:
Source RPM: docker-containerd-1.4.4-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-07-19 23:34:11 CEST
Upstream has issued an advisory today (July 19):
https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w

The issue is fixed upstream in 1.4.8.

Mageia 8 is also affected.
David Walser 2021-07-19 23:34:30 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.4.8

Comment 1 David Walser 2021-07-20 14:54:54 CEST
Ubuntu has issued an advisory for this today (July 20):
https://ubuntu.com/security/notices/USN-5012-1
Comment 2 David Walser 2021-07-21 16:47:59 CEST
openSUSE has issued an advisory for this today (July 21):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KOVJMTDKAFMTONFNVO7Z327OFE52V7FK/
Comment 3 Lewis Smith 2021-07-21 20:23:07 CEST
Another one for Bruno, the registered & active maintainer of this.

Assignee: bugsquad => bruno

Comment 4 Nicolas Lécureuil 2021-07-31 17:19:40 CEST
updated in mga9

CC: (none) => mageia
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 5 David Walser 2021-07-31 17:21:21 CEST
Not yet.

Version: 8 => Cauldron
Whiteboard: (none) => MGA8TOO

Comment 6 Bruno Cornec 2021-08-26 00:49:17 CEST
version 1.5.5 pushed to cauldron

Status: NEW => ASSIGNED

Comment 7 David Walser 2021-08-26 18:57:03 CEST
Fedora has issued an advisory for this on August 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/
Bruno Cornec 2021-08-29 21:34:58 CEST

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 8 David Walser 2021-10-04 21:36:42 CEST
Upstream has issued an advisory today (October 4):
https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq

The issue is fixed upstream in 1.4.11 and 1.5.7.

Version: 8 => Cauldron
Status comment: Fixed upstream in 1.4.8 => Fixed upstream in 1.4.11 and 1.5.7
Whiteboard: (none) => MGA8TOO
Summary: docker-containerd new security issue CVE-2021-32760 => docker-containerd new security issues CVE-2021-32760 and CVE-2021-41103

Comment 9 David Walser 2021-10-04 21:52:23 CEST
(In reply to David Walser from comment #8)
> Upstream has issued an advisory today (October 4):
> https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq
> 
> The issue is fixed upstream in 1.4.11 and 1.5.7.

Ubuntu has issued an advisory for this today (October 4):
https://ubuntu.com/security/notices/USN-5100-1
Comment 10 Bruno Cornec 2021-10-12 01:54:58 CEST
1.5.7 pushed to cauldron
David Walser 2021-10-12 02:05:14 CEST

Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 1.4.11 and 1.5.7 => Fixed upstream in 1.4.11
Version: Cauldron => 8

Comment 11 David Walser 2021-10-12 23:27:58 CEST
SUSE has issued an advisory for this today (October 12):
https://lists.suse.com/pipermail/sle-security-updates/2021-October/009566.html
Comment 12 Bruno Cornec 2021-10-16 02:15:10 CEST
1.5.7 also pushed to mga8 updates_testing as 1.4.11 doesn't build easily out of the box for obscure reasons for me.

Assignee: bruno => qa-bugs

Comment 13 Len Lawrence 2021-10-16 19:03:45 CEST
mga8, x64

User in docker group.
$ urpmq --requires docker | uniq
docker: docker-containerd[>= 1.1.0]
$ rpm -q docker-containerd
docker-containerd-1.4.4-1.mga8
Before update docker was working with docker-containerd.

CVE-2021-32760: Fixed a bug which allows untrusted container images to
     change permissions in the host's filesystem. 
Did not pursue this.

qarepo and mirrorservice
Installed docker-containerd-1.5.7-1.mga8
Restarted the docker service.

$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
$ docker run -it ubuntu bash
root@7a590701f872:/# help
<This presented a list of the commands available and accepted arguments>
root@7a590701f872:/# ls
bin   dev  home  lib32  libx32  mnt  proc  run   srv  tmp  var
boot  etc  lib   lib64  media   opt  root  sbin  sys  usr
root@7a590701f872:/# exit

$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS                          PORTS     NAMES
7a590701f872   ubuntu          "bash"        4 minutes ago    Exited (0) About a minute ago             beautiful_jepsen
4a976d45fb97   hello-world     "/hello"      5 minutes ago    Exited (0) 5 minutes ago                  stupefied_blackburn
..........
7c0d05d8ec03   ubuntu          "/bin/bash"   7 weeks ago      Exited (0) 7 weeks ago                    stupefied_dhawan
b9fbe95cd3a6   hello-world     "/hello"      7 weeks ago      Exited (0) 7 weeks ago                    strange_borg

$ docker rm 7c0d05d8ec03
7c0d05d8ec03
$ docker ps -a
.............
967c69acb1d2   fedora:latest   "/bin/bash"   7 weeks ago      Exited (0) 7 weeks ago                great_galois
b9fbe95cd3a6   hello-world     "/hello"      7 weeks ago      Exited (0) 7 weeks ago                strange_borg

$ docker run -it fedora:latest bash
[root@c91b7bc8d5b2 /]# exit

Working OK for padawans.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => tarazed25
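
Comment 13 confirms that the updated package still runs containers; it does not compare the package version with the fixed releases named in this bug. As an added example (not part of the bug thread or of Mageia's tooling), the script below does that comparison for a docker-containerd package string. The function names are hypothetical, and a branch for which this bug quotes no fixed release is reported as unknown.

```shell
#!/bin/sh
# Added example: thresholds below are only the fixed versions quoted in this bug.

# pkg_version NVR: upstream version from an `rpm -q` style string.
pkg_version() {
    printf '%s\n' "$1" | sed -n 's/^docker-containerd-\([0-9][0-9.]*\)-.*$/\1/p'
}

# version_ge A B: true when three-field dotted version A >= B, compared
# numerically per field (a string compare would rank 1.4.8 above 1.4.11).
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # split both versions into six fields
    IFS=$old_ifs
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; return; }
    [ "$3" -ge "$6" ]
}

# fixed_in CVE BRANCH: fixed version recorded in this bug, empty if none.
fixed_in() {
    case "$1:$2" in
        CVE-2021-32760:1.4) echo 1.4.8 ;;    # bug description
        CVE-2021-41103:1.4) echo 1.4.11 ;;   # comment 8
        CVE-2021-41103:1.5) echo 1.5.7 ;;    # comment 8
    esac
}

# cve_status CVE VERSION: prints fixed, vulnerable or unknown.
cve_status() {
    min=$(fixed_in "$1" "${2%.*}")
    if [ -z "$min" ]; then
        echo unknown        # no fixed version for this branch in the bug
    elif version_ge "$2" "$min"; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Package strings taken from comment 13 (before and after the update).
for nvr in docker-containerd-1.4.4-1.mga8 docker-containerd-1.5.7-1.mga8; do
    v=$(pkg_version "$nvr")
    for cve in CVE-2021-32760 CVE-2021-41103; do
        echo "$nvr $cve $(cve_status "$cve" "$v")"
    done
done
```

On a host, pass the output of `rpm -q docker-containerd` to `pkg_version` instead of the embedded strings.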

Comment 14 David Walser 2021-10-16 19:42:04 CEST
docker-containerd-1.5.7-1.mga8

from docker-containerd-1.5.7-1.mga8.src.rpm

Status comment: Fixed upstream in 1.4.11 => (none)
CC: (none) => bruno

Comment 15 David Walser 2021-10-19 16:06:30 CEST
Fedora has issued an advisory for the newer issue today (October 19):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M7ZZTABKTSJ5DYVDIQ7CVZG5HABGM2EC/
Comment 16 Thomas Andrews 2021-10-21 03:33:41 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2021-10-23 03:29:44 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 17 Mageia Robot 2021-10-23 12:06:48 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0484.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
