Bug 30525 - docker-containerd new security issue CVE-2022-31030
Summary: docker-containerd new security issue CVE-2022-31030
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-06-08 18:21 CEST by David Walser
Modified: 2022-06-13 22:45 CEST

See Also:
Source RPM: docker-containerd-1.5.11-1.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2022-06-08 18:21:27 CEST
Upstream has issued an advisory on June 6:
https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf

The issue is fixed upstream in 1.5.13:
https://github.com/containerd/containerd/releases/tag/v1.5.13

Mageia 8 is also affected.
David Walser 2022-06-08 18:21:45 CEST

Status comment: (none) => Fixed upstream in 1.5.13
Whiteboard: (none) => MGA8TOO

Comment 1 Bruno Cornec 2022-06-13 12:06:29 CEST
1.5.13 pushed to both cauldron and mga8

Status: NEW => ASSIGNED
Version: Cauldron => 8
Assignee: bruno => qa-bugs
Whiteboard: MGA8TOO => (none)

Comment 2 Len Lawrence 2022-06-13 16:43:28 CEST
Mageia8, x86_64
Updated to docker-containerd-1.5.13-1

Followed earlier procedures for testing, e.g. bug 29669.
Started docker daemon.

$ docker run hello-world
showed that the docker installation was working.

$ docker run -it ubuntu
[...]
Status: Downloaded newer image for ubuntu:latest
root@05151f1fe973:/# ls /proc/sys
abi  debug  dev  fs  fscache  kernel  net  sunrpc  user  vm
root@05151f1fe973:/# exit

$ docker ps -a
CONTAINER ID   IMAGE         COMMAND    CREATED          STATUS                      PORTS     NAMES
05151f1fe973   ubuntu        "bash"     27 minutes ago   Exited (0) 23 minutes ago             dreamy_carver
12e0bad3735e   hello-world   "/hello"   29 minutes ago   Exited (0) 29 minutes ago             trusting_gauss

$ docker run -it fedora:latest bash
Unable to find image 'fedora:latest' locally
latest: Pulling from library/fedora
e1deda52ffad: Pull complete 
Digest: sha256:cbf627299e327f564233aac6b97030f9023ca41d3453c497be2f5e8f7762d185
Status: Downloaded newer image for fedora:latest
[root@2755dd556e0f /]# dnf install rust
Fedora 36 - x86_64                              7.6 MB/s |  81 MB     00:10    
Fedora 36 openh264 (From Cisco) - x86_64        604  B/s | 2.5 kB     00:04    
Fedora Modular 36 - x86_64                      2.1 MB/s | 2.4 MB     00:01    
Fedora 36 - x86_64 - Updates                    4.5 MB/s |  17 MB     00:03    
Fedora Modular 36 - x86_64 - Updates            1.9 MB/s | 2.2 MB     00:01    
Dependencies resolved.
[...]
  rust-1.61.0-2.fc36.x86_64                                                     
  rust-std-static-1.61.0-2.fc36.x86_64                                          

Complete!
[root@2755dd556e0f /]# rpm -qa | grep rust
p11-kit-trust-0.24.1-2.fc36.x86_64
rust-std-static-1.61.0-2.fc36.x86_64
rust-1.61.0-2.fc36.x86_64
[root@2755dd556e0f /]# exit
exit

CC: (none) => tarazed25

Len Lawrence 2022-06-13 16:43:52 CEST

Whiteboard: (none) => MGA8-64-OK

Comment 3 David Walser 2022-06-13 16:48:52 CEST
docker-containerd-1.5.13-1.mga8

from docker-containerd-1.5.13-1.mga8.src.rpm

Status comment: Fixed upstream in 1.5.13 => (none)
CC: (none) => bruno

Comment 4 Thomas Andrews 2022-06-13 19:31:56 CEST
Validating

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-06-13 21:25:44 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-06-13 22:45:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0227.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

