Bug 30526 - cri-o new security issue CVE-2022-1708
Summary: cri-o new security issue CVE-2022-1708
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-06-08 18:23 CEST by David Walser
Modified: 2023-07-27 00:09 CEST

See Also:
Source RPM: cri-o-1.17.3-2.mga9.src.rpm
CVE:
Status comment:
Description David Walser 2022-06-08 18:23:23 CEST
Upstream has issued an advisory on June 6:
https://github.com/cri-o/cri-o/security/advisories/GHSA-fcm2-6c3h-pg6j

The issue is fixed upstream in 1.24.1, 1.23.3, and 1.22.5.

Mageia 8 is also affected.
David Walser 2022-06-08 18:23:41 CEST

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 1.22.5, 1.23.3, and 1.24.1

Comment 1 Lewis Smith 2022-06-13 21:26:11 CEST
Joseph is the registered and last maintainer of this, which has been quiet since "update to 1.17.3" over 2y ago.

Assignee: bugsquad => joequant

Comment 2 David Walser 2022-10-19 16:42:32 CEST
SUSE has issued an advisory for this on October 18:
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012564.html

Apparently 1.19.7 fixes the issue as well.
Comment 3 David Walser 2022-11-08 23:38:30 CET
RedHat has issued an advisory for this today (November 8):
https://access.redhat.com/errata/RHSA-2022:7469
Comment 4 David GEIGER 2023-07-01 19:23:11 CEST
cri-o was updated to 1.25.1 in cauldron!

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => geiger.david68210

Comment 5 Joseph Wang 2023-07-02 07:07:06 CEST
working on it

CC: (none) => joequant

Comment 6 Joseph Wang 2023-07-02 09:00:56 CEST
QA

Please test

cri-o-1.25.1-1.mga8
Joseph Wang 2023-07-02 09:01:32 CEST

CC: (none) => qa-bugs

David Walser 2023-07-02 22:30:00 CEST

CC: qa-bugs => (none)
Status comment: Fixed upstream in 1.22.5, 1.23.3, and 1.24.1 => (none)
Assignee: joequant => qa-bugs

Comment 7 Herman Viaene 2023-07-09 15:04:17 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No wiki, no previous updates, and containers are an untrodden area for me, so playing with some commands
$ crio-status -h
NAME:
   crio-status - A tool for CRI-O status retrieval

USAGE:
   crio-status [global options] command [command options] [arguments...]

VERSION:
   1.25.1

DESCRIPTION:
   A tool for CRI-O status retrieval

AUTHOR:
   The CRI-O Maintainers

COMMANDS:
   complete, completion          Generate bash, fish or zsh completions.
   man                           Generate the man page documentation.
   markdown, md                  Generate the markdown documentation.
   config, c                     Show the configuration of CRI-O as TOML string.
   containers, container, cs, s  Display detailed information about the provided container ID.
   info, i                       Retrieve generic information about CRI-O, like the cgroup and storage driver.
   help, h                       Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --help, -h                show help (default: false)
   --socket value, -s value  absolute path to the unix socket (default: "/var/run/crio/crio.sock")
   --version, -v             print the version (default: false)



$ crio -h
NAME:
   crio - OCI-based implementation of Kubernetes Container Runtime Interface

USAGE:
   OCI-based implementation of Kubernetes Container Runtime Interface Daemon
   
   crio is meant to provide an integration path between OCI conformant runtimes
   and the kubelet. Specifically, it implements the Kubelet Container Runtime
   Interface (CRI) using OCI conformant runtimes. The scope of crio is tied to the
   scope of the CRI.
   
   1. Support multiple image formats including the existing Docker and OCI image formats.
   2. Support for multiple means to download images including trust & image verification.
   3. Container image management (managing image layers, overlay filesystems, etc).
   4. Container process lifecycle management.
   5. Monitoring and logging required to satisfy the CRI.
   6. Resource isolation as required by the CRI.

VERSION:
   1.25.1
Version:        1.25.1
GitCommit:      unknown
GitCommitDate:  unknown
GitTreeState:   clean
GoVersion:      go1.19.10
Compiler:       gc
Platform:       linux/amd64
Linkmode:       dynamic
BuildTags:      
  rpm_crashtraceback
and a lot more ....

Found https://github.com/cri-o/cri-o/blob/main/tutorials/crictl.md
requires crictl, but
# urpmf crictl
cri-o:/etc/crictl.yaml
    $MIRRORLIST: media/core/release/media_info/20210224-165404-files.xml.lzma
cri-o:/etc/crictl.yaml
    $MIRRORLIST: media/core/updates/media_info/20230707-051628-files.xml.lzma
    $MIRRORLIST: media/nonfree/release/media_info/20210224-171907-files.xml.lzma
    $MIRRORLIST: media/nonfree/updates/media_info/20230608-193145-files.xml.lzma
    $MIRRORLIST: media/tainted/release/media_info/20210224-172114-files.xml.lzma
    $MIRRORLIST: media/tainted/updates/media_info/20230521-083722-files.xml.lzma

Leaving for others with more knowledge on the subject, but the installation does not seem to do any harm to the system.

CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2023-07-16 20:27:22 CEST
From https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/cri-o_runtime/use-crio-engine

" There is little need for direct command-line contact with CRI-O. However, to provide full access to CRI-O for testing and monitoring, and to provide features you expect with Docker that CRI-O does not offer, a set of container-related command-line tools are available. These tools replace and extend what is available with the docker command and service. Tools include:

    crictl - For troubleshooting and working directly with CRI-O container engines
    runc - For running container images
    podman - For managing pods and container images (run, stop, start, ps, attach, exec, etc.) outside of the container engine
    buildah - For building, pushing and signing container images
    skopeo - For copying, inspecting, deleting, and signing images"

We do not seem to provide crictl, but at least some version of each of the others is available.

Unfortunately, I am at a complete loss where it comes to setting cri-o up, and using the tools with it. If someone else with more skills than I have doesn't look to test this in a couple of days, I will OK and validate on the basis of Herman's clean install.

CC: (none) => andrewsfarm

Comment 9 Thomas Andrews 2023-07-19 04:07:31 CEST
Validating.

Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2023-07-24 20:21:02 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 Mageia Robot 2023-07-27 00:09:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0240.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED