SUSE has issued an advisory today (December 12): https://lists.suse.com/pipermail/sle-security-updates/2022-December/013215.html The issue is fixed upstream in 1.5.16: https://github.com/containerd/containerd/security/advisories/GHSA-2qjp-425j-52j9 The second issue in SUSE's advisory needs to be fixed in golang-x-crypto (Bug 30323). Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 1.5.16
Status: NEW => ASSIGNED
Depends on: (none) => 30323
Ubuntu has issued an advisory for this today (December 13): https://ubuntu.com/security/notices/USN-5776-1 It also fixed CVE-2022-24778, which was fixed upstream in 1.6.3, but doesn't appear to have been addressed in the 1.5.x branch (but Ubuntu's update is for 1.5.x, so we can probably pull a patch from them).
1.6.14 uploaded to cauldron
Or not: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20221222013023.bcornec.duvel.1518213/log/docker-containerd-1.6.14-3.mga9/build.i586.0.20221222013103.log
Indeed :-( I hate the go build process. I spent tens of hours testing various ways to make it build; it was working locally, and then on the BS it's not, and I'm back to my table to find the right approach again. Not even sure I'm learning something. Ok, pushed again, will see.
Finally 1.6.14 uploaded to cauldron.
Contains the fix for CVE-2022-23471 as per https://github.com/containerd/containerd/commit/a05d175400b1145e5e6a735a6710579d181e7fb0
Status comment: Fixed upstream in 1.5.16 => (none)
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Mageia 8 still to come.
Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Version: Cauldron => 8
Fedora has issued an advisory for this on December 26: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J2URKEEXLEABIVVVLSCXEXL6GIXX3GYN/
Pushed now; it works correctly for both mga8 and cauldron. For mga8 it will need a new golang dep, golang-github-mrunalp-fileutils, also pushed to updates_testing.
Assignee: bruno => qa-bugs
Status: REOPENED => ASSIGNED
CC: (none) => bruno
Bruno, we also need to fix Bug 30323 (and this will probably need to be rebuilt for that). Currently:
golang-github-mrunalp-fileutils-devel-0.5.0-1.mga8
golang-github-mrunalp-fileutils-0.5.0-1.mga8
docker-containerd-1.6.14-1.mga8
from SRPMS:
golang-github-mrunalp-fileutils-0.5.0-1.mga8.src.rpm
docker-containerd-1.6.14-1.mga8.src.rpm
So is this actually ready for QA? There seem to be two or three interlocking issues.
CC: (none) => tarazed25
Assuming yes, ready for testing: mga8, x64

This is a relatively new machine, so starting from scratch. Installed docker. Started the dockerd service and then
$ docker run hello-world
This failed trying to connect to the docker socket - permissions problem. Added user to docker group and tried again.
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
....
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
601d50ec1c89 hello-world "/hello" 2 minutes ago Exited (0) 2 minutes ago beautiful_lederberg

Installation working then.

$ docker run -it fedora:latest bash
Unable to find image 'fedora:latest' locally
latest: Pulling from library/fedora
cd974119263e: Pull complete
Digest: sha256:3487c98481d1bba7e769cf7bcecd6343c2d383fdd6bed34ec541b6b23ef07664
Status: Downloaded newer image for fedora:latest
[root@b125895cbc08 /]# exit
$ docker run -it fedora:latest bash
[root@8c49f31ddb8e /]# dnf install rust
Fedora 37 - x86_64 7.3 MB/s | 64 MB 00:08
Fedora 37 openh264 (From Cisco) - x86_64 4.0 kB/s | 2.5 kB 00:00
......
Installing weak dependencies:
rust-analysis x86_64 1.65.0-1.fc37 updates 3.3 M
rust-src noarch 1.65.0-1.fc37 updates 2.6 M
Transaction Summary
================================================================================
Install 24 Packages
Upgrade 1 Package
Total download size: 148 M
Is this ok [y/N]: y
....
pkgconf-pkg-config-1.8.0-3.fc37.x86_64
rust-1.65.0-1.fc37.x86_64
rust-analysis-1.65.0-1.fc37.x86_64
rust-src-1.65.0-1.fc37.noarch
rust-std-static-1.65.0-1.fc37.x86_64
Complete!
[root@8c49f31ddb8e /]# rpm -qa | grep rust
p11-kit-trust-0.24.1-3.fc37.x86_64
rust-src-1.65.0-1.fc37.noarch
rust-analysis-1.65.0-1.fc37.x86_64
rust-std-static-1.65.0-1.fc37.x86_64
rust-1.65.0-1.fc37.x86_64
[root@8c49f31ddb8e /]# exit

Failed to install the golang-github-mrunalp-fileutils rpms.
"No package named golang-github-mrunalp-fileutils"

After downloading the three packages qarepo showed
docker-containerd-1.6.14-1.mga8.x86_64.rpm
golang-github-mrunalp-fileutils-0.5.0-1.mga8.x86_64.rpm
golang-github-mrunalp-fileutils-devel-0.5.0-1.mga8.noarch.rpm

Ran MageiaUpdate.
$ rpm -qa | grep containerd
docker-containerd-1.6.14-1.mga8
$ rpm -qa | grep github
# urpmi golang-github-mrunalp-fileutils-0.5.0-1.mga8.x86_64.rpm
installing golang-github-mrunalp-fileutils-0.5.0-1.mga8.x86_64.rpm
# urpmi golang-github-mrunalp-fileutils-devel-0.5.0-1.mga8.noarch.rpm
A requested package cannot be installed:
golang-github-mrunalp-fileutils-devel-0.5.0-1.mga8.noarch (due to unsatisfied golang(syscall))
Continue installation anyway? (Y/n)
(In reply to Len Lawrence from comment #11)
> So is this actually ready for QA? There seem to be two or three
> interlocking issues.
For me the version I pushed is better than what we currently have, even if not perfect. I still need to understand whether the embedded version is affected or not by the bug mentioned by David.
(In reply to David Walser from comment #10)
> Bruno, we also need to fix Bug 30323 (and this will probably need to be
> rebuilt for that).
For me, CVE-2021-43565 is not a problem as it's related to golang.org/x/crypto/ssh which is not delivered (as per https://groups.google.com/g/golang-announce/c/2AR1sKiM-Qs?pli=1). The patch doesn't use files provided in our version: https://github.com/golang/crypto/commit/5770296d904e90f15f38f77dfc2e43fdf5efc083
Same story for me with the other CVE-2022-27191: https://groups.google.com/g/golang-announce/c/-cp44ypCT5s only talks about the ssh part which isn't delivered in our case.
So for me we're good to go with the version pushed.
Updated the first two packages OK but trying this results in the same error as before:
$ sudo urpmi golang-github-mrunalp-fileutils-devel
A requested package cannot be installed:
golang-github-mrunalp-fileutils-devel-0.5.0-1.mga8.noarch (due to unsatisfied golang(syscall))
Continue installation anyway? (Y/n)
While some packages may have been installed, there were failures.
A requested package cannot be installed:
golang-github-mrunalp-fileutils-devel-0.5.0-1.mga8.noarch (due to unsatisfied golang(syscall))
Hmmm, I made a mistake above. You need that golang package only to *rebuild* docker-containerd, not to install it! So Ken, if you just do urpmi docker-containerd, you should be fine.
Bruno, it will still need to be fixed to push this update. If it was needed to build it, it must be pushed with it.
@David: it has already been pushed to mga8 updates_testing. But I was replying to Len, who was trying to install it to test the package, which is useless. Now I don't know why this install doesn't work for him, whereas I have no issue on my side. I think that if there is indeed an issue with it, we should handle it in a separate bug report, as I don't want that one to prevent this security issue from being handled. Note that the build system had no issue building the package, so it may be linked to Len's setup.
Packages that get pushed to updates can't depend on packages only in updates_testing, even for building. The mrunalp packages need to be installable. Did the containerd only BR the regular mrunalp package and not the devel one? Nothing provides golang(syscall) so that looks like a legit issue.
Still trying to understand where this syscall package comes from. From browsing the web it seems that it is part of golang, so where is it provided?
Been looking at this again using older techniques - that is, without qarepo. Updated Core Updates Testing and tried direct installation after disabling the local repository.
golang-github-mrunalp-fileutils-0.5.0-1.mga8.x86_64 is installed but:
$ sudo urpmi golang-github-mrunalp-fileutils-devel
A requested package cannot be installed:
golang-github-mrunalp-fileutils-devel-0.5.0-1.mga8.noarch (due to unsatisfied golang(syscall))
Continue installation anyway? (Y/n)
So nothing has changed and as far as I can tell the setup is normal as far as QA testing is concerned.
It is time something was done to move this along. It might be better to move the build dependency problem to another bug because it is not strictly relevant to testing the container technology.
$ sudo systemctl start docker
$ sudo systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor prese>
Active: active (running) since Thu 2023-03-09 14:46:40 GMT; 34s ago
.....
$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
....
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
5144a4d3f26b hello-world "/hello" About a minute ago Exited (0) About a minute ago sleepy_austin
.....
$ docker run -it fedora:latest bash
[root@b75394deeccb /]# dnf install ruby
Fedora 36 - x86_64 7.3 MB/s | 81 MB 00:11
Fedora 36 openh264 (From Cisco) - x86_64 2.7 kB/s | 2.5 kB 00:00
Fedora Modular 36 - x86_64 2.8 MB/s | 2.4 MB 00:00
[...]
rubygem-rdoc-6.4.0-173.fc36.noarch
rubygems-3.3.26-173.fc36.noarch
rubypick-1.1.1-16.fc36.noarch
Complete!
[root@b75394deeccb /]# rpm -qa | grep ruby
ruby-libs-3.1.3-173.fc36.x86_64
ruby-3.1.3-173.fc36.x86_64
rubypick-1.1.1-16.fc36.noarch
[...]
[root@b75394deeccb /]# exit
exit
$ docker rm 4ebecf2ff72f
4ebecf2ff72f
$ docker rm aec94bab05a9 2755dd556e0f
aec94bab05a9
2755dd556e0f

Giving this an OK based on those quick tests.
Whiteboard: (none) => MGA8-64-OK
For the record, after checking bug 30323, golang components installed include golang-x-crypto-devel-0-0.31.mga8 (not the latest) and no golang-x-term-devel.
Still need a response from Bruno to Comment 19. We can't ship broken packages.
Keywords: (none) => feedback
Fedora has issued an advisory on March 11: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7KYYYEETR5DEGOQBCMLUC4OEN4O3JGKF/ Two new issues are fixed upstream in 1.5.18 and 1.6.18 (they pushed 1.6.19): https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2 https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p Mageia 8 is also affected. golang-github-mrunalp-fileutils-devel, which was needed to build this update, also needs to be fixed.
Version: 8 => Cauldron
Whiteboard: MGA8-64-OK => MGA8TOO
Assignee: qa-bugs => bruno
Summary: docker-containerd new security issue CVE-2022-23471 => docker-containerd new security issues CVE-2022-23471, CVE-2023-25153, and CVE-2023-25173
Keywords: feedback => (none)
Source RPM: docker-containerd-1.5.13-1.mga9.src.rpm => docker-containerd-1.6.14-4.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.5.18 and 1.6.18
Ubuntu has issued an advisory for this today (July 5): https://ubuntu.com/security/notices/USN-6202-1
(In reply to David Walser from comment #24)
> Still need a response from Bruno to Comment 19. We can't ship broken
> packages.
Hello David, I think I can't really help here :-( docker-containerd *is* installable since I uploaded it and Len tested it. The issue with the devel golang package has nothing to do with this one, as it is not needed at install time. I reproduced Len's issue, so indeed it can't be installed. BUT, there is no need for that package to build docker-containerd!! What we need is:
BuildRequires: golang-github-mrunalp-fileutils
And that package is working. So I suggest that we go ahead, as soon as I have uploaded the latest version again to fix all security issues. It will be 1.6.21 for mga8 and 1.7.2 for cauldron (if they let it in).
Bruno, When you built the updated docker-containerd, it required you to import a new SRPM into Mageia 8 updates, golang-github-mrunalp-fileutils. That SRPM provides two RPMS, golang-github-mrunalp-fileutils and golang-github-mrunalp-fileutils-devel. The golang-github-mrunalp-fileutils-devel package is broken and not installable. If golang-github-mrunalp-fileutils was required to be imported and required as part of the build process for docker-containerd, then it has to be shipped as part of this update. We don't just import things that are needed for the build and leave them languishing in updates_testing, meanwhile the new (docker-containerd) SRPM we shipped is no longer buildable on Mageia 8 with the main repos (release and updates) because a BuildRequires package is not available. So, right now this update, in totality, is in a broken state and cannot be shipped that way. If the golang-github-mrunalp-fileutils-devel package is not needed, then modify the golang-github-mrunalp-fileutils SRPM to not provide that subpackage and rebuild it.
Either that or put in a requires_exclude for golang(syscall) on the golang-github-mrunalp-fileutils-devel package.
I finally found a way to avoid the generation of the wrong automatic golang dep by doing this in the spec:
%global __go_requires /bin/true
golang-github-mrunalp-fileutils-0.5.0-2 on its way to mga8.
SRPMS/golang-github-mrunalp-fileutils-0.5.0-2.mga8.src.rpm
RPMS/x86_64/golang-github-mrunalp-fileutils-debugsource-0.5.0-2.mga8.x86_64.rpm
RPMS/noarch/golang-github-mrunalp-fileutils-devel-0.5.0-2.mga8.noarch.rpm
RPMS/x86_64/golang-github-mrunalp-fileutils-0.5.0-2.mga8.x86_64.rpm
RPMS/x86_64/golang-github-mrunalp-fileutils-debuginfo-0.5.0-2.mga8.x86_64.rpm
That should allow, with docker-containerd-1.6.21, closing this issue. Hopefully!
Assignee: bruno => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Depends on: 30323 => (none)
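The unsatisfiable golang(syscall) dependency discussed above (where is it provided, and how to stop emitting it) comes from an automatic Go requires generator turning a standard-library import into an RPM capability. The program below is an added example, not Mageia's rpm Go macros and not code from github.com/mrunalp/fileutils: it parses the import lists of a constructed source tree and emits golang(<path>) only for imports that are neither standard library nor provided by the package itself, which is the filtering a generator needs so that `%global __go_requires /bin/true` (dropping all automatic requires) is not the only way out. The standard-library test is a heuristic chosen for the example (an import path whose first element has no dot); a real generator should consult `go list std` instead.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample standing in for a packaged Go source tree. These are
// not the real fileutils sources; only the import lists matter here.
var SampleSources = map[string]string{
	"fileutils.go": `package fileutils

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"

	"golang.org/x/sys/unix"
)
`,
	"cmd/gocp/main.go": `package main

import (
	"log"
	"os"

	"github.com/mrunalp/fileutils"
)
`,
}

// IsStdlib applies the convention that standard-library import paths have no
// dot in their first element ("syscall", "path/filepath"), while third-party
// paths start with a host ("github.com/..."). Heuristic chosen for this
// example; a real generator should use `go list std`.
func IsStdlib(importPath string) bool {
	first := strings.SplitN(importPath, "/", 2)[0]
	return !strings.Contains(first, ".")
}

// importsOf parses one Go source file (imports only) and returns its import paths.
func importsOf(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	var paths []string
	for _, imp := range f.Imports {
		p, err := strconv.Unquote(imp.Path.Value)
		if err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	return paths, nil
}

// GolangRequires returns the sorted golang(<path>) capabilities an RPM
// auto-requires generator should emit for sources: every import that is
// neither standard library nor in ownProvides (what the package itself
// provides). The second result lists the standard-library imports that were
// dropped, i.e. what an unfiltered generator would turn into unsatisfiable
// requires such as golang(syscall).
func GolangRequires(sources map[string]string, ownProvides []string) ([]string, []string, error) {
	own := map[string]bool{}
	for _, p := range ownProvides {
		own[p] = true
	}
	req := map[string]bool{}
	std := map[string]bool{}
	for name, src := range sources {
		paths, err := importsOf(name, src)
		if err != nil {
			return nil, nil, err
		}
		for _, p := range paths {
			switch {
			case IsStdlib(p):
				std[p] = true
			case own[p]:
				// Satisfied by the package itself: no external requires.
			default:
				req["golang("+p+")"] = true
			}
		}
	}
	return sortedKeys(req), sortedKeys(std), nil
}

func sortedKeys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	reqs, dropped, err := GolangRequires(SampleSources, []string{"github.com/mrunalp/fileutils"})
	if err != nil {
		panic(err)
	}
	fmt.Println("Requires to emit:")
	for _, r := range reqs {
		fmt.Println("  " + r)
	}
	fmt.Println("Standard-library imports filtered out: " + strings.Join(dropped, " "))
}
```

For the constructed tree the only capability emitted is golang(golang.org/x/sys/unix); syscall, os, fmt, log and path/filepath are dropped, and the package's own import path is skipped because the -devel subpackage provides it. The same classification is what a targeted `%__requires_exclude ^golang\(syscall\)$` would achieve for one path, without switching the whole generator off.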
FTR, I'm also pushing golang-github-mrunalp-fileutils 0.5.0-3 for mga9 in order to unfreeze docker-containerd and solve as well that issue for cauldron.
Status comment: Fixed upstream in 1.5.18 and 1.6.18 => (none)
Having another go at this for mga8, 64-bit

The mrunalp packages installed without trouble. Installed docker-containerd-1.6.21 also. Added user to docker group and cycled login.
$ rpm -q docker
docker-20.10.22-1.mga8
Started docker service.
$ docker run hello-world
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
31679f172752 hello-world "/hello" About a minute ago Exited (0) About a minute ago musing_elbakyan
$ docker run -it fedora:latest bash
Unable to find image 'fedora:latest' locally
latest: Pulling from library/fedora
f71a5d924485: Pull complete
Digest: sha256:8c27ac4634ce7a761728e97985ff03fa422ccdc58c5d5d38a282051777915866
Status: Downloaded newer image for fedora:latest
[root@a791ac49e724 /]# dnf install tkimg
Fedora 38 - x86_64 8.4 MB/s | 83 MB 00:09
Fedora 38 openh264 (From Cisco) - x86_64 2.4 kB/s | 2.5 kB 00:01
Fedora Modular 38 - x86_64 2.4 MB/s | 2.8 MB 00:01
Fedora 38 - x86_64 - Updates 6.2 MB/s | 29 MB 00:04
Fedora Modular 38 - x86_64 - Updates 1.7 MB/s | 2.1 MB 00:01
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
tkimg x86_64 1.4.14-3.fc38 fedora 619 k
Installing dependencies:
cairo x86_64 1.17.8-4.fc38 updates 704 k
fontconfig x86_64 2.14.2-1.fc38 fedora 295 k
fonts-filesystem noarch 1:2.0.5-11.fc38 fedora 8.1 k
freetype x86_64 2.13.0-2.fc38 fedora 414 k
google-noto-fonts-common noarch 20230201-1.fc38 fedora 16 k
google-noto-sans-vf-fonts noarch 20230201-1.fc38 fedora 580 k
graphite2 x86_64 1.3.14-11.fc38 fedora 95 k
harfbuzz x86_64 7.1.0-1.fc38 fedora 889 k
langpacks-core-font-en noarch 3.0-32.fc38 updates 9.6 k
libX11 x86_64 1.8.6-1.fc38 updates 649 k
libX11-common noarch 1.8.6-1.fc38 updates 175 k
libXau x86_64 1.0.11-2.fc38 fedora 32 k
libXext x86_64 1.3.5-2.fc38 fedora 39 k
libXft x86_64 2.3.8-2.fc38 updates 72 k
libXrender x86_64 0.9.11-2.fc38 fedora 27 k
libpng x86_64 2:1.6.37-14.fc38 fedora 120 k
libxcb x86_64 1.13.1-11.fc38 fedora 231 k
pixman x86_64 0.42.2-1.fc38 fedora 285 k
tcl x86_64 1:8.6.12-4.fc38 fedora 1.1 M
tk x86_64 1:8.6.12-4.fc38 fedora 1.6 M
xml-common noarch 0.6.3-60.fc38 fedora 31 k
Transaction Summary
================================================================================
Install 22 Packages
Total download size: 7.9 M
Installed size: 22 M
Is this ok [y/N]: y
Downloading Packages:
(1/22): fonts-filesystem-2.0.5-11.fc38.noarch.r 63 kB/s | 8.1 kB 00:00
[...]
Running transaction
Preparing : 1/1
Installing : tcl-1:8.6.12-4.fc38.x86_64 1/22
[...]
tkimg-1.4.14-3.fc38.x86_64
xml-common-0.6.3-60.fc38.noarch
Complete!
[root@a791ac49e724 /]# exit
exit
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a791ac49e724 fedora:latest "bash" 6 minutes ago Exited (0) 29 seconds ago blissful_williamson
31679f172752 hello-world "/hello" 8 minutes ago Exited (0) 8 minutes ago musing_elbakyan
$ docker rm 31679f172752
31679f172752
$

It looks OK but I have no idea how to test mrunalp-fileutils.
For golang-github-mrunalp-fileutils
$ rpm -q -l golang-github-mrunalp-fileutils|grep bin/
/usr/bin/gocp
$ gocp --help
2023/07/25 21:30:15 usage: gocp <src> <dest>
"gocp somefile destfile" works, but trying to copy an empty directory fails ...
14580 dave 20 0 232M 7240 3392 S 0.0 0.0 0:00.16 │ │ ├─ bash│/bin/bash
15605 dave 20 0 695M 7076 1464 S 101. 0.0 2:02.32 │ │ │ └─ gocp events/ testgocp
15608 dave 20 0 695M 7076 1464 R 16.0 0.0 0:24.13 │ │ │ ├─ gocp events/ testgocp
15607 dave 20 0 695M 7076 1464 S 9.5 0.0 0:19.41 │ │ │ ├─ gocp events/ testgocp
15612 dave 20 0 695M 7076 1464 S 17.4 0.0 0:18.39 │ │ │ ├─ gocp events/ testgocp
15609 dave 20 0 695M 7076 1464 S 26.4 0.0 0:18.21 │ │ │ ├─ gocp events/ testgocp
15610 dave 20 0 695M 7076 1464 S 12.5 0.0 0:18.01 │ │ │ ├─ gocp events/ testgocp
15606 dave 20 0 695M 7076 1464 S 0.7 0.0 0:00.82 │ │ │ └─ gocp events/ testgocp
While its memory doesn't grow, it doesn't end, just sits there using cpu until killed. The dest directory does not get created.
CC: (none) => davidwhodgins
Bruno, please see my question on Bug 30323.
(In reply to David Walser from comment #34)
> Bruno, please see my question on Bug 30323.
I answered that IMO we're not impacted. Wrt gocp, I don't know, but I'm just providing it as a dependency for mageia8, when it's already in cauldron. It's used as a library in fact, not with the gocp binary. Not sure what it should do when you copy an empty dir, but indeed it doesn't end. However it works for other copy cases. Could be worth an upstream bug report if that's a legitimate use case.
It fails if given a directory, not just an empty one. As it does work for individual files, and given comment 32, validating.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
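The gocp behaviour reported above (spinning forever on a directory, the destination never created) is recorded but not diagnosed. The Go program below is an added example and not code from github.com/mrunalp/fileutils or gocp; it shows the directory-copy semantics a packager would expect from such a tool, on a constructed tree under a temporary directory: directories are recreated including empty ones, regular files keep their mode, symlinks are recreated rather than followed, and a destination located inside the source tree is refused. That last guard is an assumption about one classic cause of a copy that never terminates (walking src while writing into it), not a finding about gocp.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrDestInsideSrc is returned when dst lies within src. A copy that walks
// src while writing into dst would otherwise keep discovering its own output
// and never terminate. Whether this is what gocp hits is not established;
// the guard is an assumption of this example.
var ErrDestInsideSrc = errors.New("destination is inside the source tree")

// CopyTree copies src (a regular file or a directory) to dst. Directories are
// recreated with their mode, including empty ones; regular files are copied
// with content and mode; symlinks are recreated, not followed, so a link
// pointing back up the tree cannot turn the walk into a loop.
func CopyTree(src, dst string) error {
	absSrc, err := filepath.Abs(src)
	if err != nil {
		return err
	}
	absDst, err := filepath.Abs(dst)
	if err != nil {
		return err
	}
	if absDst == absSrc || strings.HasPrefix(absDst, absSrc+string(filepath.Separator)) {
		return ErrDestInsideSrc
	}
	info, err := os.Lstat(absSrc)
	if err != nil {
		return err
	}
	if !info.IsDir() {
		return copyEntry(absSrc, absDst, info)
	}
	// filepath.Walk uses Lstat and does not descend into symlinked directories.
	return filepath.Walk(absSrc, func(p string, fi os.FileInfo, walkErr error) error {
		if walkErr != nil {
			return walkErr
		}
		rel, err := filepath.Rel(absSrc, p)
		if err != nil {
			return err
		}
		return copyEntry(p, filepath.Join(absDst, rel), fi)
	})
}

// copyEntry recreates a single filesystem entry at dst according to its type.
func copyEntry(src, dst string, fi os.FileInfo) error {
	switch mode := fi.Mode(); {
	case mode.IsDir():
		return os.MkdirAll(dst, mode.Perm())
	case mode&os.ModeSymlink != 0:
		target, err := os.Readlink(src)
		if err != nil {
			return err
		}
		return os.Symlink(target, dst)
	case mode.IsRegular():
		return copyFile(src, dst, mode.Perm())
	default:
		return fmt.Errorf("%s: unsupported file type %v", src, mode.Type())
	}
}

func copyFile(src, dst string, perm os.FileMode) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, perm)
	if err != nil {
		return err
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		return err
	}
	return out.Close()
}

func main() {
	// Constructed tree in a temporary directory: one file plus an empty subdirectory.
	tmp, err := os.MkdirTemp("", "copytree")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	src := filepath.Join(tmp, "events")
	if err := os.MkdirAll(filepath.Join(src, "empty"), 0o755); err != nil {
		panic(err)
	}
	if err := os.WriteFile(filepath.Join(src, "a.txt"), []byte("hello\n"), 0o644); err != nil {
		panic(err)
	}
	fmt.Println("copy directory:", CopyTree(src, filepath.Join(tmp, "testgocp")))
	fmt.Println("copy into itself:", CopyTree(src, filepath.Join(src, "nested")))
}
```

Run stand-alone it reports a nil error for the directory copy and ErrDestInsideSrc for the self-copy; the copy of `events/` to `testgocp` terminates with the empty subdirectory present, which is the case the update testing above found gocp never finished.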
Keywords: (none) => advisory
Whiteboard: MGA8-64-OK => MGA8-64-OK MGA9-64-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0245.html
Resolution: (none) => FIXEDStatus: ASSIGNED => RESOLVED