830672 – (CVE-2021-43816) <app-containers/containerd-1.5.7: selinux mislabeling vulnerability

Bug 830672 (CVE-2021-43816) - <app-containers/containerd-1.5.7: selinux mislabeling vulnerability

Summary: <app-containers/containerd-1.5.7: selinux mislabeling vulnerability

Status:	RESOLVED FIXED

Alias:	CVE-2021-43816

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:	https://github.com/containerd/contain...
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2022-01-06 08:01 UTC by John Helmert III
Modified:	2022-01-06 14:38 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-01-06 08:01:53 UTC

CVE-2021-43816:

containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.

Please bump to 1.5.9.

Comment 1 Georgy Yakovlev archtester

2022-01-06 08:14:01 UTC

just for the record, stable version does not have this vulnerable code, so 1.4.x is not affected

https://github.com/containerd/containerd/commit/d715d009061edf5ed0da5aa81fe7b6d2a6b3c10c

Comment 2 Larry the Git Cow gentoo-dev

2022-01-06 08:17:53 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=59cacb65fb0cceda1dd7e1b742116f35b8987051

commit 59cacb65fb0cceda1dd7e1b742116f35b8987051
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-06 08:15:53 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-06 08:17:25 +0000

    app-containers/containerd: drop 1.5.7
    
    Bug: https://bugs.gentoo.org/830672
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-containers/containerd/Manifest                |  1 -
 app-containers/containerd/containerd-1.5.7.ebuild | 84 -----------------------
 2 files changed, 85 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8fdda211404b31c7825bcfcd2f2f139c09c90740

commit 8fdda211404b31c7825bcfcd2f2f139c09c90740
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2022-01-06 08:15:20 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2022-01-06 08:17:25 +0000

    app-containers/containerd: add 1.5.9
    
    Bug: https://bugs.gentoo.org/830672
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-containers/containerd/Manifest                |  1 +
 app-containers/containerd/containerd-1.5.9.ebuild | 84 +++++++++++++++++++++++
 2 files changed, 85 insertions(+)

Comment 3 Georgy Yakovlev archtester

2022-01-06 08:18:26 UTC

bumpage and cleanup done

Comment 4 John Helmert III archtester

2022-01-06 14:38:08 UTC

(In reply to Georgy Yakovlev from comment #3)
> bumpage and cleanup done

Thanks, all done!