Hi, CVE-2022-24769: (https://github.com/containerd/containerd/commit/551516a18d0a60c4afbc85e7588af356191eaead) A bug was found in containerd where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. Might be a B2 level ? We need to upgrade to >= 1.5.11
Thanks for reporting! Maintainers, please bump to 1.5.11 and 1.6.2.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0c789e55fe279952eff475ff60cc1574ea5f917 commit b0c789e55fe279952eff475ff60cc1574ea5f917 Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2022-03-28 05:34:56 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2022-03-28 05:34:56 +0000 app-containers/containerd: add 1.5.11 Closes: https://bugs.gentoo.org/835367 Bug: https://bugs.gentoo.org/835917 Signed-off-by: William Hubbs <williamh@gentoo.org> app-containers/containerd/Manifest | 1 + app-containers/containerd/containerd-1.5.11.ebuild | 84 ++++++++++++++++++++++ 2 files changed, 85 insertions(+)
Please stabilize when ready.
Please cleanup
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6789bc6bbd8fa2bc9bc7877669e86c89a3651ef6 commit 6789bc6bbd8fa2bc9bc7877669e86c89a3651ef6 Author: William Hubbs <williamh@gentoo.org> AuthorDate: 2022-04-14 22:36:28 +0000 Commit: William Hubbs <williamh@gentoo.org> CommitDate: 2022-04-14 22:39:37 +0000 app-containers/containerd: drop 1.4.11, 1.4.12 Bug: https://bugs.gentoo.org/835917 Signed-off-by: William Hubbs <williamh@gentoo.org> app-containers/containerd/Manifest | 2 - app-containers/containerd/containerd-1.4.11.ebuild | 84 ---------------------- app-containers/containerd/containerd-1.4.12.ebuild | 84 ---------------------- 3 files changed, 170 deletions(-)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=f9feb611eaa9a3e053e61253ddab0e4d85b21cd9 commit f9feb611eaa9a3e053e61253ddab0e4d85b21cd9 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-01-31 12:30:06 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-01-31 12:31:16 +0000 [ GLSA 202401-31 ] containerd: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/802948 Bug: https://bugs.gentoo.org/816315 Bug: https://bugs.gentoo.org/834689 Bug: https://bugs.gentoo.org/835917 Bug: https://bugs.gentoo.org/850124 Bug: https://bugs.gentoo.org/884803 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202401-31.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+)
