
Bug 835917 (CVE-2022-24769)

Summary: <app-containers/containerd-1.5.11: Default inheritable capabilities for linux container should be empty
Product: Gentoo Security
Reporter: Mathieu Tortuyaux <mathieu.tortuyaux>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ajak, gyakovlev, sam, williamh
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c
See Also: https://bugs.gentoo.org/show_bug.cgi?id=835976
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 836778
Bug Blocks:

Description Mathieu Tortuyaux 2022-03-24 09:27:31 UTC
Hi,

CVE-2022-24769: (https://github.com/containerd/containerd/commit/551516a18d0a60c4afbc85e7588af356191eaead) A bug was found in containerd where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted.

This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set.

Might be a B2 level?

We need to upgrade to >= 1.5.11
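The advisory text above describes the execve(2) capability transformation in words. The following is an added example (not part of the bug report or of containerd's code) that models that transformation per capabilities(7), reads the CapInh/CapBnd lines from constructed /proc/<pid>/status excerpts, and shows why a container init with a non-empty inheritable set lets an unprivileged user gain file-inheritable capabilities up to the bounding set while an empty one does not. The status excerpts and the two-bit bounding set are constructed for illustration.

```python
import re

# Capability bit numbers from <linux/capability.h> (only those used here).
CAP_NET_BIND_SERVICE = 10
CAP_SYS_CHROOT = 18
CAP_SYS_ADMIN = 21

def execve_sets(p_inh, p_bnd, p_amb, f_inh, f_perm, f_eff):
    """Capability transformation at execve(2), per capabilities(7).
    Sets are int bitmasks. Returns (permitted, effective, inheritable)."""
    privileged_file = bool(f_inh or f_perm)      # a setcap'd binary clears ambient
    new_amb = 0 if privileged_file else p_amb
    # The first term is what this CVE is about: file-inheritable caps only
    # become permitted if the *process* inheritable set already holds them.
    new_perm = (p_inh & f_inh) | (f_perm & p_bnd) | new_amb
    new_eff = new_perm if f_eff else new_amb
    return new_perm, new_eff, p_inh

def parse_proc_status(text):
    """Pull the Cap* lines out of /proc/<pid>/status text into {name: int}."""
    return {k: int(v, 16) for k, v in
            re.findall(r"^(Cap\w+):\s+([0-9a-fA-F]+)$", text, re.M)}

def has_nonempty_inheritable(status_text):
    """Detection check: a container init with CapInh != 0 is the affected state."""
    return parse_proc_status(status_text)["CapInh"] != 0

def gained_by_unprivileged_user(status_text, f_inh, f_perm=0):
    """Permitted set a non-root user inside the container ends up with after
    exec'ing a binary that carries the given file inheritable/permitted caps."""
    caps = parse_proc_status(status_text)
    perm, _, _ = execve_sets(caps["CapInh"], caps["CapBnd"], 0, f_inh, f_perm, True)
    return perm

# Constructed /proc/1/status excerpts (not real captures). The bounding set is
# cut down to two bits for readability; a real default set is larger.
BOUNDING = (1 << CAP_NET_BIND_SERVICE) | (1 << CAP_SYS_CHROOT)   # 0x40400
BUGGY_STATUS = "Name:\tsh\nCapInh:\t0000000000040400\nCapBnd:\t0000000000040400\n"
FIXED_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapBnd:\t0000000000040400\n"

if __name__ == "__main__":
    # One binary in the image has 'cap_sys_chroot+i' (inside the bounding set),
    # another 'cap_sys_admin+i' (outside it); both run by an unprivileged user.
    for name, status in (("buggy", BUGGY_STATUS), ("fixed", FIXED_STATUS)):
        print(name, "CapInh non-empty:", has_nonempty_inheritable(status),
              "chroot gained:", hex(gained_by_unprivileged_user(status, 1 << CAP_SYS_CHROOT)),
              "sys_admin gained:", hex(gained_by_unprivileged_user(status, 1 << CAP_SYS_ADMIN)))
```

The CAP_SYS_ADMIN case stays at zero in both runs, which is the point made in the second paragraph of the report: the inheritable set never exceeded the bounding set, so the sandbox boundary itself held.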
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-24 19:56:10 UTC
Thanks for reporting! Maintainers, please bump to 1.5.11 and 1.6.2.
Comment 2 Larry the Git Cow gentoo-dev 2022-03-28 05:35:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0c789e55fe279952eff475ff60cc1574ea5f917

commit b0c789e55fe279952eff475ff60cc1574ea5f917
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-03-28 05:34:56 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-03-28 05:34:56 +0000

    app-containers/containerd: add 1.5.11
    
    Closes: https://bugs.gentoo.org/835367
    Bug: https://bugs.gentoo.org/835917
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-containers/containerd/Manifest                 |  1 +
 app-containers/containerd/containerd-1.5.11.ebuild | 84 ++++++++++++++++++++++
 2 files changed, 85 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-28 14:07:38 UTC
Please stabilize when ready.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 23:38:39 UTC
Please clean up.
Comment 5 Larry the Git Cow gentoo-dev 2022-04-14 22:40:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6789bc6bbd8fa2bc9bc7877669e86c89a3651ef6

commit 6789bc6bbd8fa2bc9bc7877669e86c89a3651ef6
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-04-14 22:36:28 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-04-14 22:39:37 +0000

    app-containers/containerd: drop 1.4.11, 1.4.12
    
    Bug: https://bugs.gentoo.org/835917
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-containers/containerd/Manifest                 |  2 -
 app-containers/containerd/containerd-1.4.11.ebuild | 84 ----------------------
 app-containers/containerd/containerd-1.4.12.ebuild | 84 ----------------------
 3 files changed, 170 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2024-01-31 12:31:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f9feb611eaa9a3e053e61253ddab0e4d85b21cd9

commit f9feb611eaa9a3e053e61253ddab0e4d85b21cd9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-31 12:30:06 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-31 12:31:16 +0000

    [ GLSA 202401-31 ] containerd: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/802948
    Bug: https://bugs.gentoo.org/816315
    Bug: https://bugs.gentoo.org/834689
    Bug: https://bugs.gentoo.org/835917
    Bug: https://bugs.gentoo.org/850124
    Bug: https://bugs.gentoo.org/884803
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-31.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)