Bug 775329 (CVE-2021-21334) - <app-emulation/containerd-1.4.4: Information disclosure via environment variables (CVE-2021-21334)
Status: CONFIRMED
Alias: CVE-2021-21334
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [cleanup cve glsa+]
Depends on: CVE-2021-30465 783525
Reported: 2021-03-11 02:48 UTC by Sam James
Modified: 2021-06-14 07:41 UTC

Package list:
app-emulation/containerd-1.4.4 amd64 arm64 ppc64
app-emulation/docker-20.10.6-r1 amd64 arm64 ppc64
app-emulation/docker-cli-20.10.6 amd64 arm64 ppc64
app-emulation/docker-proxy-0.8.0_p20201215 amd64 arm64 ppc64
app-emulation/runc-1.0.0_rc92 amd64 arm64 ppc64
sys-process/tini-0.19.0 amd64 arm64 ppc64
Runtime testing required: ---
nattka: sanity-check-


Description Sam James archtester gentoo-dev Security 2021-03-11 02:48:56 UTC
"In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers.

If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.

If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue.

If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue.

This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions."
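An added example, not part of the bug report or of containerd itself: a triage helper that applies the two exposure conditions from the advisory above, namely a containerd version older than the fixed releases and more than one container started from the same image with a different environment. The function names and the sample pod list are constructed for illustration; the input is assumed to have the shape of `kubectl get pods -A -o json`.

```python
import json
import re
from collections import defaultdict

def containerd_affected(version):
    """True if the version predates the fixes named in the advisory (1.3.10, 1.4.4)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v[:2] == (1, 4):
        return v < (1, 4, 4)
    return v < (1, 3, 10)

def shared_image_env_conflicts(pod_list):
    """Map image -> containers, for images that run with differing env definitions."""
    envs = defaultdict(dict)
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        for c in pod["spec"].get("containers", []):
            # Compare literal values and valueFrom references (e.g. secret refs).
            env = frozenset(
                (e["name"], e.get("value"), json.dumps(e.get("valueFrom"), sort_keys=True))
                for e in c.get("env", []))
            key = f'{meta.get("namespace", "default")}/{meta["name"]}/{c["name"]}'
            envs[c["image"]][key] = env
    return {img: sorted(users) for img, users in envs.items()
            if len(set(users.values())) > 1}

# Constructed sample input; image names and variables are placeholders.
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "frontend"},
     "spec": {"containers": [{"name": "app", "image": "registry.example/app:1.0",
                              "env": [{"name": "MODE", "value": "web"}]}]}},
    {"metadata": {"namespace": "default", "name": "billing"},
     "spec": {"containers": [{"name": "app", "image": "registry.example/app:1.0",
                              "env": [{"name": "MODE", "value": "batch"},
                                      {"name": "API_TOKEN", "valueFrom": {
                                          "secretKeyRef": {"name": "billing",
                                                           "key": "token"}}}]}]}},
    {"metadata": {"namespace": "default", "name": "cache"},
     "spec": {"containers": [{"name": "redis", "image": "registry.example/redis:6"}]}},
]}

if __name__ == "__main__":
    print(containerd_affected("1.4.3"), shared_image_env_conflicts(SAMPLE))
```

A node is worth prioritising for the update when both checks are positive; images listed by the second function are the ones whose containers could have received each other's variables.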
Comment 1 Sam James archtester gentoo-dev Security 2021-03-11 02:49:34 UTC
Tell us when ready to stable -- or if you plan to bump to 1.3.10 and stable that instead?
Comment 2 NATTkA bot gentoo-dev 2021-03-11 02:52:54 UTC Comment hidden (obsolete)
Comment 3 Sam James archtester gentoo-dev Security 2021-03-28 05:44:25 UTC
ping
Comment 4 NATTkA bot gentoo-dev 2021-04-01 20:09:14 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-04-28 16:48:37 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-05-16 12:48:36 UTC Comment hidden (obsolete)
Comment 7 Thomas Deutschmann gentoo-dev Security 2021-05-25 19:38:47 UTC
Added to an existing GLSA request.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 10:30:15 UTC
This issue was resolved and addressed in
 GLSA 202105-33 at https://security.gentoo.org/glsa/202105-33
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 9 Thomas Deutschmann gentoo-dev Security 2021-05-26 10:30:51 UTC
Re-opening for remaining architecture.
Comment 10 Georgy Yakovlev gentoo-dev 2021-06-10 23:41:58 UTC
going to skip ppc64 here and proceed in 790257
Comment 11 Georgy Yakovlev gentoo-dev 2021-06-11 01:02:24 UTC
ppc64 done in 790257
Comment 12 John Helmert III gentoo-dev Security 2021-06-11 01:11:18 UTC
Thanks! Please cleanup
Comment 13 Larry the Git Cow gentoo-dev 2021-06-11 16:27:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86912bea08db24cd53aa813c9c1a266f09c9fe70

commit 86912bea08db24cd53aa813c9c1a266f09c9fe70
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-06-11 16:23:21 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-06-11 16:25:13 +0000

    app-emulation/docker: stabilize 20.10.7 on amd64
    
    Bug: https://bugs.gentoo.org/775329
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker/docker-20.10.7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6c05e1b29e4a19c5d3f868890f78816c7acd6294

commit 6c05e1b29e4a19c5d3f868890f78816c7acd6294
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-06-11 16:11:39 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-06-11 16:25:13 +0000

    app-emulation/docker-proxy: stabilize 0.8.0_p20210525 on amd64
    
    Bug: https://bugs.gentoo.org/775329
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker-proxy/docker-proxy-0.8.0_p20210525.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f72167936ef4898678107e43080fb9349f3e20cd

commit f72167936ef4898678107e43080fb9349f3e20cd
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-06-11 16:08:07 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-06-11 16:25:13 +0000

    app-emulation/docker-cli: stabilize 20.10.7 on amd64
    
    Bug: https://bugs.gentoo.org/775329
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker-cli/docker-cli-20.10.7.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2d4eaa5dcd3772bc4053c935909676e6cc994f4

commit b2d4eaa5dcd3772bc4053c935909676e6cc994f4
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-06-11 16:04:26 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-06-11 16:25:13 +0000

    app-emulation/runc: stabilize 1.0.0_rc95 on amd64
    
    Bug: https://bugs.gentoo.org/775329
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/runc/runc-1.0.0_rc95.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e50c548ae83692602b6cd5dce9621292b5ef7482

commit e50c548ae83692602b6cd5dce9621292b5ef7482
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-06-11 15:57:13 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-06-11 16:25:12 +0000

    app-emulation/containerd: stabilize 1.4.6 on amd64
    
    Bug: https://bugs.gentoo.org/775329
    Package-Manager: Portage-3.0.18, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/containerd/containerd-1.4.6.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 14 Georgy Yakovlev gentoo-dev 2021-06-14 00:32:48 UTC
cleanup done
Comment 15 NATTkA bot gentoo-dev 2021-06-14 07:41:24 UTC
Unable to check for sanity:

> no match for package: app-emulation/containerd-1.4.4