Bug 833094 (CVE-2022-0532) - <app-containers/cri-o-1.23.1: insufficient pod sysctl sandboxing
Status: RESOLVED FIXED
Alias: CVE-2022-0532
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Reported: 2022-02-10 23:00 UTC by John Helmert III
Modified: 2022-02-12 21:47 UTC

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-10 23:00:13 UTC
CVE-2022-0532 (https://bugzilla.redhat.com/show_bug.cgi?id=2051730):

An incorrect sysctls validation vulnerability was found in CRI-O 1.18 and earlier. The sysctls from the list of "safe" sysctls specified for the cluster will be applied to the host if an attacker is able to create a pod with a hostIPC and hostNetwork kernel namespace.

The CVE references themselves are pretty useless; clicking deeper
yields:

https://github.com/cri-o/cri-o/pull/5610
https://github.com/cri-o/cri-o/security/advisories/GHSA-w2j5-3rcx-vx7x (404s, maybe currently secret)

The PR seems to describe the vulnerability a little differently than
the CVE description, "Fix a bug where a pod given a host IPC or
network namespace could configure sysctls on the host".

1.23 commit: https://github.com/cri-o/cri-o/commit/e4aee3a2f741488205e97d2db0759f4a91425801
1.22 PR: https://github.com/cri-o/cri-o/pull/5616
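
An added example, not code from CRI-O or from this bug report: a minimal Go audit check that flags pods whose namespaced sysctls would land in a host namespace, which is the condition the CVE description above names. The `Pod` struct, the function names and the sample pods are assumptions made for illustration; the namespaced sysctl prefixes are the ones Kubernetes documents (`net.*`, `kernel.shm*`, `kernel.msg*`, `kernel.sem`, `fs.mqueue.*`).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Pod is a hypothetical, minimal view of a pod's namespace and sysctl settings.
type Pod struct {
	Name                 string
	HostNetwork, HostIPC bool
	Sysctls              map[string]string
}

// sysctlNamespace maps a namespaced sysctl key to "net" or "ipc", else "".
func sysctlNamespace(key string) string {
	switch {
	case strings.HasPrefix(key, "net."):
		return "net"
	case strings.HasPrefix(key, "kernel.shm"), strings.HasPrefix(key, "kernel.msg"),
		key == "kernel.sem", strings.HasPrefix(key, "fs.mqueue."):
		return "ipc"
	}
	return ""
}

// HostSysctls returns, sorted, the sysctls that would be written into a host
// namespace because the pod shares that namespace with the host.
func HostSysctls(p Pod) []string {
	var hits []string
	for key := range p.Sysctls {
		ns := sysctlNamespace(key)
		if (ns == "net" && p.HostNetwork) || (ns == "ipc" && p.HostIPC) {
			hits = append(hits, key)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Constructed sample pods; both request only "safe" sysctls.
	s := map[string]string{"net.ipv4.ip_local_port_range": "1024 65000", "kernel.shm_rmid_forced": "1"}
	pods := []Pod{{Name: "isolated", Sysctls: s}, {Name: "hostnet", HostNetwork: true, Sysctls: s}}
	for _, p := range pods {
		fmt.Printf("%s: sysctls reaching the host: %v\n", p.Name, HostSysctls(p))
	}
}
```

A non-empty result is what an admission check or manifest audit would reject or report, independent of whether the runtime itself is patched.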
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 04:24:55 UTC
Patch made it into 1.23.1.
Comment 2 Larry the Git Cow gentoo-dev 2022-02-12 17:41:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7b2766b39db4392639311e23a8402f216d20f445

commit 7b2766b39db4392639311e23a8402f216d20f445
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-02-12 17:37:39 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-02-12 17:38:36 +0000

    app-containers/cri-o: Bump to version 1.23.1
    
    Bug: https://bugs.gentoo.org/833094
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/cri-o/Manifest            |   13 +
 app-containers/cri-o/cri-o-1.23.1.ebuild | 2157 ++++++++++++++++++++++++++++++
 2 files changed, 2170 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 19:31:19 UTC
Thanks, please cleanup!
Comment 4 Larry the Git Cow gentoo-dev 2022-02-12 19:45:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90c99a01cf45f4a71a948f57f128bf94b2b7ce5c

commit 90c99a01cf45f4a71a948f57f128bf94b2b7ce5c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-02-12 19:43:34 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-02-12 19:44:56 +0000

    app-containers/cri-o: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/833094
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/cri-o/Manifest            |  621 ---------
 app-containers/cri-o/cri-o-1.21.0.ebuild | 1997 ---------------------------
 app-containers/cri-o/cri-o-1.21.4.ebuild | 2041 ----------------------------
 app-containers/cri-o/cri-o-1.22.1.ebuild | 2079 ----------------------------
 app-containers/cri-o/cri-o-1.23.0.ebuild | 2154 ------------------------------
 5 files changed, 8892 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-12 21:47:12 UTC
Thanks, all done!