Bug 835917 (CVE-2022-24769) - <app-containers/containerd-1.5.11: Default inheritable capabilities for linux container should be empty
Summary: <app-containers/containerd-1.5.11: Default inheritable capabilities for linux...
Status: IN_PROGRESS
Alias: CVE-2022-24769
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/containerd/contain...
Whiteboard: B4 [glsa?]
Keywords:
Depends on: 836778
Blocks:
Reported: 2022-03-24 09:27 UTC by mathieu.tortuyaux
Modified: 2022-04-14 23:58 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---

Description mathieu.tortuyaux 2022-03-24 09:27:31 UTC
Hi,

CVE-2022-24769: (https://github.com/containerd/containerd/commit/551516a18d0a60c4afbc85e7588af356191eaead) A bug was found in containerd where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted.

This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set.

Might be a B2 level?

We need to upgrade to >= 1.5.11
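The description above hinges on the execve(2) capability transformation rules from capabilities(7): a process gains into its permitted set the intersection of its own inheritable set with the file's inheritable capabilities, bounded by its bounding set. The Go program below is an added example (not containerd's code and not part of this bug) that parses the Cap* lines of a /proc/<pid>/status dump, applies those rules, and compares what an unprivileged container user gains from a binary carrying an inheritable file capability when CapInh is populated (the buggy behaviour) versus empty (the fixed behaviour). The status excerpts, the capability numbers and the 0xa80425fb default mask are constructed or copied from <linux/capability.h> for illustration; the function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Capability bit numbers from <linux/capability.h> (only the ones used below).
const (
	CapNetBindService = 10
	CapSysAdmin       = 21
)

// Caps holds a process's capability sets as the 64-bit masks /proc/<pid>/status prints.
type Caps struct {
	Inheritable, Permitted, Effective, Bounding, Ambient uint64
}

// FileCaps holds the inheritable and permitted sets plus the effective flag of a file capability.
type FileCaps struct {
	Inheritable, Permitted uint64
	Effective              bool
}

// Bit returns the mask for a single capability number.
func Bit(n uint) uint64 { return uint64(1) << n }

// ParseStatus reads the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines of a /proc/<pid>/status dump.
func ParseStatus(status string) (Caps, error) {
	var c Caps
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 || !strings.HasPrefix(parts[0], "Cap") {
			continue
		}
		v, err := strconv.ParseUint(strings.TrimSpace(parts[1]), 16, 64)
		if err != nil {
			return Caps{}, fmt.Errorf("%s: %w", parts[0], err)
		}
		switch parts[0] {
		case "CapInh":
			c.Inheritable = v
		case "CapPrm":
			c.Permitted = v
		case "CapEff":
			c.Effective = v
		case "CapBnd":
			c.Bounding = v
		case "CapAmb":
			c.Ambient = v
		}
	}
	return c, nil
}

// ExecveTransform applies the capabilities(7) rules for execve of a file that carries file capabilities:
//   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
//   P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
// The ambient set is cleared because a file with file capabilities counts as privileged;
// the inheritable and bounding sets are unchanged by execve.
func ExecveTransform(p Caps, f FileCaps) Caps {
	n := p
	n.Ambient = 0
	n.Permitted = (p.Inheritable & f.Inheritable) | (f.Permitted & p.Bounding) | n.Ambient
	if f.Effective {
		n.Effective = n.Permitted
	} else {
		n.Effective = n.Ambient
	}
	return n
}

// GainedByExecve returns the permitted set a process described by the status dump
// would hold after executing a binary with the given file capabilities.
func GainedByExecve(status string, f FileCaps) (uint64, error) {
	p, err := ParseStatus(status)
	if err != nil {
		return 0, err
	}
	return ExecveTransform(p, f).Permitted, nil
}

// Constructed /proc/<pid>/status excerpts for a non-root (uid 1000) process inside a container.
// Switching from root to a non-root user clears CapPrm/CapEff but leaves CapInh untouched,
// which is why the populated inheritable set from the bug survives into unprivileged processes.
// 0xa80425fb is the default container capability set used as the bounding set here.
const buggyStatus = `Name:	sh
Uid:	1000	1000	1000	1000
CapInh:	00000000a80425fb
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

const fixedStatus = `Name:	sh
Uid:	1000	1000	1000	1000
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

func main() {
	// A binary carrying only an inheritable file capability (as set by setcap cap_net_bind_service+ei).
	f := FileCaps{Inheritable: Bit(CapNetBindService), Effective: true}
	for _, c := range []struct{ name, status string }{{"buggy", buggyStatus}, {"fixed", fixedStatus}} {
		got, err := GainedByExecve(c.status, f)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-5s CapInh: permitted after execve = %#x\n", c.name, got)
	}
}
```

Running the audit against a live container is a matter of feeding `/proc/<pid>/status` of a non-root process to ParseStatus and alerting on a non-zero Inheritable field; the third check in the test below also shows why the description says the sandbox itself was not affected: a file capability outside the container's bounding set (CAP_SYS_ADMIN here) is not in the inheritable set either, so it cannot be gained even on the buggy version.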
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-24 19:56:10 UTC
Thanks for reporting! Maintainers, please bump to 1.5.11 and 1.6.2.
Comment 2 Larry the Git Cow gentoo-dev 2022-03-28 05:35:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0c789e55fe279952eff475ff60cc1574ea5f917

commit b0c789e55fe279952eff475ff60cc1574ea5f917
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-03-28 05:34:56 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-03-28 05:34:56 +0000

    app-containers/containerd: add 1.5.11
    
    Closes: https://bugs.gentoo.org/835367
    Bug: https://bugs.gentoo.org/835917
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-containers/containerd/Manifest                 |  1 +
 app-containers/containerd/containerd-1.5.11.ebuild | 84 ++++++++++++++++++++++
 2 files changed, 85 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-28 14:07:38 UTC
Please stabilize when ready.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-09 23:38:39 UTC
Please cleanup
Comment 5 Larry the Git Cow gentoo-dev 2022-04-14 22:40:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6789bc6bbd8fa2bc9bc7877669e86c89a3651ef6

commit 6789bc6bbd8fa2bc9bc7877669e86c89a3651ef6
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-04-14 22:36:28 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-04-14 22:39:37 +0000

    app-containers/containerd: drop 1.4.11, 1.4.12
    
    Bug: https://bugs.gentoo.org/835917
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-containers/containerd/Manifest                 |  2 -
 app-containers/containerd/containerd-1.4.11.ebuild | 84 ----------------------
 app-containers/containerd/containerd-1.4.12.ebuild | 84 ----------------------
 3 files changed, 170 deletions(-)