CVE-2021-32760: containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files. Please bump to 1.4.8 and 1.5.4.
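As an added example (not code from this bug thread or from containerd), a Go pre-admission audit for a layer tarball pulled from a source you do not fully trust: it reports entries carrying the setuid/setgid/sticky bits the advisory names and link entries whose targets resolve outside the layer root. The audit heuristics, the function names and the sample layer are assumptions for illustration, not a description of the crafted image or of the upstream fix.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

type Finding struct{ Name, Reason string } // one layer entry worth reviewing before extraction

// AuditLayer flags entries with setuid/setgid/sticky bits or link targets that resolve
// outside the layer root. An assumed pre-admission heuristic, not containerd's own fix.
func AuditLayer(layer []byte) (out []Finding, _ error) {
	tr := tar.NewReader(bytes.NewReader(layer))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if hdr.Mode&0o7000 != 0 { // Unix mode bits 04000 | 02000 | 01000
			out = append(out, Finding{hdr.Name, "setuid/setgid/sticky bit set"})
		}
		target := hdr.Linkname // empty unless a link; hardlinks are root-relative, symlinks link-relative
		if hdr.Typeflag == tar.TypeSymlink && !path.IsAbs(target) {
			target = path.Join(path.Dir(hdr.Name), target)
		}
		if c := path.Clean(target); c == ".." || strings.HasPrefix(c, "../") {
			out = append(out, Finding{hdr.Name, "link target escapes layer root"})
		}
	}
	return out, nil
}

// BuildSampleLayer is constructed test data, not a real image. Errors are ignored because
// the three headers are fixed and valid.
func BuildSampleLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "etc/motd", Typeflag: tar.TypeReg, Mode: 0o644})                       // benign
	tw.WriteHeader(&tar.Header{Name: "usr/bin/tool", Typeflag: tar.TypeReg, Mode: 0o4755})                  // setuid
	tw.WriteHeader(&tar.Header{Name: "tmp/link", Typeflag: tar.TypeSymlink, Linkname: "../../etc/passwd"}) // escapes
	tw.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(AuditLayer(BuildSampleLayer())) // two findings (usr/bin/tool, tmp/link) and a nil error
}
```

Absolute symlink targets are left alone on purpose, since inside an image they are rootfs-relative; only relative targets that climb above the layer root are reported.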
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3844230e77f39931083e7dfa33452666d6fd7452

commit 3844230e77f39931083e7dfa33452666d6fd7452
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-20 02:41:18 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-20 02:43:54 +0000

    app-emulation/containerd: add 1.5.4

    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/containerd/Manifest                |  1 +
 app-emulation/containerd/containerd-1.5.4.ebuild | 84 ++++++++++++++++++++++++
 2 files changed, 85 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7ca7f4aa67809d4817c384e744bc9653278b815

commit d7ca7f4aa67809d4817c384e744bc9653278b815
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-20 02:06:38 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-20 02:43:53 +0000

    app-emulation/containerd: add 1.4.8

    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/containerd/Manifest                |  1 +
 app-emulation/containerd/containerd-1.4.8.ebuild | 84 ++++++++++++++++++++++++
 2 files changed, 85 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71495d17b60621fe86d64ab649085e6f51fc597b

commit 71495d17b60621fe86d64ab649085e6f51fc597b
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-20 02:04:57 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-20 02:43:53 +0000

    app-emulation/runc: add 1.0.0

    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/runc/Manifest          |  1 +
 app-emulation/runc/runc-1.0.0.ebuild | 78 ++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Thanks! Please stabilize.
Sanity check failed:

> app-emulation/containerd-1.4.8
>   bdepend amd64 dev profile default/linux/amd64/17.0/x32 (2 total)
>     ~app-emulation/runc-1.0.0
>   bdepend amd64 stable profile default/linux/amd64/17.1 (43 total)
>     ~app-emulation/runc-1.0.0
>   rdepend amd64 dev profile default/linux/amd64/17.0/x32 (2 total)
>     ~app-emulation/runc-1.0.0
>   rdepend amd64 stable profile default/linux/amd64/17.1 (43 total)
>     ~app-emulation/runc-1.0.0
All sanity-check issues have been resolved
amd64 done
arm64 done
ppc64 done
all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4718c79bb481de1743dfbe88d8df78dc467e914

commit f4718c79bb481de1743dfbe88d8df78dc467e914
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-26 21:24:27 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-26 21:24:41 +0000

    app-emulation/runc: drop 1.0.0_rc95

    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/runc/Manifest               |  1 -
 app-emulation/runc/runc-1.0.0_rc95.ebuild | 78 -------------------------------
 2 files changed, 79 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=682e0ab4966d624d99be7e9a954e476e950be926

commit 682e0ab4966d624d99be7e9a954e476e950be926
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-26 21:24:13 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-26 21:24:41 +0000

    app-emulation/containerd: drop 1.4.6

    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/containerd/Manifest                |  1 -
 app-emulation/containerd/containerd-1.4.6.ebuild | 84 ------------------------
 2 files changed, 85 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62af75d4a618ab35ca0d6d9ef057535f86f0ce0c

commit 62af75d4a618ab35ca0d6d9ef057535f86f0ce0c
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-26 21:23:54 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-26 21:24:40 +0000

    app-emulation/containerd: drop 1.5.2

    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/containerd/Manifest                |  2 -
 app-emulation/containerd/containerd-1.5.2.ebuild | 82 ------------------------
 2 files changed, 84 deletions(-)
cleanup done. security, please do your thing =)
Unable to check for sanity:

> no match for package: app-emulation/containerd-1.4.8
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f9feb611eaa9a3e053e61253ddab0e4d85b21cd9

commit f9feb611eaa9a3e053e61253ddab0e4d85b21cd9
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-01-31 12:30:06 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-01-31 12:31:16 +0000

    [ GLSA 202401-31 ] containerd: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/802948
    Bug: https://bugs.gentoo.org/816315
    Bug: https://bugs.gentoo.org/834689
    Bug: https://bugs.gentoo.org/835917
    Bug: https://bugs.gentoo.org/850124
    Bug: https://bugs.gentoo.org/884803
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202401-31.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)