Bug 802948 (CVE-2021-32760) - <app-containers/containerd-{1.4.8,1.5.4}: host permission mangling via malicious container (CVE-2021-32760)
Summary: <app-containers/containerd-{1.4.8,1.5.4}: host permission mangling via malici...
Status: IN_PROGRESS
Alias: CVE-2021-32760
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/containerd/contain...
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-19 23:42 UTC by John Helmert III
Modified: 2022-01-01 10:25 UTC
CC List: 2 users

See Also:
Package list:
app-emulation/containerd-1.4.8 app-emulation/runc-1.0.0
Runtime testing required: ---
nattka: sanity-check-


Description John Helmert III gentoo-dev Security 2021-07-19 23:42:11 UTC
CVE-2021-32760:

containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.


Please bump to 1.4.8 and 1.5.4.
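The advisory text above notes that a crafted image can set setuid, setgid or sticky bits on existing host files. As an added example, not code from this bug report or from containerd, the following Python audit inspects a layer tarball before it is extracted and reports entries that carry those bits or whose path would leave the layer root; the sample layer is constructed inline.

```python
# Added example (not code from the bug report or from containerd): audit an
# image layer tarball before extraction and report entries that carry
# setuid/setgid/sticky bits or whose path would escape the layer root.
import io
import stat
import tarfile
from typing import List, Tuple

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def audit_layer(tar_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) pairs for entries that deserve review."""
    findings: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            name = member.name
            # An absolute name or a ".." component would resolve outside the
            # directory the layer is applied to.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path escapes layer root"))
            # Special bits are legitimate on a few binaries (e.g. passwd), but
            # every occurrence is worth a look when the image is untrusted.
            if member.mode & SPECIAL_BITS:
                findings.append((name, f"special mode bits set (mode {member.mode:o})"))
    return findings


def build_sample_layer() -> bytes:
    """Constructed sample layer: a plain file, a setuid file and a traversal dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, kind in (("etc/motd", 0o644, tarfile.REGTYPE),
                                 ("usr/local/bin/helper", 0o4755, tarfile.REGTYPE),
                                 ("../var/tmp", 0o1777, tarfile.DIRTYPE)):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.mode = mode
            data = b"hello\n" if kind == tarfile.REGTYPE else b""
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_layer(build_sample_layer()):
        print(f"{entry}: {reason}")
```

Findings are review items rather than automatic rejections, since legitimate images do ship a handful of setuid binaries.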
Comment 1 Larry the Git Cow gentoo-dev 2021-07-20 02:44:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3844230e77f39931083e7dfa33452666d6fd7452

commit 3844230e77f39931083e7dfa33452666d6fd7452
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-20 02:41:18 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-20 02:43:54 +0000

    app-emulation/containerd: add 1.5.4
    
    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/containerd/Manifest                |  1 +
 app-emulation/containerd/containerd-1.5.4.ebuild | 84 ++++++++++++++++++++++++
 2 files changed, 85 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7ca7f4aa67809d4817c384e744bc9653278b815

commit d7ca7f4aa67809d4817c384e744bc9653278b815
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-20 02:06:38 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-20 02:43:53 +0000

    app-emulation/containerd: add 1.4.8
    
    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/containerd/Manifest                |  1 +
 app-emulation/containerd/containerd-1.4.8.ebuild | 84 ++++++++++++++++++++++++
 2 files changed, 85 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71495d17b60621fe86d64ab649085e6f51fc597b

commit 71495d17b60621fe86d64ab649085e6f51fc597b
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-20 02:04:57 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-20 02:43:53 +0000

    app-emulation/runc: add 1.0.0
    
    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/runc/Manifest          |  1 +
 app-emulation/runc/runc-1.0.0.ebuild | 78 ++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-07-20 04:24:13 UTC
Thanks! Please stabilize.
Comment 3 NATTkA bot gentoo-dev 2021-07-20 04:28:20 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-23 06:28:22 UTC Comment hidden (obsolete)
Comment 5 Sam James archtester gentoo-dev Security 2021-07-23 17:57:55 UTC
amd64 done
Comment 6 Sam James archtester gentoo-dev Security 2021-07-24 17:19:57 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-07-26 02:14:16 UTC
ppc64 done

all arches done
Comment 8 Sam James archtester gentoo-dev Security 2021-07-26 02:17:23 UTC
Please cleanup, thanks!
Comment 9 Larry the Git Cow gentoo-dev 2021-07-26 21:25:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4718c79bb481de1743dfbe88d8df78dc467e914

commit f4718c79bb481de1743dfbe88d8df78dc467e914
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-26 21:24:27 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-26 21:24:41 +0000

    app-emulation/runc: drop 1.0.0_rc95
    
    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/runc/Manifest               |  1 -
 app-emulation/runc/runc-1.0.0_rc95.ebuild | 78 -------------------------------
 2 files changed, 79 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=682e0ab4966d624d99be7e9a954e476e950be926

commit 682e0ab4966d624d99be7e9a954e476e950be926
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-26 21:24:13 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-26 21:24:41 +0000

    app-emulation/containerd: drop 1.4.6
    
    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/containerd/Manifest                |  1 -
 app-emulation/containerd/containerd-1.4.6.ebuild | 84 ------------------------
 2 files changed, 85 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=62af75d4a618ab35ca0d6d9ef057535f86f0ce0c

commit 62af75d4a618ab35ca0d6d9ef057535f86f0ce0c
Author:     Georgy Yakovlev <gyakovlev@gentoo.org>
AuthorDate: 2021-07-26 21:23:54 +0000
Commit:     Georgy Yakovlev <gyakovlev@gentoo.org>
CommitDate: 2021-07-26 21:24:40 +0000

    app-emulation/containerd: drop 1.5.2
    
    Bug: https://bugs.gentoo.org/802948
    Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>

 app-emulation/containerd/Manifest                |  2 -
 app-emulation/containerd/containerd-1.5.2.ebuild | 82 ------------------------
 2 files changed, 84 deletions(-)
Comment 10 Georgy Yakovlev archtester gentoo-dev 2021-07-26 21:25:34 UTC
cleanup done.
security, please do your thing =)
Comment 11 NATTkA bot gentoo-dev 2021-10-06 16:52:39 UTC
Unable to check for sanity:

> no match for package: app-emulation/containerd-1.4.8