Bug 1188282 - (CVE-2021-32760) VUL-0: CVE-2021-32760: containerd: archive package allows chmod of file outside of unpack target directory
(CVE-2021-32760)
VUL-0: CVE-2021-32760: containerd: archive package allows chmod of file outsi...
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Containers Team
Security Team bot
https://smash.suse.de/issue/303993/
CVSSv3.1:SUSE:CVE-2021-32760:3.0:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-07-13 15:16 UTC by Robert Frohl
Modified: 2021-10-31 20:40 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-07-13 15:16:35 UTC
This issue will remain embargoed until July 19, 2021 between 10am and
noon Pacific time, at which point upstream containerd releases will be
available and an advisory will be posted to 
https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w.
  A CVE ID has been requested for this issue but has not yet been
assigned.  A follow-up email will be sent out when the CVE ID is
assigned.

Impact

A bug was found in containerd where pulling and extracting a specially-
crafted container image can result in Unix file permission changes for
existing files in the host’s filesystem. Changes to file permissions
can deny access to the expected owner of the file, widen access to
others, or set extended bits like setuid, setgid, and sticky. This bug
does not directly allow files to be read, modified, or executed without
an additional cooperating process.

Patches

This bug will be fixed in containerd 1.5.4 and 1.4.8. Users should
update to these versions as soon as they are released. Running
containers do not need to be restarted.

Patches for containerd 1.4.x and 1.5.x suitable for backporting into
your existing packages are attached to this email.

Workarounds

Ensure you only pull images from trusted sources.
Linux security modules (LSMs) like SELinux and AppArmor can limit the
files potentially affected by this bug through policies and profiles
that prevent containerd from interacting with unexpected files.

On behalf of the containerd project,
Samuel Karp
Comment 1 Robert Frohl 2021-07-13 15:17:03 UTC
Created attachment 850965 [details]
1.4-Use-chmod-path-for-checking-symlink.patch
Comment 2 Robert Frohl 2021-07-13 15:17:24 UTC
Created attachment 850966 [details]
1.5-Cleanup-lchmod-logic-in-archive.patch
Comment 10 Swamp Workflow Management 2021-07-20 16:29:23 UTC
openSUSE-SU-2021:2412-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1188282
CVE References: CVE-2021-32760
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    containerd-1.4.4-5.36.1
Comment 11 Swamp Workflow Management 2021-07-20 16:30:32 UTC
SUSE-SU-2021:2412-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1188282
CVE References: CVE-2021-32760
JIRA References: 
Sources used:
SUSE MicroOS 5.0 (src):    containerd-1.4.4-5.36.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerd-1.4.4-5.36.1
SUSE Linux Enterprise Module for Containers 15-SP2 (src):    containerd-1.4.4-5.36.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-07-20 16:43:39 UTC
SUSE-SU-2021:2413-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1188282
CVE References: CVE-2021-32760
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.4.4-16.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2021-07-23 22:22:22 UTC
openSUSE-SU-2021:1081-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1188282
CVE References: CVE-2021-32760
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    containerd-1.4.4-lp152.2.9.1
Comment 14 Swamp Workflow Management 2021-10-12 13:26:58 UTC
SUSE-SU-2021:3336-1: An update that solves 6 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.4.11-16.45.1, docker-20.10.9_ce-98.72.1, runc-1.0.2-16.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2021-10-25 13:17:31 UTC
openSUSE-SU-2021:3506-1: An update that solves 6 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, docker-kubic-20.10.9_ce-156.1, runc-1.0.2-23.1
Comment 16 Swamp Workflow Management 2021-10-25 13:20:17 UTC
SUSE-SU-2021:3506-1: An update that solves 6 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE MicroOS 5.0 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server for SAP 15 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server 15-LTSS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Module for Containers 15-SP2 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1
SUSE Enterprise Storage 7 (src):    runc-1.0.2-23.1
SUSE Enterprise Storage 6 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE CaaS Platform 4.0 (src):    containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2021-10-31 20:40:29 UTC
openSUSE-SU-2021:1404-1: An update that solves 6 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    containerd-1.4.11-lp152.2.12.1, docker-20.10.9_ce-lp152.2.18.1, runc-1.0.2-lp152.2.9.1