Bugzilla – Bug 1188282
VUL-0: CVE-2021-32760: containerd: archive package allows chmod of file outside of unpack target directory
Last modified: 2021-10-31 20:40:29 UTC
This issue will remain embargoed until July 19, 2021 between 10am and noon Pacific time, at which point upstream containerd releases will be available and an advisory will be posted to https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w. A CVE ID has been requested for this issue but has not yet been assigned. A follow-up email will be sent out when the CVE ID is assigned.

Impact

A bug was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host's filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.

Patches

This bug will be fixed in containerd 1.5.4 and 1.4.8. Users should update to these versions as soon as they are released. Running containers do not need to be restarted. Patches for containerd 1.4.x and 1.5.x suitable for backporting into your existing packages are attached to this email.

Workarounds

Ensure you only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with unexpected files.

On behalf of the containerd project,
Samuel Karp
Created attachment 850965 [details] 1.4-Use-chmod-path-for-checking-symlink.patch
Created attachment 850966 [details] 1.5-Cleanup-lchmod-logic-in-archive.patch
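The advisory above describes the failure mode (a crafted archive gets the unpacker to chmod a path that resolves outside the unpack root) and the attached patch titles point at the fix direction (check the real path before chmod, and do not chmod through a symlink). The following Go block is an added illustration written for this bug entry; it is not containerd's code and does not reproduce the patches. It shows one hardened shape for the chmod step of an unpacker: resolve every parent component through symlinks, confirm the result is still under the root, and refuse to chmod a final component that is itself a symlink (Linux has no lchmod, so os.Chmod would follow it). The names safeChmod, resolveInRoot and the constructed directory layout in main are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Sentinel errors so callers can tell the two refusals apart.
var (
	ErrOutsideRoot = errors.New("entry resolves outside the unpack root")
	ErrSymlink     = errors.New("refusing to chmod a symlink (chmod follows links)")
)

// resolveInRoot maps an archive entry name onto the real on-disk path below
// root. Every parent component is resolved through symlinks before the
// containment check, so a directory symlink planted earlier in the archive
// cannot redirect the final component outside the root.
// (Hypothetical helper written for this example, not containerd's.)
func resolveInRoot(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	absRoot, err = filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	// Rooting the name at "/" before Clean strips any leading "../" segments.
	candidate := filepath.Join(absRoot, filepath.Clean("/"+name))
	parent, err := filepath.EvalSymlinks(filepath.Dir(candidate))
	if err != nil {
		return "", err
	}
	if parent != absRoot && !strings.HasPrefix(parent, absRoot+string(os.PathSeparator)) {
		return "", ErrOutsideRoot
	}
	return filepath.Join(parent, filepath.Base(candidate)), nil
}

// safeChmod applies mode to the entry named by name only if the path stays
// inside root and the final component is not itself a symlink. Since
// os.Chmod follows symlinks, a link is skipped rather than chmod'ed, which
// leaves the link target's permissions untouched.
func safeChmod(root, name string, mode os.FileMode) error {
	final, err := resolveInRoot(root, name)
	if err != nil {
		return err
	}
	fi, err := os.Lstat(final)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return ErrSymlink
	}
	return os.Chmod(final, mode)
}

func main() {
	// Constructed layout: an unpack root holding a directory symlink and a
	// file symlink that both escape to a sibling "outside" directory.
	base, err := os.MkdirTemp("", "unpack-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	root := filepath.Join(base, "rootfs")
	outside := filepath.Join(base, "outside")
	for _, d := range []string{filepath.Join(root, "etc"), outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			panic(err)
		}
	}
	victim := filepath.Join(outside, "victim")
	_ = os.WriteFile(victim, []byte("constructed"), 0o600)
	_ = os.Symlink(outside, filepath.Join(root, "escape"))
	_ = os.Symlink(victim, filepath.Join(root, "etc", "link"))
	_ = os.WriteFile(filepath.Join(root, "etc", "passwd"), []byte("constructed"), 0o600)

	// Only the last entry is a regular file inside the root; the others are refused.
	for _, name := range []string{"escape/victim", "etc/link", "../outside/victim", "etc/passwd"} {
		fmt.Printf("%-20s -> %v\n", name, safeChmod(root, name, 0o644))
	}
}
```

The containment check runs on the resolved parent directory rather than on the entry's own path because the final component may legitimately not exist yet, or may be the symlink being refused; resolving the parent is what defeats a directory symlink planted by an earlier archive entry. An LSM profile that confines what the unpacker may touch, as the advisory's workaround suggests, remains a useful second layer on top of this kind of check.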
openSUSE-SU-2021:2412-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1188282
CVE References: CVE-2021-32760
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): containerd-1.4.4-5.36.1

SUSE-SU-2021:2412-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1188282
CVE References: CVE-2021-32760
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src): containerd-1.4.4-5.36.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src): containerd-1.4.4-5.36.1
SUSE Linux Enterprise Module for Containers 15-SP2 (src): containerd-1.4.4-5.36.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2021:2413-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1188282
CVE References: CVE-2021-32760
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.4.4-16.42.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:1081-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1188282
CVE References: CVE-2021-32760
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): containerd-1.4.4-lp152.2.9.1

SUSE-SU-2021:3336-1: An update that solves 6 vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.4.11-16.45.1, docker-20.10.9_ce-98.72.1, runc-1.0.2-16.14.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:3506-1: An update that solves 6 vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, docker-kubic-20.10.9_ce-156.1, runc-1.0.2-23.1

SUSE-SU-2021:3506-1: An update that solves 6 vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References:
Sources used:
SUSE MicroOS 5.1 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE MicroOS 5.0 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server for SAP 15 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Server 15-LTSS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise Module for Containers 15-SP2 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1
SUSE Enterprise Storage 7 (src): runc-1.0.2-23.1
SUSE Enterprise Storage 6 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE CaaS Platform 4.0 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2021:1404-1: An update that solves 6 vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434
CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): containerd-1.4.11-lp152.2.12.1, docker-20.10.9_ce-lp152.2.18.1, runc-1.0.2-lp152.2.9.1