Mageia 2021-0484: docker-containerd security update
Summary
A bug was found in containerd where pulling and extracting a
specially-crafted container image can result in Unix file permission
changes for existing files in the host’s filesystem. Changes to file
permissions can deny access to the expected owner of the file, widen
access to others, or set extended bits like setuid, setgid, and sticky.
This bug does not directly allow files to be read, modified, or executed
without an additional cooperating process.
References
- https://bugs.mageia.org/show_bug.cgi?id=29268
- https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w
- https://ubuntu.com/security/notices/USN-5012-1
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/KOVJMTDKAFMTONFNVO7Z327OFE52V7FK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/
- https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq
- https://ubuntu.com/security/notices/USN-5100-1
- https://lists.suse.com/pipermail/sle-security-updates/2021-October/009566.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/M7ZZTABKTSJ5DYVDIQ7CVZG5HABGM2EC/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41103
Resolution
MGASA-2021-0484 - Updated docker-containerd packages fix security vulnerability
SRPMS
- 8/core/docker-containerd-1.5.7-1.mga8