Bug 56457 - docker.io, containerd, runc, golang-1.13: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-7-errata
Assigned To: Arvid Requate
Felix Botner
Duplicates: 57051
Depends on: 52838
Blocks:
Reported: 2023-08-19 14:04 CEST by Philipp Hahn
Modified: 2024-05-08 12:38 CEST

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Flags outvoted (downgraded) after PO Review:
Ticket number: 2024021921000109
Bug group (optional):
Max CVSS v3 score: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)


Description Philipp Hahn univentionstaff 2023-08-19 14:04:00 CEST
golang-1.13 (build dependency)
  UCS: 1.13.8-1ubuntu1 <https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/golang-1.13/?since=4.0>
  Ubuntu: 1.13.8-1ubuntu1.1 <https://packages.ubuntu.com/source/focal/golang-1.13>

>   * SECURITY UPDATE: Infinite read loop via invalid inputs
>     - debian/patches/CVE-2020-16845.patch: ensure that ReadUvarint
>       reads a limited amount of data in src/encoding/binary/varint.go.

- [Go applications could be made to hang or crash if they received specially crafted input.](https://ubuntu.com/security/notices/USN-5725-2)
  - CVE-2020-16845: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


golang-defaults (build dependency)
  UCS: 2:1.13~1ubuntu2 <https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/golang-defaults/?since=4.0>
  Ubuntu: 2.1.13~1ubuntu2 <https://packages.ubuntu.com/source/focal/golang-defaults>


docker.io
  UCS: 19.03.8-0ubuntu1.20.04.1 <https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/docker.io/?since=4.0>
  Ubuntu: 20.10.21-0ubuntu1~20.04.2 <https://packages.ubuntu.com/source/focal/docker.io>

>     - Among new features and bug fixes, the CVE-2021-21284 and CVE-2021-21285
>       were addressed.
>   * SECURITY UPDATE: insufficiently restricted directory permissions
>     - d/p/CVE-2021-41091.patch: Lock down docker root dir perms.
>   * SECURITY UPDATE: permissions modifications outside of install directory
>     - d/p/CVE-2021-41089.patch: chrootarchive: don't create parent dirs
>       outside of chroot.
>   * SECURITY UPDATE: docker cli information disclosure on misconfiguration
>     - d/p/CVE-2021-41092.patch: Ensure that default authentication config
>       has an address.

- [This update provides a new upstream version.](https://ubuntu.com/security/notices/USN-5032-2)
  - CVE-2021-21284: 6.8 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
  - CVE-2021-21285: 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- [Docker could be made to adjust the permissions of files.](https://ubuntu.com/security/notices/USN-5103-1)
  - CVE-2021-41089: 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
  - CVE-2021-41091: 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
- [Docker could be made to expose sensitive information over the network.](https://ubuntu.com/security/notices/USN-5134-1)
  - CVE-2021-41092: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


runc
  UCS: 1.0.0~rc10-0ubuntu1 <https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/runc/?since=4.0>
  Ubuntu: 1.1.4-0ubuntu1~20.04.3 <https://packages.ubuntu.com/source/focal/runc>

>   * SECURITY UPDATE: Incorrect access control through /sys/fs/cgroup
>     - debian/patches/CVE-2023-25809.patch: apply MS_RDONLY if
>       /sys/fs/cgroup is bind-mounted or mask if bind source is unavailable
>       in libcontainer/rootfs_linux.go.
>   * SECURITY UPDATE: Incorrect access control through /proc and /sys
>     - debian/patches/CVE-2023-27561_CVE-2023-28642.patch: Prohibit /proc and
>       /sys to be symlinks in libcontainer/rootfs_linux.go.
>   * SECURITY UPDATE: symlink exchange attack
>     - debian/patches/CVE-2021-30465/*.patch: upstream patches to add mount
>       destination validation.

- [Several security issues were fixed in runC](https://ubuntu.com/security/notices/USN-6088-1)
  - CVE-2023-25809: 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
  - CVE-2023-27561: 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  - CVE-2023-28642: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- [runC could be made to overwrite files as the administrator.](https://ubuntu.com/security/notices/USN-4960-1)
  - CVE-2021-30465: 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H


containerd
  UCS: 1.3.3-0ubuntu2 <https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/containerd/?since=4.0>
  Ubuntu: 1.6.12-0ubuntu1~20.04.3 <https://packages.ubuntu.com/source/focal/containerd>

>   * SECURITY UPDATE: Denial of service through image processing
>     - debian/patches/CVE-2023-25153.patch: limit the amount of
>       bytes read to 20Mb in images/archive/importer.go.
>   * SECURITY UPDATE: Incorrect supplementary group access control
>     - debian/patches/CVE-2023-25173.patch: ensure that primary GID
>       is included in the list of additional GIDs in oci/spec_opts.go.
>   * New upstream release.
>     - Fixes CVE-2022-23471.
>   * SECURITY UPDATE: insufficiently restricted directory permissions
>     - debian/patches/1.5-reduce-directory-permissions.patch: reduce
>       permissions for bundle dir in runtime/v1/linux/bundle.go,
>       runtime/v1/linux/bundle_test.go, runtime/v2/bundle.go,
>       runtime/v2/bundle_default.go, runtime/v2/bundle_linux.go,
>       runtime/v2/bundle_linux_test.go, runtime/v2/bundle_test.go,
>       snapshots/btrfs/btrfs.go.
>     - CVE-2021-41103
>   * New upstream release.
>     - It contains a fix for CVE-2021-21334 along with various other minor
>       issues.
>   * SECURITY UPDATE: Elevation of privilege vulnerability
>     - debian/patches/CVE-2020-15257.patch: Use path based unix socket for shims
>       and use path-based unix socket for containerd-shim.

- [containerd could be made to crash or run programs as an administrator.](https://ubuntu.com/security/notices/USN-4653-2)
  - CVE-2020-15257: 5.2 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- [The system could be made to expose sensitive information.](https://ubuntu.com/security/notices/USN-4881-1)
  - CVE-2021-21334: 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
- [containerd could be made to overwrite file permissions.](https://ubuntu.com/security/notices/USN-5012-1)
  - CVE-2021-32760: 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
- [containerd would allow unintended access to files.](https://ubuntu.com/security/notices/USN-5100-1)
  - CVE-2021-41103: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- [containerd would allow unintended access to files over the network.](https://ubuntu.com/security/notices/USN-5311-1)
  - CVE-2022-23648: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- [Several security issues were fixed in containerd.](https://ubuntu.com/security/notices/USN-5776-1)
  - CVE-2022-23471: 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  - CVE-2022-31030: 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  - CVE-2022-24769: 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  - CVE-2022-24778: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- [Several security issues were fixed in containerd.](https://ubuntu.com/security/notices/USN-6202-1)
  - CVE-2023-25153: 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  - CVE-2023-25173: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Comment 1 Philipp Hahn univentionstaff 2024-02-22 11:58:12 CET
[runc: escape container file system]

(In reply to Arvid Requate from Bug #57051 comment #0)
> * https://security-tracker.debian.org/tracker/CVE-2024-21626
> * https://ubuntu.com/security/CVE-2024-21626
Comment 2 Philipp Hahn univentionstaff 2024-02-22 11:58:16 CET
*** Bug 57051 has been marked as a duplicate of this bug. ***
Comment 4 Arvid Requate univentionstaff 2024-04-29 15:30:16 CEST
For containerd and docker.io we took the source package state from ubuntu/focal-security
just before their changes for https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/2022390

Work in ucs-patches repo:
40098bc0f | remove legacy patches             # after import of new containerd
ba7d196ea | Adjust to debhelper 12            # good patch for golang-1.18
ffcec7488 | Add builddepends on git           # useless attempt for containerd
03e62fba8 | Add builddepends on git           # useless attempt for containerd
118f7fe08 | Add builddepends on git           # useless attempt for containerd
22470f86f | Adjust patches to new upstream    # for docker.io-20.10.21
8cc3c83fa | Adjust patches to new upstream    # re-enable tests docker.io-20.10.21
385f94d7e | Workaround for Debian bug 933541  # fixing a build error for runc
f6dfc4cae | Remove builddepends on git        # remove useless attempt for containerd
779763ff5 | remove legacy patches             # after re-import of new containerd
f2b731f5b | Add patch for Debian Bug 960887   # fixing a build error of containerd
8f5da84f7 | remove legacy patches             # after import of containerd 1.6.12-0ubuntu1~20.04.3
b8c919d4e | Adjust patches to new upstream    # after import of docker.io 20.10.21-0ubuntu1~20.04.2
d70c41805 | Adjust patch to new upstream      # for docker.io
476501b2e | Re-enable patch                   # for docker.io
75518ca25 | Adjust patch to new upstream      # for docker.io
3856a8da3 | patch merged by repo-ng - from golang-1.18/ucs_5.0-0-docker
4c14e679b | patch merged by repo-ng - from dh-golang/ucs_5.0-0-docker
193dd6306 | patch merged by repo-ng - from runc/ucs_5.0-0-docker
e52b29fd3 | patch merged by repo-ng - from docker.io/ucs_5.0-0-docker

Resulting in these ucs-patches:

golang-1.18/ucs_5.0-0-errata5.0-7/1.18.1-1ubuntu1~20.04.2/01_debhelper12.patch
dh-golang/ucs_5.0-0-errata5.0-7/1.48/01_debian-bug-960887.patch
runc/ucs_5.0-0-errata5.0-7/1.1.7-0ubuntu1~20.04.2/01_dh_dwz.patch
docker.io/ucs_5.0-0-errata5.0-7/20.10.21-0ubuntu1~20.04.2/20_systemd_restart_firewall.quilt
docker.io/ucs_5.0-0-errata5.0-7/20.10.21-0ubuntu1~20.04.2/30_dont_change_FORWARD_policy.quilt
docker.io/ucs_5.0-0-errata5.0-7/20.10.21-0ubuntu1~20.04.2/31_fix-initd.patch
docker.io/ucs_5.0-0-errata5.0-7/20.10.21-0ubuntu1~20.04.2/31_fix-initd.quilt


Package: golang-1.13
Version: 1.13.8-1ubuntu1.2
Branch: ucs_5.0-0-errata5.0-7
Scope: errata5.0-7

Package: golang-1.18
Version: 1.18.1-1ubuntu1~20.04.2A~5.0.0.202404291504
Branch: ucs_5.0-0-errata5.0-7
Scope: errata5.0-7

Package: dh-golang
Version: 1.48A~5.0.0.202404291512
Branch: 5.0-0
Scope: errata5.0-7

Package: runc
Version: 1.1.7-0ubuntu1~20.04.2A~5.0.0.202404291512
Branch: 5.0-0
Scope: errata5.0-7

Package: containerd
Version: 1.6.12-0ubuntu1~20.04.3
Branch: ucs_5.0-0-errata5.0-7
Scope: errata5.0-7

Package: docker.io
Version: 20.10.21-0ubuntu1~20.04.2A~5.0.0.202404291519
Branch: ucs_5.0-0-errata5.0-7
Scope: errata5.0-7


a19a1534c7 | Advisories
Comment 5 Arvid Requate univentionstaff 2024-04-29 16:09:48 CEST
f7aa5259e | Fix docker.io/ucs_5.0-0-errata5.0-7/20.10.21-0ubuntu1~20.04.2/30_dont_change_FORWARD_policy.quilt
4c544d71f | Fix more

Package: docker.io
Version: 20.10.21-0ubuntu1~20.04.2A~5.0.0.202404291605
Branch: 5.0-0
Scope: errata5.0-7

e071d757c5 | Advisory update
Comment 6 Felix Botner univentionstaff 2024-05-03 14:37:15 CEST
* OK - packages/CVE
* OK - manual tests
* OK - autom. tests
* OK - YAML