Univention Bugzilla – Bug 56457
docker.io, containerd, runc, golang-1.13: Multiple issues (5.0)
Last modified: 2024-05-08 12:38:00 CEST
golang-1.13 (build dependency)
UCS: 1.13.8-1ubuntu1 <https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/golang-1.13/?since=4.0>
Ubuntu: 1.13.8-1ubuntu1.1 <https://packages.ubuntu.com/source/focal/golang-1.13>
> * SECURITY UPDATE: Infinite read loop via invalid inputs
>   - debian/patches/CVE-2020-16845.patch: ensure that ReadUvarint
>     reads a limited amount of data in src/encoding/binary/varint.go.
- [Go applications could be made to hang or crash if they received specially crafted input.](https://ubuntu.com/security/notices/USN-5725-2)
  - CVE-2020-16845: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

golang-defaults (build dependency)
UCS: 2:1.13~1ubuntu2 <https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/golang-defaults/?since=4.0>
Ubuntu: 2.1.13~1ubuntu2 <https://packages.ubuntu.com/source/focal/golang-defaults>

docker.io
UCS: 19.03.8-0ubuntu1.20.04.1 <https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/docker.io/?since=4.0>
Ubuntu: 20.10.21-0ubuntu1~20.04.2 <https://packages.ubuntu.com/source/focal/docker.io>
> - Among new features and bug fixes, the CVE-2021-21284 and CVE-2021-21285
>   were addressed.
> * SECURITY UPDATE: insufficiently restricted directory permissions
>   - d/p/CVE-2021-41091.patch: Lock down docker root dir perms.
> * SECURITY UPDATE: permissions modifications outside of install directory
>   - d/p/CVE-2021-41089.patch: chrootarchive: don't create parent dirs
>     outside of chroot.
> * SECURITY UPDATE: docker cli information disclosure on misconfiguration
>   - d/p/CVE-2021-41092.patch: Ensure that default authentication config
>     has an address.
- [This update provides a new upstream version.](https://ubuntu.com/security/notices/USN-5032-2)
  - CVE-2021-21284: 6.8 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
  - CVE-2021-21285: 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- [Docker could be made to adjust the permissions of files.](https://ubuntu.com/security/notices/USN-5103-1)
  - CVE-2021-41089: 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
  - CVE-2021-41091: 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
- [Docker could be made to expose sensitive information over the network.](https://ubuntu.com/security/notices/USN-5134-1)
  - CVE-2021-41092: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

runc
UCS: 1.0.0~rc10-0ubuntu1 <https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/runc/?since=4.0>
Ubuntu: 1.1.4-0ubuntu1~20.04.3 <https://packages.ubuntu.com/source/focal/runc>
> * SECURITY UPDATE: Incorrect access control through /sys/fs/cgroup
>   - debian/patches/CVE-2023-25809.patch: apply MS_RDONLY if
>     /sys/fs/cgroup is bind-mounted or mask if bind source is unavailable
>     in libcontainer/rootfs_linux.go.
> * SECURITY UPDATE: Incorrect access control through /proc and /sys
>   - debian/patches/CVE-2023-27561_CVE-2023-28642.patch: Prohibit /proc and
>     /sys to be symlinks in libcontainer/rootfs_linux.go.
> * SECURITY UPDATE: symlink exchange attack
>   - debian/patches/CVE-2021-30465/*.patch: upstream patches to add mount
>     destination validation.
- [Several security issues were fixed in runC](https://ubuntu.com/security/notices/USN-6088-1)
  - CVE-2023-25809: 6.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
  - CVE-2023-27561: 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  - CVE-2023-28642: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- [runC could be made to overwrite files as the administrator.](https://ubuntu.com/security/notices/USN-4960-1)
  - CVE-2021-30465: 8.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

containerd
UCS: 1.3.3-0ubuntu2 <https://univention-dist-binpkg-webgui.k8s.knut.univention.de/source/containerd/?since=4.0>
Ubuntu: 1.6.12-0ubuntu1~20.04.3 <https://packages.ubuntu.com/source/focal/containerd>
> * SECURITY UPDATE: Denial of service through image processing
>   - debian/patches/CVE-2023-25153.patch: limit the amount of
>     bytes read to 20Mb in images/archive/importer.go.
> * SECURITY UPDATE: Incorrect supplementary group access control
>   - debian/patches/CVE-2023-25173.patch: ensure that primary GID
>     is included in the list of additionals GIDs in oci/spec_opts.go.
> * New upstream release.
>   - Fixes CVE-2022-23471.
> * SECURITY UPDATE: insufficiently restricted directory permissions
>   - debian/patches/1.5-reduce-directory-permissions.patch: reduce
>     permissions for bundle dir in runtime/v1/linux/bundle.go,
>     runtime/v1/linux/bundle_test.go, runtime/v2/bundle.go,
>     runtime/v2/bundle_default.go, runtime/v2/bundle_linux.go,
>     runtime/v2/bundle_linux_test.go, runtime/v2/bundle_test.go,
>     snapshots/btrfs/btrfs.go.
>   - CVE-2021-41103
> * New upstream release.
>   - It contains a fix for CVE-2021-21334 along with various other minor
>     issues.
> * SECURITY UPDATE: Elevation of privilege vulnerability
>   - debian/patches/CVE-2020-15257.patch: Use path based unix socket for shims
>     and use path-based unix socket for containerd-shim.
- [containerd could be made to crash or run programs as an administrator.](https://ubuntu.com/security/notices/USN-4653-2)
  - CVE-2020-15257: 5.2 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
- [The system could be made to expose sensitive information.](https://ubuntu.com/security/notices/USN-4881-1)
  - CVE-2021-21334: 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
- [containerd could be made to overwrite file permissions.](https://ubuntu.com/security/notices/USN-5012-1)
  - CVE-2021-32760: 6.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
- [containerd would allow unintended access to files.](https://ubuntu.com/security/notices/USN-5100-1)
  - CVE-2021-41103: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- [containerd would allow unintended access to files over the network.](https://ubuntu.com/security/notices/USN-5311-1)
  - CVE-2022-23648: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- [Several security issues were fixed in containerd.](https://ubuntu.com/security/notices/USN-5776-1)
  - CVE-2022-23471: 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  - CVE-2022-31030: 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  - CVE-2022-24769: 5.9 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  - CVE-2022-24778: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- [Several security issues were fixed in containerd.](https://ubuntu.com/security/notices/USN-6202-1)
  - CVE-2023-25153: 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  - CVE-2023-25173: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
[runc: escape container file system]
(In reply to Arvid Requate from Bug #57051 comment #0)
> * https://security-tracker.debian.org/tracker/CVE-2024-21626
> * https://ubuntu.com/security/CVE-2024-21626
*** Bug 57051 has been marked as a duplicate of this bug. ***
For containerd and docker.io we took the source package state from ubuntu/focal-security just before their changes for https://bugs.launchpad.net/ubuntu/+source/docker.io/+bug/2022390

Work in ucs-patches repo:
40098bc0f | remove legacy patches            # after import of new containerd
ba7d196ea | Adjust to debhelper 12           # good patch for golang-1.18
ffcec7488 | Add builddepends on git          # useless attempt for containerd
03e62fba8 | Add builddepends on git          # useless attempt for containerd
118f7fe08 | Add builddepends on git          # useless attempt for containerd
22470f86f | Adjust patches to new upstream   # for docker.io-20.10.21
8cc3c83fa | Adjust patches to new upstream   # re-enable tests docker.io-20.10.21
385f94d7e | Workaround for Debian bug 933541 # fixing a build error for runc
f6dfc4cae | Remove builddepends on git       # remove useless attempt for containerd
779763ff5 | remove legacy patches            # after re-import of new containerd
f2b731f5b | Add patch for Debian Bug 960887  # fixing a build error of containerd
8f5da84f7 | remove legacy patches            # after import of containerd 1.6.12-0ubuntu1~20.04.3
b8c919d4e | Adjust patches to new upstream   # after import of docker.io 20.10.21-0ubuntu1~20.04.2
d70c41805 | Adjust patch to new upstream     # for docker.io
476501b2e | Re-enable patch                  # for docker.io
75518ca25 | Adjust patch to new upstream     # for docker.io
3856a8da3 | patch merged by repo-ng - from golang-1.18/ucs_5.0-0-docker
4c14e679b | patch merged by repo-ng - from dh-golang/ucs_5.0-0-docker
193dd6306 | patch merged by repo-ng - from runc/ucs_5.0-0-docker
e52b29fd3 | patch merged by repo-ng - from docker.io/ucs_5.0-0-docker

Resulting in these ucs-patches:
golang-1.18/ucs_5.0-0-errata5.0-7/1.18.1-1ubuntu1~20.04.2/01_debhelper12.patch
dh-golang/ucs_5.0-0-errata5.0-7/1.48/01_debian-bug-960887.patch
runc/ucs_5.0-0-errata5.0-7/1.1.7-0ubuntu1~20.04.2/01_dh_dwz.patch
docker.io/ucs_5.0-0-errata5.0-7/20.10.21-0ubuntu1~20.04.2/20_systemd_restart_firewall.quilt
docker.io/ucs_5.0-0-errata5.0-7/20.10.21-0ubuntu1~20.04.2/30_dont_change_FORWARD_policy.quilt
docker.io/ucs_5.0-0-errata5.0-7/20.10.21-0ubuntu1~20.04.2/31_fix-initd.patch
docker.io/ucs_5.0-0-errata5.0-7/20.10.21-0ubuntu1~20.04.2/31_fix-initd.quilt

Package: golang-1.13
Version: 1.13.8-1ubuntu1.2
Branch: ucs_5.0-0-errata5.0-7
Scope: errata5.0-7

Package: golang-1.18
Version: 1.18.1-1ubuntu1~20.04.2A~5.0.0.202404291504
Branch: ucs_5.0-0-errata5.0-7
Scope: errata5.0-7

Package: dh-golang
Version: 1.48A~5.0.0.202404291512
Branch: 5.0-0
Scope: errata5.0-7

Package: runc
Version: 1.1.7-0ubuntu1~20.04.2A~5.0.0.202404291512
Branch: 5.0-0
Scope: errata5.0-7

Package: containerd
Version: 1.6.12-0ubuntu1~20.04.3
Branch: ucs_5.0-0-errata5.0-7
Scope: errata5.0-7

Package: docker.io
Version: 20.10.21-0ubuntu1~20.04.2A~5.0.0.202404291519
Branch: ucs_5.0-0-errata5.0-7
Scope: errata5.0-7

a19a1534c7 | Advisories

f7aa5259e | Fix docker.io/ucs_5.0-0-errata5.0-7/20.10.21-0ubuntu1~20.04.2/30_dont_change_FORWARD_policy.quilt
4c544d71f | Fix more

Package: docker.io
Version: 20.10.21-0ubuntu1~20.04.2A~5.0.0.202404291605
Branch: 5.0-0
Scope: errata5.0-7

e071d757c5 | Advisory update
* OK - packages/CVE
* OK - manual tests
* OK - autom. tests
* OK - YAML
<https://errata.software-univention.de/#/?erratum=5.0x1039>
<https://errata.software-univention.de/#/?erratum=5.0x1040>
<https://errata.software-univention.de/#/?erratum=5.0x1041>
<https://errata.software-univention.de/#/?erratum=5.0x1042>
<https://errata.software-univention.de/#/?erratum=5.0x1043>
<https://errata.software-univention.de/#/?erratum=5.0x1044>