From 3ec002a7accc8e79fb3a80f82795f6a061058eee Mon Sep 17 00:00:00 2001
From: Lokesh Mandvekar
Date: Tue, 5 Oct 2021 09:42:10 -0400
Subject: [PATCH 1/2] Bump containerd to v1.5.7

Fixes: GHSA-c2h3-6mxw-7mvq
Vulnerable versions: >= 1.5.0, < 1.5.7
Patched version: 1.5.7

`Impact`
A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files.

`Patches`
This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability.

`Workarounds`
Limit access to the host to trusted users. Update directory permission on container bundles directories.

Signed-off-by: Lokesh Mandvekar
---
 go.mod             | 2 +-
 go.sum             | 4 +++-
 vendor/modules.txt | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 1a3c3e43454..471077c5bd4 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/containers/buildah
 go 1.13
 
 require (
-	github.com/containerd/containerd v1.5.5
+	github.com/containerd/containerd v1.5.7
 	github.com/containernetworking/cni v0.8.1
 	github.com/containers/common v0.44.2
 	github.com/containers/image/v5 v5.16.0
diff --git a/go.sum b/go.sum
index 4fe329c5d85..f07ebf19e78 100644
--- a/go.sum
+++ b/go.sum
@@ -77,6 +77,7 @@ github.com/Microsoft/hcsshim v0.8.15/go.mod h1:x38A4YbHbdxJtc0sF6oIz+RG0npwSCAvn
 github.com/Microsoft/hcsshim v0.8.16/go.mod h1:o5/SZqmR7x9JNKsW3pu+nqHm0MF8vbA+VxGOoXdC600=
 github.com/Microsoft/hcsshim v0.8.18/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
 github.com/Microsoft/hcsshim v0.8.20/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
+github.com/Microsoft/hcsshim v0.8.21/go.mod h1:+w2gRZ5ReXQhFOrvSQeNfhrYB/dg3oDwTOcER2fw4I4=
 github.com/Microsoft/hcsshim v0.8.22 h1:CulZ3GW8sNJExknToo+RWD+U+6ZM5kkNfuxywSDPd08=
 github.com/Microsoft/hcsshim v0.8.22/go.mod h1:91uVCVzvX2QD16sMCenoxxXo6L1wJnLMX2PSufFMtF0=
 github.com/Microsoft/hcsshim/test v0.0.0-20201218223536-d3e5debf77da/go.mod h1:5hlzMzRKMLyo42nCZ9oml8AdTlq/0cvIaBv6tK1RehU=
@@ -178,8 +179,9 @@ github.com/containerd/containerd v1.5.0-beta.3/go.mod h1:/wr9AVtEM7x9c+n0+stptlo
 github.com/containerd/containerd v1.5.0-beta.4/go.mod h1:GmdgZd2zA2GYIBZ0w09ZvgqEq8EfBp/m3lcVZIvPHhI=
 github.com/containerd/containerd v1.5.0-rc.0/go.mod h1:V/IXoMqNGgBlabz3tHD2TWDoTJseu1FGOKuoA4nNb2s=
 github.com/containerd/containerd v1.5.1/go.mod h1:0DOxVqwDy2iZvrZp2JUx/E+hS0UNTVn7dJnIOwtYR4g=
-github.com/containerd/containerd v1.5.5 h1:q1gxsZsGZ8ddVe98yO6pR21b5xQSMiR61lD0W96pgQo=
 github.com/containerd/containerd v1.5.5/go.mod h1:oSTh0QpT1w6jYcGmbiSbxv9OSQYaa88mPyWIuU79zyo=
+github.com/containerd/containerd v1.5.7 h1:rQyoYtj4KddB3bxG6SAqd4+08gePNyJjRqvOIfV3rkM=
+github.com/containerd/containerd v1.5.7/go.mod h1:gyvv6+ugqY25TiXxcZC3L5yOeYgEw0QMhscqVp1AR9c=
 github.com/containerd/continuity v0.0.0-20190426062206-aaeac12a7ffc/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20190815185530-f2a389ac0a02/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
 github.com/containerd/continuity v0.0.0-20191127005431-f65d91d395eb/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c0ad85bc481..24497629c76 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -47,7 +47,7 @@ github.com/cespare/xxhash/v2
 github.com/chzyer/readline
 # github.com/containerd/cgroups v1.0.1
 github.com/containerd/cgroups/stats/v1
-# github.com/containerd/containerd v1.5.5
+# github.com/containerd/containerd v1.5.7
 github.com/containerd/containerd/errdefs
 github.com/containerd/containerd/log
 github.com/containerd/containerd/pkg/userns

From 11ad7951fef7411b88f79c620a7e1d36b377119e Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 24 Jan 2022 14:46:47 -0500
Subject: [PATCH 2/2] Bump to v1.23.2

Signed-off-by: Nalin Dahyabhai
---
 CHANGELOG.md             | 8 ++++++++
 changelog.txt            | 7 +++++++
 contrib/rpm/buildah.spec | 9 ++++++++-
 define/types.go          | 2 +-
 4 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 685c4f4d36a..2f23473b673 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,14 @@
 
 # Changelog
 
+## v1.23.2 (2022-01-24)
+
+    Bump containerd to v1.5.7
+    copier: RemoveAll possibly-directories
+    copier.Put: check for is-not-a-directory using lstat, not stat
+    Cirrus: Reduce CI tasks to releive (sic) maint. burden
+    Backport PR #3562: Cirrus: Fix defunct package metadata breaking cache
+
 ## v1.23.1 (2021-09-27)
 
     Vendor containers/common v0.44.2
diff --git a/changelog.txt b/changelog.txt
index 8926b2e6f37..63c920e59d0 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -1,3 +1,10 @@
+- Changelog for v1.23.2 (2022-01-24)
+  * Bump containerd to v1.5.7
+  * copier: RemoveAll possibly-directories
+  * copier.Put: check for is-not-a-directory using lstat, not stat
+  * Cirrus: Reduce CI tasks to releive (sic) maint. burden
+  * Backport PR #3562: Cirrus: Fix defunct package metadata breaking cache
+
 - Changelog for v1.23.1 (2021-09-27)
   * Vendor containers/common v0.44.2
   * post-1.23 branch fixups
diff --git a/contrib/rpm/buildah.spec b/contrib/rpm/buildah.spec
index 79ed573b1af..52d53116442 100644
--- a/contrib/rpm/buildah.spec
+++ b/contrib/rpm/buildah.spec
@@ -26,7 +26,7 @@ Name: buildah
 # Bump version in define/types.go too
-Version: 1.23.1
+Version: 1.23.2
 Release: 1.git%{shortcommit}%{?dist}
 Summary: A command line tool used to creating OCI Images
 License: ASL 2.0
@@ -100,6 +100,13 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %{_datadir}/bash-completion/completions/*
 
 %changelog
+* Mon Jan 24, 2022 Nalin Dahyabhai 1.23.2-1
+- Bump containerd to v1.5.7
+- copier: RemoveAll possibly-directories
+- copier.Put: check for is-not-a-directory using lstat, not stat
+- Cirrus: Reduce CI tasks to releive (sic) maint. burden
+- Backport PR #3562: Cirrus: Fix defunct package metadata breaking cache
+
 * Mon Sep 27, 2021 Ashley Cui 1.23.1-1
 - Vendor containers/common v0.44.2
 - post-1.23 branch fixups
diff --git a/define/types.go b/define/types.go
index 4f3ebf01a49..1bd0c067f13 100644
--- a/define/types.go
+++ b/define/types.go
@@ -29,7 +29,7 @@ const (
 	Package = "buildah"
 	// Version for the Package. Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.23.1"
+	Version = "1.23.2"
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"