MGASA-2021-0484 - Updated docker-containerd packages fix security vulnerability

Publication date: 23 Oct 2021
URL: https://advisories.mageia.org/MGASA-2021-0484.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-32760,
     CVE-2021-41103

A bug was found in containerd where pulling and extracting a
specially-crafted container image can result in Unix file permission
changes for existing files in the host’s filesystem. Changes to file
permissions can deny access to the expected owner of the file, widen
access to others, or set extended bits like setuid, setgid, and sticky.
This bug does not directly allow files to be read, modified, or executed
without an additional cooperating process.

References:
- https://bugs.mageia.org/show_bug.cgi?id=29268
- https://github.com/containerd/containerd/security/advisories/GHSA-c72p-9xmj-rx3w
- https://ubuntu.com/security/notices/USN-5012-1
- https://lists.opensuse.org/archives/list/[email protected]/thread/KOVJMTDKAFMTONFNVO7Z327OFE52V7FK/
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/DDMNDPJJTP3J5GOEDB66F6MGXUTRG3Y3/
- https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq
- https://ubuntu.com/security/notices/USN-5100-1
- https://lists.suse.com/pipermail/sle-security-updates/2021-October/009566.html
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/M7ZZTABKTSJ5DYVDIQ7CVZG5HABGM2EC/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41103

SRPMS:
- 8/core/docker-containerd-1.5.7-1.mga8