Security update for containerd SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1081-1 Final 1 1 2021-07-23T18:06:07Z current 2021-07-23T18:06:07Z 2021-07-23T18:06:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for containerd This update for containerd fixes the following issues: - CVE-2021-32760: Fixed a bug which allows untrusted container images to change permissions in the host's filesystem. (bsc#1188282) This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1081 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JOFB4OTX7BGTKOBQF2ZTPBP4VJT54IQS/ E-Mail link for openSUSE-SU-2021:1081-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188282 SUSE Bug 1188282 https://www.suse.com/security/cve/CVE-2021-32760/ SUSE CVE CVE-2021-32760 page openSUSE Leap 15.2 containerd-1.4.4-lp152.2.9.1 containerd-ctr-1.4.4-lp152.2.9.1 containerd-1.4.4-lp152.2.9.1 as a component of openSUSE Leap 15.2 containerd-ctr-1.4.4-lp152.2.9.1 as a component of openSUSE Leap 15.2 containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host's filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files. CVE-2021-32760 openSUSE Leap 15.2:containerd-1.4.4-lp152.2.9.1 openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.9.1 low 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JOFB4OTX7BGTKOBQF2ZTPBP4VJT54IQS/ https://www.suse.com/security/cve/CVE-2021-32760.html CVE-2021-32760 https://bugzilla.suse.com/1188282 SUSE Bug 1188282