New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
containerd: 1.4.2 -> 1.4.3 #105595
containerd: 1.4.2 -> 1.4.3 #105595
Conversation
Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. Fixes: CVE-2020-15257
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 🐯
@@ -4,15 +4,15 @@ with lib; | |||
|
|||
buildGoPackage rec { | |||
pname = "containerd"; | |||
version = "1.4.2"; | |||
version = "1.4.3"; | |||
# git commit for the above version's tag | |||
commit = "7ad184331fa3e55e52b890ea95e65ba581ae3429"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be changed if the version is changing?
If this is unused, should be removed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is passed into buildFlags, so yeah, this probably should've been updated. Will push a fix asap.
❯ ./bin/containerd -v
containerd github.com/containerd/containerd v1.4.3 7ad184331fa3e55e52b890ea95e65ba581ae3429
This is clearly wrong now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed in 2d55b8d
Result of 14 packages built:
|
1 similar comment
Result of 14 packages built:
|
Was backported in 3276ff5. |
Motivation for this change
Access controls for the shim’s API socket verified that the connecting
process had an effective UID of 0, but did not otherwise restrict
access to the abstract Unix domain socket. This would allow malicious
containers running in the same network namespace as the shim, with an
effective UID of 0 but otherwise reduced privileges, to cause new
processes to be run with elevated privileges.
Fixes: CVE-2020-15257
https://www.openwall.com/lists/oss-security/2020/11/30/6
GHSA-36xw-fx78-c5r4
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)