
Update module github.com/containerd/containerd to v1.6.18 [SECURITY] #456

Merged

Conversation

renovate[bot] (Contributor) commented Aug 2, 2023

Mend Renovate

This PR contains the following updates:

Package Type Update Change
github.com/containerd/containerd replace patch v1.6.15 -> v1.6.18

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-25173

Impact

A bug was found in containerd where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container.

Downstream applications that use the containerd client library may be affected as well.

Patches

This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions.

Workarounds

Ensure that the "USER $USERNAME" Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"] to allow su to properly set up supplementary groups.

References

Note that CVE IDs apply to a particular implementation, even if an issue is common.

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:

CVE-2023-25153

Impact

When importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service.

Patches

This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used and that only trusted users have permissions to import images.

Credits

The containerd project would like to thank David Korczynski and Adam Korczynski of ADA Logics for responsibly disclosing this issue in accordance with the containerd security policy during a security fuzzing audit sponsored by CNCF.

For more information

If you have any questions or comments about this advisory:

To report a security issue in containerd:


Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.6.18: containerd 1.6.18

Compare Source

Welcome to the v1.6.18 release of containerd!

The eighteenth patch release for containerd 1.6 includes fixes for CVE-2023-25153 and CVE-2023-25173 along with a security update for Go.

Notable Updates

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Akihiro Suda
  • Derek McGowan
  • Ye Sijun
  • Samuel Karp
  • Bjorn Neergaard
  • Wei Fu
  • Brian Goff
  • Iceber Gu
  • Kazuyoshi Kato
  • Phil Estes
  • Swagat Bora
Changes
24 commits

  • [release/1.6] Prepare release notes for v1.6.18 (#8118)
  • Github Security Advisory GHSA-hmfx-3pcx-653p
    • 286a01f35 oci: fix additional GIDs
    • 301823453 oci: fix loop iterator aliasing
    • 0070ab70f oci: skip checking gid for WithAppendAdditionalGroups
    • 16d52de64 refactor: reduce duplicate code
    • b45e30292 add WithAdditionalGIDs test
    • 0a06c284a add WithAppendAdditionalGroups helper
  • Github Security Advisory GHSA-259w-8hf6-59c2
    • 84936fd1f importer: stream oci-layout and manifest.json
  • [1.6] Add fallback for windows platforms without osversion (#8106)
    • b327af6a4 Add fallback for windows platforms without osversion
  • [release/1.6] Go 1.19.6 (#8111)
  • [release/1.6] ctr/run: flags --detach and --rm cannot be specified together (#8094)
    • 2b4b35ab4 ctr/run: flags --detach and --rm cannot be specified together
  • [release/1.6] Fix retry logic within devmapper device deactivation (#8088)
    • d5284157b Fix retry logic within devmapper device deactivation
  • [release/1.6 backport] Revert apparmor_parser regression (#8087)
    • 624ff636b pkg/apparmor: clarify Godoc
    • 3a0a35b36 Revert "Don't check for apparmor_parser to be present"
  • [release/1.6] CI: skip some jobs when repo != containerd/containerd (#8083)
    • 664a938a3 CI: skip some jobs when repo != containerd/containerd

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.17

v1.6.17: containerd 1.6.17

Compare Source

Welcome to the v1.6.17 release of containerd!

The seventeenth patch release for containerd 1.6 includes various updates.

Notable Updates
  • Add network plugin metrics (#8018)
  • Update mkdir permission on /etc/cni to 0755 instead of 0700 (#8030)
  • Export remote snapshotter label handler (#8054)
  • Add support for default hosts.toml configuration (#8065)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Derek McGowan
  • Akihiro Suda
  • Jess
  • Antonio Ojea
  • Kohei Tokunaga
  • Phil Estes
  • Wei Fu
Changes
11 commits

  • [release/1.6] Prepare release notes for v1.6.17 (#8080)
    • a1aa9b900 Prepare release notes for v1.6.17
  • [1.6] Backport default registry hosts config (#8065)
  • [release/1.6 backport] Export remote snapshotter label handler (#8054)
    • a6544ed7d Export remote snapshotter label handler
  • [release/1.6] cri: mkdir /etc/cni with 0755, not 0700 (#8030)
    • ae02a24a3 cri: mkdir /etc/cni with 0755, not 0700
  • [release/1.6] add network plugin metrics (#8018)

Dependency Changes

This release has no dependency changes

Previous release can be found at v1.6.16

v1.6.16: containerd 1.6.16

Compare Source

Welcome to the v1.6.16 release of containerd!

The sixteenth patch release for containerd 1.6 includes various bug fixes and updates.

Notable Updates
  • Fix push error propagation (#7990)
  • Fix slice append error with HugepageLimits for Linux (#7995)
  • Update default seccomp profile for PKU and CAP_SYS_NICE (#8001)
  • Fix overlayfs error when upperdirlabel option is set (#8002)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors
  • Akihiro Suda
  • Derek McGowan
  • Samuel Karp
  • Sebastiaan van Stijn
  • Phil Estes
  • Craig Ingram
  • Justin Chadwell
  • Qasim Sarfraz
  • Wei Fu
  • bin liu
  • cardy.tang
  • rongfu.leng
Changes
30 commits

  • [release/1.6] Prepare v1.6.16 (#8016)
    • d3c595aa3 Prepare release notes for v1.6.16
  • [release/1.6 backport] Fix tx closed error when upperdirlabel specified (#8002)
    • 8c704036a Fix tx closed error when upperdirlabel specified
  • [release/1.6 backport] assorted test-fixes (#8000)
    • 91a68edd7 cri: Fix TestUpdateOCILinuxResource for host w/o swap controller
    • 5594f706e Fix TestUpdateContainerResources_Memory* on cgroup v2 hosts
  • [release/1.6 backport] seccomp updates (#8001)
    • 7037f5313 seccomp: add get_mempolicy, mbind, set_mempolicy, with CAP_SYS_NICE
    • d22919a1c seccomp: seccomp: add syscalls related to PKU in default policy
  • [release/1.6 backport] Harden GITHUB_TOKEN permissions (#7999)
  • [release/1.6 backport] assorted updates to Vagrantfile (#7996)
    • 8009948bb Vagrantfile: fix comments about SELinux
    • 550424f92 Vagrantfile: install-rootless-podman: remove setenforce 0
    • 2c32f8559 CI: update Fedora to 37
    • 556bb0cc8 Vagrantfile: explicitly specify rsync as the shared folder driver
    • edfac1834 fix install cni script
    • 91d5e53fb Vagrantfile: dump containerd log after critest
  • [release/1.6 backport] Fix slice append error (#7995)
  • [release/1.6] update to go1.18.10 (#7992)
    • 6a8a6531f [release/1.6] update to go1.18.10
  • [release/1.6 backport] release/Dockerfile: set DEBIAN_FRONTEND=noninteractive (#7991)
    • d0dc7988a release/Dockerfile: set DEBIAN_FRONTEND=noninteractive
  • [release/1.6 backport] pushWriter: correctly propagate errors (#7990)
    • 1584c2581 pushWriter: correctly propagate errors
  • [release/1.6] mod: update github.com/pelletier/go-toml@v1.9.5 (#7942)
    • 545f22091 mod: update github.com/pelletier/go-toml@v1.9.5

Dependency Changes
  • github.com/pelletier/go-toml v1.9.3 -> v1.9.5

Previous release can be found at v1.6.15


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
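A practical way to verify the CVE-2023-25173 fix (or the `su - user` workaround from the advisory above) is to run `id -G` inside the container and compare it against the group set that initgroups semantics would produce from the image's /etc/passwd and /etc/group: the primary GID plus every group whose member list names the user. The Go program below does that comparison. It is an added example written for this page, not containerd's own code; the passwd/group contents and the `id -G` line are constructed sample data, and the function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed /etc/passwd and /etc/group contents standing in for an image's
// files; sample data for this example, not taken from any real image.
const samplePasswd = `root:x:0:0:root:/root:/bin/sh
app:x:1000:1000:app:/home/app:/bin/sh
`

const sampleGroup = `root:x:0:
wheel:x:10:root
app:x:1000:
audio:x:29:app,root
video:x:44:app
`

// ExpectedGIDs returns the sorted group set a correctly initialised process
// for user should have: the primary GID from passwd plus every group whose
// member list names the user (initgroups(3) semantics, which is what the
// advisory's `su - user` workaround relies on).
func ExpectedGIDs(passwd, group, user string) ([]int, error) {
	set := map[int]struct{}{}
	found := false
	for _, line := range strings.Split(passwd, "\n") {
		f := strings.Split(line, ":") // name:passwd:uid:gid:...
		if len(f) < 4 || f[0] != user {
			continue
		}
		gid, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("bad primary gid for %q: %w", user, err)
		}
		set[gid] = struct{}{}
		found = true
		break
	}
	if !found {
		return nil, fmt.Errorf("user %q not found in passwd", user)
	}
	sc := bufio.NewScanner(strings.NewReader(group))
	for sc.Scan() {
		f := strings.Split(sc.Text(), ":") // name:passwd:gid:member,member
		if len(f) < 4 {
			continue
		}
		for _, m := range strings.Split(f[3], ",") {
			if m != user {
				continue
			}
			gid, err := strconv.Atoi(f[2])
			if err != nil {
				return nil, fmt.Errorf("bad gid in group line %q: %w", sc.Text(), err)
			}
			set[gid] = struct{}{}
		}
	}
	out := make([]int, 0, len(set))
	for g := range set {
		out = append(out, g)
	}
	sort.Ints(out)
	return out, nil
}

// UnexpectedGIDs parses `id -G` output captured inside the container and
// returns, sorted, every GID that is not in expected. A non-empty result
// (a leftover 0, for instance) means the process did not get the group set
// initgroups would have given it.
func UnexpectedGIDs(idOutput string, expected []int) ([]int, error) {
	want := make(map[int]bool, len(expected))
	for _, g := range expected {
		want[g] = true
	}
	extra := []int{}
	for _, tok := range strings.Fields(idOutput) {
		g, err := strconv.Atoi(tok)
		if err != nil {
			return nil, fmt.Errorf("unexpected token %q in id -G output: %w", tok, err)
		}
		if !want[g] {
			extra = append(extra, g)
		}
	}
	sort.Ints(extra)
	return extra, nil
}

func main() {
	exp, err := ExpectedGIDs(samplePasswd, sampleGroup, "app")
	if err != nil {
		panic(err)
	}
	fmt.Println("expected gids for app:", exp)
	// Constructed `id -G` line for a process that kept GID 0 after switching user.
	extra, err := UnexpectedGIDs("1000 0 29 44", exp)
	if err != nil {
		panic(err)
	}
	fmt.Println("unexpected gids:", extra)
}
```

Run `id -G` as the container's process user (for example with `ctr task exec` or `docker exec`) and feed the line to UnexpectedGIDs; an empty result is what a patched containerd, or the `su` entrypoint, should give. Note that the check only covers what /etc/group grants; groups added through the image config or runtime spec still need to be accounted for separately.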

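The CVE-2023-25153 advisory above describes an importer that read certain metadata files from an OCI image archive with no byte limit, so a crafted tarball with an oversized oci-layout or manifest.json could exhaust memory. The program below shows the bounded-read shape of the defence: it walks an image tarball, reads only the small metadata entries, and refuses any that exceed a cap instead of buffering them. This is an added example for this page, not the containerd importer (whose fix commit is titled "importer: stream oci-layout and manifest.json"); the MaxMetadataBytes limit, the metadataFiles set and the in-memory archives are assumptions constructed for the demo.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// MaxMetadataBytes is an assumed cap for small metadata entries such as
// oci-layout and manifest.json; containerd's own behaviour may differ.
const MaxMetadataBytes = 1 << 20

var ErrMetadataTooLarge = errors.New("metadata entry exceeds size limit")

// metadataFiles are the archive entries an importer parses in full. Layer
// blobs are deliberately absent: they must be streamed, never buffered.
var metadataFiles = map[string]bool{
	"oci-layout":    true,
	"manifest.json": true,
	"index.json":    true,
}

// readBounded reads at most limit bytes from r. Reading limit+1 bytes lets
// it distinguish "exactly at the limit" from "too large" without ever
// buffering more than limit+1 bytes, whatever the tar header claims.
func readBounded(r io.Reader, limit int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > limit {
		return nil, ErrMetadataTooLarge
	}
	return buf, nil
}

// ScanImageArchive walks an OCI image tarball and returns the metadata
// entries it contains, failing on any entry larger than MaxMetadataBytes.
func ScanImageArchive(r io.Reader) (map[string][]byte, error) {
	tr := tar.NewReader(r)
	out := map[string][]byte{}
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		if !metadataFiles[hdr.Name] {
			continue // skipped by the tar reader, not read into memory
		}
		data, err := readBounded(tr, MaxMetadataBytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", hdr.Name, err)
		}
		out[hdr.Name] = data
	}
}

// buildArchive writes an in-memory tarball from constructed entries.
func buildArchive(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, data := range entries {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(data))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(data); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed archive with a manifest.json one byte over the cap.
	bad := buildArchive(map[string][]byte{
		"oci-layout":    []byte(`{"imageLayoutVersion":"1.0.0"}`),
		"manifest.json": make([]byte, MaxMetadataBytes+1),
	})
	_, err := ScanImageArchive(bytes.NewReader(bad))
	fmt.Println("oversized manifest:", err)
}
```

The cap applies per entry, and the tar reader never hands back more than the entry's declared size, so a header that lies about Size either truncates (io.ErrUnexpectedEOF) or trips the limit; neither path allocates beyond limit+1 bytes. The advisory's workaround, restricting who may import images, still matters because a bounded parser does not protect against a trusted-but-compromised import path.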
@renovate renovate bot requested a review from a team as a code owner August 2, 2023 08:29
@renovate renovate bot added dependencies Pull requests that update a dependency file renovate PR created by RenovateBot labels Aug 2, 2023
@uvegla uvegla merged commit 3d8bb92 into master Aug 2, 2023
2 checks passed
@uvegla uvegla deleted the renovate/go-github.com/containerd/containerd-vulnerability branch August 2, 2023 13:22