x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-259w-8hf6-59c2

[GoVulnBot]

In GitHub Security Advisory GHSA-259w-8hf6-59c2, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/containerd/containerd	1.6.18	>= 1.6.0, < 1.6.18

Cross references:

• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-43816 #278 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-23648 #344 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-31030 #482 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd/cmd: GHSA-36xw-fx78-c5r4 #784 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-742w-89gc-8m9c #803 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-32760, GHSA-c72p-9xmj-rx3w #921 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-41103, GHSA-c2h3-6mxw-7mvq #938 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-23471 #1147 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/containerd/containerd
    versions:
      - introduced: 1.6.0
        fixed: 1.6.18
    packages:
      - package: github.com/containerd/containerd
  - module: github.com/containerd/containerd
    versions:
      - introduced: TODO (earliest fixed "1.5.18", vuln range "<= 1.5.17")
    packages:
      - package: github.com/containerd/containerd
description: "### Impact\n\nWhen importing an OCI image, there was no limit on the
    number of bytes read for certain files. A maliciously crafted image with a large
    file where a limit was not applied could cause a denial of service.\n\n### Patches\n\nThis
    bug has been fixed in containerd 1.6.18 and 1.5.18.  Users should update to these
    versions to resolve the issue.\n\n### Workarounds\n\nEnsure that only trusted
    images are used and that only trusted users have permissions to import images.
    \n\n### Credits\n\nThe containerd project would like to thank [David Korczynski](https://github.com/DavidKorczynski)
    and [Adam Korczynski](https://github.com/AdamKorcz) of ADA Logics for responsibly
    disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md)
    during a security fuzzing audit sponsored by CNCF.\n\n### For more information\n\nIf
    you have any questions or comments about this advisory:\n\n* Open an issue in
    [containerd](https://github.com/containerd/containerd/issues/new/choose)\n* Email
    us at [security@containerd.io](mailto:security@containerd.io)\n\nTo report a security
    issue in containerd:\n* [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new)\n*
    Email us at [security@containerd.io](mailto:security@containerd.io)"
cves:
  - CVE-2023-25153
ghsas:
  - GHSA-259w-8hf6-59c2
references:
  - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2
  - advisory: https://github.com/advisories/GHSA-259w-8hf6-59c2

[gopherbot]

Change https://go.dev/cl/468995 mentions this issue: data/reports: add GO-2023-1573.yaml

[gopherbot]

Change https://go.dev/cl/607456 mentions this issue: data/reports: update 6 reports