container-tools:4.0 security and bug fix update

エラータID: AXSA:2022-4429:01

Release date: 
Wednesday, December 14, 2022 - 10:37
Subject: 
container-tools:4.0 security and bug fix update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
Moderate
Description: 

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

Security Fix(es):

* cri-o: memory exhaustion on the node when access to the kube api (CVE-2022-1708)
* golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)
* runc: incorrect handling of inheritable capabilities (CVE-2022-29162)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2022-1708
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
CVE-2022-27191
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
CVE-2022-29162
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.

Modularity name: container-tools
Stream name: 4.0

Solution: 

Update packages.

CVEs: 
CVE-2022-1708
A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability.
CVE-2022-27191
The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.
CVE-2022-29162
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.
Additional Info: 

N/A

Download: 

SRPMS
  1. buildah-1.24.5-2.module+el8+1552+7eded6b9.src.rpm
    MD5: 5c2c4fad372c1b40802154ecb0545900
    SHA-256: eb6e54f26824e8f9030a5cddb8123373ef49c4f8777df02aa8e12f172d60e92c
    Size: 13.27 MB
  2. cockpit-podman-46-1.module+el8+1552+7eded6b9.src.rpm
    MD5: e83394d8bf221fbf174dcceabf69261c
    SHA-256: a097af4e69db11eeb92aa490993a77bd4889f84a9d82209c19ee4ecad3e85398
    Size: 738.04 kB
  3. conmon-2.1.4-1.module+el8+1552+7eded6b9.src.rpm
    MD5: a5ca841155fbff46d67d48e15bd2d038
    SHA-256: c86bf78802e629d4a98e2b15011ece7d7c97a5b0b0c92a4ce67b42387a37e72d
    Size: 171.06 kB
  4. containernetworking-plugins-1.1.1-2.module+el8+1552+7eded6b9.src.rpm
    MD5: 36078deded54f255f2fd326cb9c40db0
    SHA-256: 88e16f53f21eaa7c7ece66de6fd273f0672f7682b19295f8122be09feaffd3d6
    Size: 2.80 MB
  5. containers-common-1-35.module+el8+1552+7eded6b9.src.rpm
    MD5: 406feb31636d986bc98bf0b2c7df8f61
    SHA-256: 5d786511bdb0bc423902fe8949a99f2aa08fead23be897fa5308aba44f5717b8
    Size: 42.42 MB
  6. container-selinux-2.189.0-1.module+el8+1552+7eded6b9.src.rpm
    MD5: 70aa9bd16436c66c839740eaa9381425
    SHA-256: ce457f5e20d59cf6c395954f17805fbbfb0c40915977dfaf56cf294f48c706b6
    Size: 56.60 kB
  7. criu-3.15-3.module+el8+1552+7eded6b9.src.rpm
    MD5: b582611fee1e5be48ef22d4390133a96
    SHA-256: e5d86a2a913158e7624fb07c24671eaf7d759d5517eee9b82c0c483e6172e000
    Size: 914.17 kB
  8. crun-1.5-1.module+el8+1552+7eded6b9.src.rpm
    MD5: 961f4aabe7d15e840e6445c44ed52fd0
    SHA-256: 43f552188fc852a109a91ee31d23da2df43455d71905adb63cced74f8e683f58
    Size: 1.89 MB
  9. fuse-overlayfs-1.9-1.module+el8+1552+7eded6b9.src.rpm
    MD5: ef896506a22d6549e10d06c6e9087a81
    SHA-256: c7d51b43a4380f33ab78e8bbe609e8479c1119a27958bf33d32aa1ec67023161
    Size: 115.51 kB
  10. libslirp-4.4.0-1.module+el8+1552+7eded6b9.src.rpm
    MD5: 2e0c8fd9864cba2118093602ceed147c
    SHA-256: 027592a1591671e356a83f55e6ae640440636e2e159ab089e19aa02ecbde4063
    Size: 114.78 kB
  11. oci-seccomp-bpf-hook-1.2.5-1.module+el8+1552+7eded6b9.src.rpm
    MD5: 30b655fdb734f26a00bfa4ad35e0232c
    SHA-256: e3beb7fea351ea40f8146cc9b2884f5893c4bf3f2d6b78ca2304f13d09ee91fb
    Size: 1.20 MB
  12. podman-4.0.2-8.module+el8+1552+7eded6b9.src.rpm
    MD5: 8311407596f482ebf930846364a30ca4
    SHA-256: bc3a1f62d7f2d1e0279a82025b015ec5a06e04ab235b1191f457ed1fb7338162
    Size: 16.45 MB
  13. python-podman-4.0.0-1.module+el8+1552+7eded6b9.src.rpm
    MD5: 090a00fe3f4eaa2b8c7c6e44295e81e3
    SHA-256: 5f13b03359b5dba2bb2dae84b34dbd25078bc58175844acfd4e48e7329ad7f4a
    Size: 79.35 kB
  14. runc-1.1.4-1.module+el8+1552+7eded6b9.src.rpm
    MD5: a234117aa290c3d1a2859d641d12405b
    SHA-256: 1de6e4994ae75bdb2683bd67fe1b6b0aa40f003506476913dc361a9827c8a592
    Size: 2.21 MB
  15. skopeo-1.6.2-5.module+el8+1552+7eded6b9.src.rpm
    MD5: f443f882ddb75703c36e45238b006fed
    SHA-256: 712296126d0aec8a38693a3fa6f18950265ca69952e52018d1358b89a894e0eb
    Size: 6.19 MB
  16. slirp4netns-1.1.8-2.module+el8+1552+7eded6b9.src.rpm
    MD5: a3aa83b5a43c02c2ca5da2cbf2d8845f
    SHA-256: 55c18e228126d113533b2e0a83c0da1d746d1f02e24d7a5dfa17512ba14b6c59
    Size: 69.39 kB
  17. toolbox-0.0.99.3-0.5.module+el8+1552+7eded6b9.src.rpm
    MD5: 7410325204eaf6fceebf5811cde0ad13
    SHA-256: 84e5563092d05f5ffe0720406ad92db29d39e48ce02fa981ad2f598450d76b3c
    Size: 5.88 MB
  18. udica-0.2.6-3.module+el8+1552+7eded6b9.src.rpm
    MD5: f66c4762d3894d67e63fcf5b7de32e93
    SHA-256: 21aff52187f340319e1984206162a15a223a44bd170722d77b12655f5de4a974
    Size: 133.85 kB

Asianux Server 8 for x86_64
  1. buildah-1.24.5-2.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: c68e6b4b8af43ae5e56c40e7e884ddf0
    SHA-256: e78b98209f794dd8d8d1bc8831eea8ef49a2a631918b2b131dc1b699d848bfd9
    Size: 7.81 MB
  2. buildah-debugsource-1.24.5-2.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 61b95dbda04d46dff59beb459e414c61
    SHA-256: 9d91cc6d3356d3c85ec3b4ae44a32d646d03e6b33259f5b97ebd042708819bae
    Size: 3.30 MB
  3. buildah-tests-1.24.5-2.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 58d86819345e00ee3ff204d55e76a26a
    SHA-256: 5c3dd76471ed21cc259a195dfbd2ee6447485ece19c3e1bc0320d71101bff5ef
    Size: 17.66 MB
  4. cockpit-podman-46-1.module+el8+1552+7eded6b9.noarch.rpm
    MD5: 0ff9c3a60d83104026b82c37d5198e6d
    SHA-256: 944078a3daed08e25e2a658cee5e5478244f9dc051dd084c5081745d5fce38f2
    Size: 499.61 kB
  5. conmon-2.1.4-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 54e5ad58d72e5690d9e6132dfeb4a61b
    SHA-256: 78b121834506259727cdf0724aa6fac30b7cffe8fcb935775c052bcee66578e1
    Size: 55.02 kB
  6. conmon-debugsource-2.1.4-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 827efcafdc51ad0ffddde28efd1fe2d0
    SHA-256: c168168c14dc2288247e8bd5ed8ddb1bc26ca6cbbd12c1c3ae3bf98c9b2ce351
    Size: 48.31 kB
  7. containernetworking-plugins-1.1.1-2.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 0d69f8bd2c8e75587859b324133101c9
    SHA-256: c6712b1e057953db78ff6f41b4a5809e2459c63741baddccc6282bac999d1a3b
    Size: 18.09 MB
  8. containernetworking-plugins-debugsource-1.1.1-2.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 0b382ab665ac5958b62efadc9169f867
    SHA-256: 1b5a6c74370bb4253633f7c4da825f7240891810ebbb069c028658759752afa3
    Size: 375.91 kB
  9. aardvark-dns-1.0.1-35.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 33e0e72b9631538d154676af28d21591
    SHA-256: 17316b6dd46823ef943d51db95cffde905126cab227139961e2a6cc84164522e
    Size: 1.00 MB
  10. containers-common-1-35.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: e90bb21ab87087ceacef5f896239db07
    SHA-256: d811f3d35f0a1dfb79e76ee8663bd5beb535438e8d4c90fdb41728dbef70b647
    Size: 105.18 kB
  11. netavark-1.0.1-35.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 9900c686a5a42b7d095e7db2c91fd474
    SHA-256: 2e7e69a22572b56dfece4b4d4d6ef5f8e9ca5dd44fe40094a8213cdb2209946d
    Size: 2.03 MB
  12. container-selinux-2.189.0-1.module+el8+1552+7eded6b9.noarch.rpm
    MD5: 0ae25a63e413b8b0476bd36baeee3df7
    SHA-256: 3625464bb771427cddd73f837a7a7e6efde3cb275a2dfb61cb631a5a0886d8d8
    Size: 58.94 kB
  13. crit-3.15-3.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 3265f89de9a636a3d951b99ddf6a0df1
    SHA-256: 646a31f767187b74bba0601955c78bd59000003b8fdf062afca57a13d971650f
    Size: 18.59 kB
  14. criu-3.15-3.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: cc2c872ac68cd138cbeec1f303a19082
    SHA-256: d82887f2d54e779fc1e6272c4431d740d6d4e05a8eb80f8c914f937e1d70e5d8
    Size: 516.58 kB
  15. criu-debugsource-3.15-3.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: a035c2f6cce8f6e81570e8fc25e583b9
    SHA-256: 07fa8ec5b05a16d33ff955ad14408783afaedc357ec937281a8420a0b3c32245
    Size: 675.35 kB
  16. criu-devel-3.15-3.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: fecbdbd97dadc6ec3cda54292c3ece5e
    SHA-256: d07b6e627952291ea4fab0c7d9c5ecc39381b8caec83748faa2e13f3f9d1f9c1
    Size: 23.81 kB
  17. criu-libs-3.15-3.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: a2e8ee98c888a4a2e847c915e424f28a
    SHA-256: cd00a1815fdc3689fd751ce03db5518927d77304232c7e0e189e0e71929ec643
    Size: 36.65 kB
  18. python3-criu-3.15-3.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 0889c0fd3b87a58aaf57cd909e2d8fd0
    SHA-256: 0ede159cdb51b371f8947cb68882d78cf1d51a88ee2d38f81926b469350058e9
    Size: 168.80 kB
  19. crun-1.5-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 49ff9757fad1c11f3b7b1671fc35f0fe
    SHA-256: c474ba384d5e65c50e3a91dfc7c75eb5208d6559c2fb0f9c5e83206ecda38abf
    Size: 211.88 kB
  20. crun-debugsource-1.5-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 485f9140199e353897a2c91fff7e1715
    SHA-256: b9d4b3a67bbe5b9fc2bbe582840560d91e5097d8f67a7c775114e05719206532
    Size: 159.35 kB
  21. fuse-overlayfs-1.9-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 9d842a6d87dc8b59bfa50e00d9cee672
    SHA-256: 2f9eb7d5163963fa78f52b1f4d43ce367db31fb0503b041e253521b55ae224c7
    Size: 72.17 kB
  22. fuse-overlayfs-debugsource-1.9-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: e0d4104de9b2bb7a9004b2b7b4e07eed
    SHA-256: 0ed660a7e3d386fe6488a384cb189ecc7cb83e8239a08e8ddfc1e80c5e86537f
    Size: 54.08 kB
  23. libslirp-4.4.0-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 256a4fc4333adf5de321c87bef489d8a
    SHA-256: d1b40c66ac56600f1ee1aa10756d65ae4adc75ec41ba9197e019e4442355157b
    Size: 69.13 kB
  24. libslirp-debugsource-4.4.0-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: df42f379c1f868dd1d90dccc13dc5f1c
    SHA-256: cb7688f5d663ea3a01584d3c3fd1f4bed9102215aa35e28e8cd95b121d95ade1
    Size: 114.43 kB
  25. libslirp-devel-4.4.0-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: e56ffc38da0f6d691a8eb0bfb945d643
    SHA-256: ae10abddb612564fb7a9efda2fcfa0591b3d3a6a6b5f7f893b2258dabb33b1db
    Size: 11.29 kB
  26. oci-seccomp-bpf-hook-1.2.5-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 2ec511240592e7848c085647c7477899
    SHA-256: dea5a0a32157bd65ab24aaa15e0c6f7d5a5abc453b7aec02d3a6bad020ba4b6c
    Size: 1.00 MB
  27. oci-seccomp-bpf-hook-debugsource-1.2.5-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 0f6e5303e890ae1c2cdc76d1b1d22b71
    SHA-256: 4a2d4a089a074822294a4f4f1257aec3d4f19057627a6d313cf6082641057a07
    Size: 174.27 kB
  28. podman-4.0.2-8.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 4183f66586916d53a55996c329ef1d21
    SHA-256: 64662ae8dd9c85568f1190567cd6c3874f558fbbd2b4f32d1ed5bb4dbec4c2f2
    Size: 12.82 MB
  29. podman-catatonit-4.0.2-8.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 53696c8c0b1cc587c368463e08bc7a29
    SHA-256: 02a9871e549c2163e7dd760b9f99664b9fe8258f82ccf0fefe6cdf33c670631b
    Size: 353.49 kB
  30. podman-debugsource-4.0.2-8.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 917dcf08602a1c23e002961b93a5e521
    SHA-256: 2eda1bf90e41a19da567dc1970944ce21bbaf9bf66d53517bdbd352464165668
    Size: 5.87 MB
  31. podman-docker-4.0.2-8.module+el8+1552+7eded6b9.noarch.rpm
    MD5: d1e743281ff7d4ca28530169d2f8bf6d
    SHA-256: 325e8e9bcc712332c56c171b611623361d668c10f16b84e95a55307b3b831298
    Size: 67.19 kB
  32. podman-gvproxy-4.0.2-8.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 14667e6d3506a9d59a8ff5ede7c7cd55
    SHA-256: 86d3c864ee2e5eac139160a95dc91083f8e7f4df70b9d1f64169ea22e8f30bc3
    Size: 3.31 MB
  33. podman-plugins-4.0.2-8.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 38b837e2928f9c58b15b0adb128a74c8
    SHA-256: d27706eb002aea99eda9d6e0097d120f5e436cd1bdb101f667a9547b7d6e4f7d
    Size: 3.08 MB
  34. podman-remote-4.0.2-8.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 47aa1059ed07befe7580a4442d2b4707
    SHA-256: 13af2eb2b3dd153b614fa8d5a0ed04b9753bc7471e91e202bad54c3e7829fd30
    Size: 7.89 MB
  35. podman-tests-4.0.2-8.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 97b694fcf34512991e24be6dbddd0e29
    SHA-256: 3791bb54af79da99e18521a3d5549555ed0f34a77835357e987112720199474c
    Size: 174.61 kB
  36. python3-podman-4.0.0-1.module+el8+1552+7eded6b9.noarch.rpm
    MD5: 22559048b78b35fa54fc374d8cddcab6
    SHA-256: 67c8cd0d1ba89dfbe352e5642e91c2e0469e73445b0dd8e8c06ae8e83682c0b1
    Size: 148.04 kB
  37. runc-1.1.4-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 6d22969913877c21f170012aef88ed99
    SHA-256: 6c32f01a9443e645ad397c63c2b35c96833aab845a575d91f068db94ec07e1ba
    Size: 2.94 MB
  38. runc-debugsource-1.1.4-1.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 411d7df9f463668ee4b5c5af036baf15
    SHA-256: 9c46b5d6ffc3b59ac378ead165d557578d390dbebeebe34019c3c0c64bc96c5e
    Size: 867.31 kB
  39. skopeo-1.6.2-5.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: f1e0bd7a20f160c265661cab1b316113
    SHA-256: ae692ad2f01c8593f3ee9556395caf4148157f8eaed0c15c83e1436fcb53c082
    Size: 6.45 MB
  40. skopeo-debugsource-1.6.2-5.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: a6718cb801a4985344d437a83468feca
    SHA-256: 0fb52b8975d603c817b9dc656fe799f0ffc1b94236c60d0a444e4708c28d285b
    Size: 2.48 MB
  41. skopeo-tests-1.6.2-5.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: e6049745044c25c189bd3428edc9e9fa
    SHA-256: ae0589c43a5147166c18f4e2458915eafcd3a34d525b52b6f7ba4d1167a200e6
    Size: 779.54 kB
  42. slirp4netns-1.1.8-2.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 91bcab0599fa5abbb7123f0e0096180b
    SHA-256: 1ca1c1f0702409180bc69b7995253c6f024c569225f304a7c7c7af3a6885e743
    Size: 50.17 kB
  43. slirp4netns-debugsource-1.1.8-2.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 16fb8c5a146048cb7938917d4eac3a8c
    SHA-256: 5bdbbb3aa2704bb387f1e19ebda1de2fc5d4a90fafdd821151f5dc487f01621b
    Size: 38.74 kB
  44. toolbox-0.0.99.3-0.5.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: d7db711ad91361447f0030aeb2caaf56
    SHA-256: b9265ed6e4b52379f721d45114122a1a44f122e7814777748cc4edd7e50ad8c9
    Size: 2.21 MB
  45. toolbox-debugsource-0.0.99.3-0.5.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: 6ed53506b403470a32daee8054f6dfd0
    SHA-256: b496a1f7081f43e257e514dfde0f77b5d5b81681d3a2c04d483e48cae3668e51
    Size: 449.52 kB
  46. toolbox-tests-0.0.99.3-0.5.module+el8+1552+7eded6b9.x86_64.rpm
    MD5: a41afd1d724826e3c4294a5e683b8e2a
    SHA-256: d3d8b2add9b38a39ec21db4ae079cf66222744b1dc9d884af757c9f1246c8360
    Size: 30.27 kB
  47. udica-0.2.6-3.module+el8+1552+7eded6b9.noarch.rpm
    MD5: 3a13f49d78ebb564f377fe4122cc427f
    SHA-256: e2b4d6a9af4580f2ff0912d8dda21a251f971111a337c53ac80c687e71a3e7d2
    Size: 47.92 kB