CVE-2021-41089

Name	CVE-2021-41089
Description	Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
docker.io (PTS)	bullseye	20.10.5+dfsg1-1+deb11u2	fixed
	bullseye (security)	20.10.5+dfsg1-1+deb11u3	fixed
	bookworm	20.10.24+dfsg1-1+deb12u1	fixed
	sid, trixie	26.1.5+dfsg1-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
docker.io	source	bullseye	20.10.5+dfsg1-1+deb11u1
docker.io	source	(unstable)	20.10.10+dfsg1-1

Notes

[buster] - docker.io <no-dsa> (Minor issue)
https://github.com/moby/moby/security/advisories/GHSA-v994-f8vw-g7j4
https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a