CVE-2023-25153

NameCVE-2023-25153
Descriptioncontainerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
containerd (PTS)bullseye1.4.13~ds1-1~deb11u4fixed
bullseye (security)1.4.13~ds1-1~deb11u2vulnerable
bookworm1.6.20~ds1-1fixed
trixie1.6.24~ds1-2fixed
sid1.7.18~ds1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
containerdsourcebullseye1.4.13~ds1-1~deb11u4
containerdsource(unstable)1.6.18~ds1-1

Notes

https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2
Search for package or bug name: Reporting problems