CVE-2024-25621

Name: CVE-2024-25621
Description: containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability: the directories `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were created with permissions that allow group or world access. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds are for the system administrator to manually chmod the directories on the host so they are not group- or world-accessible, or to run containerd in rootless mode.
Source: CVE (at NVD)
Debian Bugs: 1120285
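A check for the workaround described above, added here as an example (it is not containerd's or Debian's code): it reads the mode of each of the three directories named in the description, flags any group or world permission bit, and can apply the chmod the advisory suggests. It assumes GNU coreutils (`stat -c '%a'`), a POSIX shell, and directory paths without whitespace; the `audit`/`harden` subcommand names and function names are this example's own.

```shell
#!/bin/sh
# Audit (and optionally tighten) the containerd state directories named in
# GHSA-pwhc-rpq9-4c8w. Added example for this page, not containerd's own code.
# Assumes GNU coreutils (stat -c) and paths without whitespace.

# The three directories listed in the CVE description.
CONTAINERD_DIRS="/var/lib/containerd /run/containerd/io.containerd.grpc.v1.cri /run/containerd/io.containerd.sandbox.controller.v1.shim"

# Print the octal mode of a path, e.g. 700 or 2770 (GNU stat).
dir_mode() {
    stat -c '%a' "$1"
}

# Succeed when an octal mode string has any group or other bit set.
# The leading 0 makes the arithmetic treat the string as octal, so
# "755", "0", "2770" are all handled; only the low six bits are tested.
mode_is_broad() {
    [ $(( 0$1 & 077 )) -ne 0 ]
}

# Report each existing directory whose mode is group- or world-accessible.
# Returns 0 when every present directory is private (g and o bits clear),
# 1 when at least one is not. Missing directories are skipped, since the
# CRI and sandbox shim paths only exist while containerd runs.
audit_containerd_dirs() {
    rc=0
    for d in ${1:-$CONTAINERD_DIRS}; do
        if [ ! -d "$d" ]; then
            printf '%s: missing (skipped)\n' "$d"
            continue
        fi
        mode=$(dir_mode "$d")
        if mode_is_broad "$mode"; then
            printf '%s: mode %s is group/world accessible\n' "$d" "$mode"
            rc=1
        else
            printf '%s: mode %s ok\n' "$d" "$mode"
        fi
    done
    return $rc
}

# The advisory's manual workaround: strip group and world bits from each
# directory that exists. On a real host this must run as root.
harden_containerd_dirs() {
    for d in ${1:-$CONTAINERD_DIRS}; do
        if [ -d "$d" ]; then
            chmod go-rwx "$d"
        fi
    done
    return 0
}

# Usage: sh containerd-dirs.sh audit | harden
case "${1:-}" in
    audit)  audit_containerd_dirs ;;
    harden) harden_containerd_dirs && audit_containerd_dirs ;;
esac
```

`audit` is safe to run unprivileged and exits non-zero when any of the three directories is still group- or world-accessible, which makes it usable from a configuration-management or CI check; `harden` changes only the directories themselves, not their contents, and is unnecessary once a fixed version (1.7.29, 2.0.7, 2.1.5 or 2.2.0 upstream, 1.7.24~ds1-9 in Debian unstable) is installed, because those versions create the directories with private permissions.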

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release              Version                Status
containerd (PTS)  bullseye             1.4.13~ds1-1~deb11u4   vulnerable
                  bullseye (security)  1.4.13~ds1-1~deb11u5   vulnerable
                  bookworm             1.6.20~ds1-1+deb12u1   vulnerable
                  trixie               1.7.24~ds1-6           vulnerable
                  forky                1.7.24~ds1-8           vulnerable
                  sid                  1.7.24~ds1-9           fixed

The information below is based on the following data on fixed versions.

Package     Type    Release     Fixed Version   Urgency   Origin   Debian Bugs
containerd  source  (unstable)  1.7.24~ds1-9                       1120285

Notes

https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
Fixed by: https://github.com/containerd/containerd/commit/910171e90ec3a402c6669333483fbec9d0b414d7 (v2.2.0)
Fixed by: https://github.com/containerd/containerd/commit/0450f046e6942e513d0ebf1ef5c2aff13daa187f (v1.7.29)
