x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-259w-8hf6-59c2 #1573

Closed
GoVulnBot opened this issue Feb 16, 2023 · 2 comments
@GoVulnBot

In GitHub Security Advisory GHSA-259w-8hf6-59c2, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/containerd/containerd | 1.6.18 | >= 1.6.0, < 1.6.18 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/containerd/containerd
    versions:
      - introduced: 1.6.0
        fixed: 1.6.18
    packages:
      - package: github.com/containerd/containerd
  - module: github.com/containerd/containerd
    versions:
      - introduced: TODO (earliest fixed "1.5.18", vuln range "<= 1.5.17")
    packages:
      - package: github.com/containerd/containerd
description: "### Impact\n\nWhen importing an OCI image, there was no limit on the
    number of bytes read for certain files. A maliciously crafted image with a large
    file where a limit was not applied could cause a denial of service.\n\n### Patches\n\nThis
    bug has been fixed in containerd 1.6.18 and 1.5.18.  Users should update to these
    versions to resolve the issue.\n\n### Workarounds\n\nEnsure that only trusted
    images are used and that only trusted users have permissions to import images.
    \n\n### Credits\n\nThe containerd project would like to thank [David Korczynski](https://github.com/DavidKorczynski)
    and [Adam Korczynski](https://github.com/AdamKorcz) of ADA Logics for responsibly
    disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md)
    during a security fuzzing audit sponsored by CNCF.\n\n### For more information\n\nIf
    you have any questions or comments about this advisory:\n\n* Open an issue in
    [containerd](https://github.com/containerd/containerd/issues/new/choose)\n* Email
    us at [security@containerd.io](mailto:security@containerd.io)\n\nTo report a security
    issue in containerd:\n* [Report a new vulnerability](https://github.com/containerd/containerd/security/advisories/new)\n*
    Email us at [security@containerd.io](mailto:security@containerd.io)"
cves:
  - CVE-2023-25153
ghsas:
  - GHSA-259w-8hf6-59c2
references:
  - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2
  - advisory: https://github.com/advisories/GHSA-259w-8hf6-59c2
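The Impact section above describes the failure mode: certain files read while importing an OCI image had no cap on the number of bytes consumed, so an oversized file in a crafted image could exhaust memory. The following Go program is an added illustration of the defensive pattern, not containerd's code and not the fix shipped in 1.6.18 or 1.5.18: every regular entry in a tar stream is rejected if its declared size exceeds a limit, and the body read is independently capped so the cap never depends on trusting the header alone. The function names (`readLimited`, `readTarEntries`, `buildTar`), the 1 KiB limit and the in-memory sample archive are assumptions constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrFileTooLarge is returned when an archive entry exceeds the configured limit.
var ErrFileTooLarge = errors.New("tar entry exceeds size limit")

// readLimited reads at most limit bytes from r. It reads one byte past the
// limit so that "exactly limit bytes" and "more than limit bytes" can be told
// apart without buffering an unbounded stream.
func readLimited(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, ErrFileTooLarge
	}
	return data, nil
}

// readTarEntries walks a tar stream and returns the contents of each regular
// file. The header's declared Size is checked first so oversized entries are
// refused before any body bytes are read; the body read is still capped
// independently as defence in depth.
func readTarEntries(r io.Reader, limit int64) (map[string][]byte, error) {
	out := map[string][]byte{}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // directories, symlinks etc. carry no body to cap
		}
		if hdr.Size > limit {
			return nil, fmt.Errorf("%s: %w (declared %d bytes, limit %d)", hdr.Name, ErrFileTooLarge, hdr.Size, limit)
		}
		data, err := readLimited(tr, limit)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", hdr.Name, err)
		}
		out[hdr.Name] = data
	}
}

// buildTar constructs an in-memory tar archive from name->content pairs.
// It exists only to produce constructed sample input for this example.
func buildTar(files map[string][]byte) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, content := range files {
		_ = tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(content)), Typeflag: tar.TypeReg})
		_, _ = tw.Write(content)
	}
	_ = tw.Close()
	return buf.Bytes()
}

func main() {
	const limit = 1024 // 1 KiB cap, an arbitrary value for the demonstration

	// A well-formed archive with a small metadata file is accepted.
	ok := buildTar(map[string][]byte{"manifest.json": []byte(`{"schemaVersion":2}`)})
	entries, err := readTarEntries(bytes.NewReader(ok), limit)
	fmt.Println("small archive:", len(entries), "entries, err =", err)

	// An archive carrying a 4 KiB file is rejected before it is buffered.
	big := buildTar(map[string][]byte{"layer.tar": make([]byte, 4096)})
	_, err = readTarEntries(bytes.NewReader(big), limit)
	fmt.Println("oversized archive: err =", err)
}
```

The same shape applies to any importer: decide the maximum size each kind of file may legitimately have, compare the declared size against it before reading, and wrap the body in `io.LimitReader` so a mismatch between header and stream cannot reintroduce the unbounded read.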

@gopherbot

Change https://go.dev/cl/468995 mentions this issue: data/reports: add GO-2023-1573.yaml

@gopherbot

Change https://go.dev/cl/607456 mentions this issue: data/reports: update 6 reports

gopherbot pushed a commit that referenced this issue Aug 21, 2024
Fix reports which won't pass an upcoming lint check
by merging / collapsing their version ranges.

  - data/reports/GO-2022-0617.yaml
  - data/reports/GO-2023-1573.yaml
  - data/reports/GO-2023-1574.yaml
  - data/reports/GO-2023-1730.yaml
  - data/reports/GO-2023-1946.yaml
  - data/reports/GO-2024-2784.yaml

Updates #617
Updates #1573
Updates #1574
Updates #1730
Updates #1946
Updates #2784

Change-Id: If02308deccab77b00cf10cb3619263e456d1ea64
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607456
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>