x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2023-25153

[GoVulnBot]

CVE-2023-25153 references github.com/containerd/containerd, which may be a Go module.

Description:
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-25153
• JSON: https://github.com/CVEProject/cvelist/tree/58b1ebeb511027c67b6161fcb4218e53404d4121/2023/25xxx/CVE-2023-25153.json
• advisory: GHSA-259w-8hf6-59c2
• fix: containerd/containerd@0c31490
• web: https://github.com/containerd/containerd/releases/tag/v1.5.18
• web: https://github.com/containerd/containerd/releases/tag/v1.6.18
• Imported by: https://pkg.go.dev/github.com/containerd/containerd?tab=importedby

Cross references:

• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-43816 #278 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-23648 #344 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-31030 #482 EFFECTIVELY_PRIVATE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd/cmd: GHSA-36xw-fx78-c5r4 #784 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: GHSA-742w-89gc-8m9c #803 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-32760, GHSA-c72p-9xmj-rx3w #921 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2021-41103, GHSA-c2h3-6mxw-7mvq #938 NOT_IMPORTABLE
• Module github.com/containerd/containerd appears in issue x/vulndb: potential Go vuln in github.com/containerd/containerd: CVE-2022-23471 #1147 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/containerd/containerd
    packages:
      - package: containerd
description: |
    containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
cves:
  - CVE-2023-25153
references:
  - advisory: https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2
  - fix: https://github.com/containerd/containerd/commit/0c314901076a74a7b797a545d2f462285fdbb8c4
  - web: https://github.com/containerd/containerd/releases/tag/v1.5.18
  - web: https://github.com/containerd/containerd/releases/tag/v1.6.18

[timothy-king]

Duplicate of #1573