836840 – (CVE-2022-27651) <app-containers/buildah-1.25.1: containers started with non-empty inheritable capabilities

Bug 836840 (CVE-2022-27651) - <app-containers/buildah-1.25.1: containers started with non-empty inheritable capabilities

Summary: <app-containers/buildah-1.25.1: containers started with non-empty inheritable...

Status:	RESOLVED FIXED

Alias:	CVE-2022-27651

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor
Assignee:	Gentoo Security

URL:	https://github.com/containers/buildah...
Whiteboard:	B4 [glsa?]
Keywords:

Depends on:	836966
Blocks:
	Show dependency tree

Reported:	2022-04-05 14:15 UTC by John Helmert III
Modified:	2022-04-11 14:58 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-04-05 14:15:55 UTC

CVE-2022-27651:

A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.

Patch: https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b

Please bump to 1.25.

Comment 1 Larry the Git Cow gentoo-dev

2022-04-06 00:51:33 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c02c4bcb593825d12d89aae1b7a94e55c953f5e2

commit c02c4bcb593825d12d89aae1b7a94e55c953f5e2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-04-06 00:49:23 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-04-06 00:49:32 +0000

    app-containers/buildah: add 1.25.1
    
    Bug: https://bugs.gentoo.org/836840
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |  1 +
 app-containers/buildah/buildah-1.25.1.ebuild | 51 ++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)

Comment 2 Sam James archtester

2022-04-06 01:49:23 UTC

Thanks! Please stable when ready.

Comment 3 John Helmert III archtester

2022-04-11 02:13:46 UTC

Please cleanup

Comment 4 Larry the Git Cow gentoo-dev

2022-04-11 03:42:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0cbe38451f71d1a5445958c44cba3906f4c1b9b

commit d0cbe38451f71d1a5445958c44cba3906f4c1b9b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-04-11 03:41:59 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-04-11 03:42:04 +0000

    app-containers/buildah: drop vulnerable versions
    
    Bug: https://bugs.gentoo.org/836840
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest                 |  3 --
 app-containers/buildah/buildah-1.23.1-r1.ebuild | 51 -------------------------
 app-containers/buildah/buildah-1.24.2.ebuild    | 51 -------------------------
 app-containers/buildah/buildah-1.24.3.ebuild    | 51 -------------------------
 4 files changed, 156 deletions(-)

Comment 5 John Helmert III archtester

2022-04-11 14:58:10 UTC

Thanks! Relatively low impact so no GLSA. All done!