927499 – app-containers/buildah: Denial of Service with invalid JSON input

Bug 927499 - app-containers/buildah: Denial of Service with invalid JSON input

Summary: app-containers/buildah: Denial of Service with invalid JSON input

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://github.com/containers/buildah...
Whiteboard:
Keywords:	PullRequest, SECURITY

Depends on:	927575
Blocks:	CVE-2024-24786
	Show dependency tree

Reported:	2024-03-22 10:22 UTC by Rahil Bhimjiani
Modified:	2024-04-01 00:36 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/35943
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rahil Bhimjiani 2024-03-22 10:22:05 UTC

https://github.com/containers/buildah/releases

Comment 1 Larry the Git Cow gentoo-dev

2024-03-23 08:29:51 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da62fc25c5269bad61409b528c7cd456de6f2a9d

commit da62fc25c5269bad61409b528c7cd456de6f2a9d
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-22 10:45:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-23 08:29:05 +0000

    app-containers/buildah: add 1.33.7 and 1.34.3 fix security issues
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927502
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927499
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-containers/buildah/Manifest              |   2 +
 app-containers/buildah/buildah-1.33.7.ebuild | 122 +++++++++++++++++++++++++++
 app-containers/buildah/buildah-1.34.3.ebuild | 122 +++++++++++++++++++++++++++
 3 files changed, 246 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2024-03-31 00:13:26 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43b007f04043855ca1604cc6499576b235703282

commit 43b007f04043855ca1604cc6499576b235703282
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-27 05:32:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-03-31 00:05:41 +0000

    app-containers/buildah: add 1.35.3
    
    Bug: https://bugs.gentoo.org/927499
    Bug: https://bugs.gentoo.org/927502
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    From: https://github.com/gentoo/gentoo/pull/35943
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   1 +
 app-containers/buildah/buildah-1.35.3.ebuild | 128 +++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2024-04-01 00:36:30 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2548753d633ea5a15c023e8584418a96fd1823a6

commit 2548753d633ea5a15c023e8584418a96fd1823a6
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-31 07:23:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-01 00:35:09 +0000

    app-containers/buildah: cleanup vulnerable versions
    
    1.33.5, 1.33.6
    1.34.0
    1.35.1
    
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Bug: https://bugs.gentoo.org/927499
    Bug: https://bugs.gentoo.org/927502
    Closes: https://github.com/gentoo/gentoo/pull/36011
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   4 -
 app-containers/buildah/buildah-1.33.5.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.33.6.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.34.0.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.35.1.ebuild | 132 ---------------------------
 5 files changed, 511 deletions(-)