Bug 927499 - <app-containers/buildah-{1.33.7,1.34.3,1.35.3}: Denial of Service with invalid JSON input
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/containers/buildah...
Whiteboard: B3 [glsa+]
Keywords: PullRequest, SECURITY
Depends on: 927575 935051
Blocks: CVE-2024-24786
Reported: 2024-03-22 10:22 UTC by Rahil Bhimjiani
Modified: 2024-07-10 06:36 UTC

Description Rahil Bhimjiani 2024-03-22 10:22:05 UTC
https://github.com/containers/buildah/releases
Comment 1 Larry the Git Cow gentoo-dev 2024-03-23 08:29:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da62fc25c5269bad61409b528c7cd456de6f2a9d

commit da62fc25c5269bad61409b528c7cd456de6f2a9d
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-22 10:45:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-23 08:29:05 +0000

    app-containers/buildah: add 1.33.7 and 1.34.3 fix security issues
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927502
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927499
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-containers/buildah/Manifest              |   2 +
 app-containers/buildah/buildah-1.33.7.ebuild | 122 +++++++++++++++++++++++++++
 app-containers/buildah/buildah-1.34.3.ebuild | 122 +++++++++++++++++++++++++++
 3 files changed, 246 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2024-03-31 00:13:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43b007f04043855ca1604cc6499576b235703282

commit 43b007f04043855ca1604cc6499576b235703282
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-27 05:32:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-03-31 00:05:41 +0000

    app-containers/buildah: add 1.35.3
    
    Bug: https://bugs.gentoo.org/927499
    Bug: https://bugs.gentoo.org/927502
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    From: https://github.com/gentoo/gentoo/pull/35943
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   1 +
 app-containers/buildah/buildah-1.35.3.ebuild | 128 +++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-04-01 00:36:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2548753d633ea5a15c023e8584418a96fd1823a6

commit 2548753d633ea5a15c023e8584418a96fd1823a6
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-31 07:23:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-01 00:35:09 +0000

    app-containers/buildah: cleanup vulnerable versions
    
    1.33.5, 1.33.6
    1.34.0
    1.35.1
    
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Bug: https://bugs.gentoo.org/927499
    Bug: https://bugs.gentoo.org/927502
    Closes: https://github.com/gentoo/gentoo/pull/36011
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   4 -
 app-containers/buildah/buildah-1.33.5.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.33.6.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.34.0.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.35.1.ebuild | 132 ---------------------------
 5 files changed, 511 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-07-10 06:35:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f5c4590ccc7fba60f1b11c716c6abb083c0f5ddd

commit f5c4590ccc7fba60f1b11c716c6abb083c0f5ddd
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-10 06:35:05 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-10 06:35:16 +0000

    [ GLSA 202407-25 ] Buildah: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/923650
    Bug: https://bugs.gentoo.org/927499
    Bug: https://bugs.gentoo.org/927502
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-25.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)