927500 – <app-containers/podman-{4.9.4,5.0.0}: Denial of Service with invalid JSON input

Bug 927500 - <app-containers/podman-{4.9.4,5.0.0}: Denial of Service with invalid JSON input

Summary: <app-containers/podman-{4.9.4,5.0.0}: Denial of Service with invalid JSON input

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B3 [glsa+]
Keywords:	PullRequest, SECURITY

Depends on:	928282
Blocks:	CVE-2024-24786
	Show dependency tree

Reported:	2024-03-22 10:33 UTC by Rahil Bhimjiani
Modified:	2024-07-05 07:08 UTC (History)
CC List:	1 user (show)

See Also:	https://github.com/gentoo/gentoo/pull/35929
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rahil Bhimjiani 2024-03-22 10:33:08 UTC

4.9.3 ships with protobuf 1.31.0

Comment 1 Larry the Git Cow gentoo-dev

2024-03-23 08:29:53 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b86ea5f418a7dbe75847a8dc940edc114e3a17b8

commit b86ea5f418a7dbe75847a8dc940edc114e3a17b8
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-20 11:50:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-23 08:29:03 +0000

    app-containers/podman: update to 5.0.0
    
    1) Podman 5 drops old, slow & insecure stack in favour of shiny new one:
    * slirp4netns -> passt/pasta
    * runc -> crun
    * cni-plugins -> netavark + aardvark-dns
    * cgroupv1 -> cgroupv2
    
    2) remove USE flags: cgroup-hybrid, init, rootless, fuse  because ...
    * cgroupv1 support is deprecated.
    * app-containers/catatonit, net-misc/passt, sys-fs/fuse-overlayfs are very minimal
    dependencies, <1M of installed size in <30s of compile time (ofc it
    varies).
    * These flags didn't do much except pulling in dependencies. So suppose
    someone goes from -init to +init they've to compile whole podman again,
    instead of just emerging catatonit.
    * Forcing fuse-overlayfs on users  makes sure to have a default graph driver in
    rootless mode. containers-storage(5)
    
    3) add python-any-r1.elcass to fix python-exec[-native-symlinks]
    
    Closes: https://bugs.gentoo.org/877719
    Closes: https://bugs.gentoo.org/906073
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927501
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927500
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-containers/podman/Manifest                     |   1 +
 .../podman/files/podman-auto-update-5.0.0.cron     |   5 +
 .../podman/files/podman-auto-update-5.0.0_rc4.cron |   7 --
 app-containers/podman/metadata.xml                 |   6 +-
 app-containers/podman/podman-5.0.0.ebuild          | 128 +++++++++++++++++++++
 app-containers/podman/podman-9999.ebuild           |  73 ++++--------
 6 files changed, 160 insertions(+), 60 deletions(-)

Comment 2 Larry the Git Cow gentoo-dev

2024-03-27 03:02:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9569a2ffc816bb40837a3f0e0a872cf57f20bf3f

commit 9569a2ffc816bb40837a3f0e0a872cf57f20bf3f
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-26 08:13:57 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-03-27 03:02:01 +0000

    app-containers/podman: 4.9.4 fixes CVE-2024-1753 and CVE-2024-24786
    
    also backported some niceities from 5.x ebuild
    * fix failed build with python-exec[-native-symlinks]
    * improvments in init.d/podman, add podman-restart and
    podman-clean-transient scripts, add podman-auto-update cronjob
    
    Bug: https://bugs.gentoo.org/927500
    Bug: https://bugs.gentoo.org/927501
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    From: https://github.com/gentoo/gentoo/pull/35929
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 +
 app-containers/podman/podman-4.9.4.ebuild | 156 ++++++++++++++++++++++++++++++
 2 files changed, 157 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2024-03-31 23:51:15 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=712b89c49c2a45e3b70d7b977344b367b9ad6d2c

commit 712b89c49c2a45e3b70d7b977344b367b9ad6d2c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2024-03-31 23:50:14 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-03-31 23:50:20 +0000

    app-containers/podman: drop 4.9.3
    
    Bug: https://bugs.gentoo.org/927500
    Bug: https://bugs.gentoo.org/927501
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 -
 app-containers/podman/podman-4.9.3.ebuild | 141 ------------------------------
 2 files changed, 142 deletions(-)

Comment 4 Larry the Git Cow gentoo-dev

2024-07-05 07:06:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3671dbb8919b2952a3de8b9a51e7573f2b16d234

commit 3671dbb8919b2952a3de8b9a51e7573f2b16d234
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-05 07:05:25 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-05 07:06:00 +0000

    [ GLSA 202407-12 ] podman: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/829896
    Bug: https://bugs.gentoo.org/870931
    Bug: https://bugs.gentoo.org/896372
    Bug: https://bugs.gentoo.org/921290
    Bug: https://bugs.gentoo.org/923751
    Bug: https://bugs.gentoo.org/927500
    Bug: https://bugs.gentoo.org/927501
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-12.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)