Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 927501 - <app-containers/podman-{5.0.0,4.9.4}: container escape
Summary: <app-containers/podman-{5.0.0,4.9.4}: container escape
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B1[glsa+]
Keywords: PullRequest, SECURITY
Depends on: 928282
Blocks: CVE-2024-1753
  Show dependency tree
 
Reported: 2024-03-22 10:40 UTC by Rahil Bhimjiani
Modified: 2024-07-05 07:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Larry the Git Cow gentoo-dev 2024-03-23 08:29:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b86ea5f418a7dbe75847a8dc940edc114e3a17b8

commit b86ea5f418a7dbe75847a8dc940edc114e3a17b8
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-20 11:50:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-23 08:29:03 +0000

    app-containers/podman: update to 5.0.0
    
    1) Podman 5 drops old, slow & insecure stack in favour of shiny new one:
    * slirp4netns -> passt/pasta
    * runc -> crun
    * cni-plugins -> netavark + aardvark-dns
    * cgroupv1 -> cgroupv2
    
    2) remove USE flags: cgroup-hybrid, init, rootless, fuse  because ...
    * cgroupv1 support is deprecated.
    * app-containers/catatonit, net-misc/passt, sys-fs/fuse-overlayfs are very minimal
    dependencies, <1M of installed size in <30s of compile time (ofc it
    varies).
    * These flags didn't do much except pulling in dependencies. So suppose
    someone goes from -init to +init they've to compile whole podman again,
    instead of just emerging catatonit.
    * Forcing fuse-overlayfs on users  makes sure to have a default graph driver in
    rootless mode. containers-storage(5)
    
    3) add python-any-r1.elcass to fix python-exec[-native-symlinks]
    
    Closes: https://bugs.gentoo.org/877719
    Closes: https://bugs.gentoo.org/906073
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927501
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927500
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-containers/podman/Manifest                     |   1 +
 .../podman/files/podman-auto-update-5.0.0.cron     |   5 +
 .../podman/files/podman-auto-update-5.0.0_rc4.cron |   7 --
 app-containers/podman/metadata.xml                 |   6 +-
 app-containers/podman/podman-5.0.0.ebuild          | 128 +++++++++++++++++++++
 app-containers/podman/podman-9999.ebuild           |  73 ++++--------
 6 files changed, 160 insertions(+), 60 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-03-27 03:02:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9569a2ffc816bb40837a3f0e0a872cf57f20bf3f

commit 9569a2ffc816bb40837a3f0e0a872cf57f20bf3f
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-26 08:13:57 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-03-27 03:02:01 +0000

    app-containers/podman: 4.9.4 fixes CVE-2024-1753 and CVE-2024-24786
    
    also backported some niceities from 5.x ebuild
    * fix failed build with python-exec[-native-symlinks]
    * improvments in init.d/podman, add podman-restart and
    podman-clean-transient scripts, add podman-auto-update cronjob
    
    Bug: https://bugs.gentoo.org/927500
    Bug: https://bugs.gentoo.org/927501
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    From: https://github.com/gentoo/gentoo/pull/35929
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 +
 app-containers/podman/podman-4.9.4.ebuild | 156 ++++++++++++++++++++++++++++++
 2 files changed, 157 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-03-31 23:51:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=712b89c49c2a45e3b70d7b977344b367b9ad6d2c

commit 712b89c49c2a45e3b70d7b977344b367b9ad6d2c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2024-03-31 23:50:14 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-03-31 23:50:20 +0000

    app-containers/podman: drop 4.9.3
    
    Bug: https://bugs.gentoo.org/927500
    Bug: https://bugs.gentoo.org/927501
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 -
 app-containers/podman/podman-4.9.3.ebuild | 141 ------------------------------
 2 files changed, 142 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2024-07-05 07:06:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3671dbb8919b2952a3de8b9a51e7573f2b16d234

commit 3671dbb8919b2952a3de8b9a51e7573f2b16d234
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-05 07:05:25 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-05 07:06:00 +0000

    [ GLSA 202407-12 ] podman: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/829896
    Bug: https://bugs.gentoo.org/870931
    Bug: https://bugs.gentoo.org/896372
    Bug: https://bugs.gentoo.org/921290
    Bug: https://bugs.gentoo.org/923751
    Bug: https://bugs.gentoo.org/927500
    Bug: https://bugs.gentoo.org/927501
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-12.xml | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)