CVE-2024-9341: A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.
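As an added illustration of the mitigation class this flaw calls for (it is not code from containers/common or from the referenced fix commit): a helper that resolves a container-internal path against the rootfs on the host before anything is created or bind-mounted there, and rejects an image-planted symlink that would redirect the operation outside the rootfs. The names ResolveInRoot and ErrEscapesRoot are assumptions, and "/etc/system-fips" is used only as an illustrative path.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot: the path, after host-side symlink resolution, left the rootfs.
var ErrEscapesRoot = errors.New("path resolves outside the container root")

// ResolveInRoot maps a path as seen inside the container (e.g. "/etc/system-fips",
// used here only as an illustration) to the host path a runtime may safely create
// or bind-mount. The longest existing prefix is resolved on the host, so a symlink
// planted in the image cannot redirect the operation into a host directory.
// Assumed helper, not the upstream fix; it is check-then-use, so production code
// should prefer an openat2(RESOLVE_IN_ROOT)-style primitive to close the TOCTOU gap.
func ResolveInRoot(root, inner string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err == nil {
		absRoot, err = filepath.EvalSymlinks(absRoot)
	}
	if err != nil {
		return "", err
	}
	// Clean with a leading "/" so ".." components cannot climb above root.
	target := filepath.Join(absRoot, filepath.Clean("/"+inner))
	// Peel off components that do not exist yet (the file about to be created);
	// they are re-attached after the existing prefix has been resolved.
	existing, tail := target, ""
	for {
		if _, err := os.Lstat(existing); err == nil {
			break
		}
		tail = filepath.Join(filepath.Base(existing), tail)
		existing = filepath.Dir(existing)
	}
	resolved, err := filepath.EvalSymlinks(existing) // follows image symlinks
	if err != nil {
		return "", err // dangling link: fail closed rather than guess
	}
	final := filepath.Join(resolved, tail)
	if final != absRoot && !strings.HasPrefix(final, absRoot+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %s -> %s", ErrEscapesRoot, inner, final)
	}
	return final, nil
}
```

Call it with the rootfs directory and the in-container path before every create or mount on a guest path, and treat ErrEscapesRoot as a hard failure rather than a warning.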
Fix is in 0.60.4 according to https://github.com/containers/common/commit/e7db06585c32e1a782c1d9aa3b71ccd708f5e23f, which is stable. Needs cleanup.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd2cf88635ffc0c895b2ddd5c30c78814ca91bf4

commit dd2cf88635ffc0c895b2ddd5c30c78814ca91bf4
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2025-03-01 21:23:51 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2025-03-01 21:25:39 +0000

    app-containers/containers-common: drop 0.59.1

    Bug: https://bugs.gentoo.org/941218
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/containers-common/Manifest |  1 -
 .../containers-common-0.59.1.ebuild       | 75 ----------------------
 2 files changed, 76 deletions(-)