**Please refer to tracker for full CVE details** The above is fixed in 1.37.5.
CVE-2024-9675: A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a RUN instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah. Also fixed in 1.37.5.
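The containment check that the CVE-2024-9675 description says was missing can be sketched as follows. This is an added example, not Buildah's code or its actual fix; the function names and the sample paths are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesCache = errors.New("cache path escapes cache directory") // hypothetical names throughout
// naiveCachePath joins without validating the result (the weak pattern).
func naiveCachePath(cacheDir, userPath string) string {
	return filepath.Join(cacheDir, userPath) // ".." collapses and can leave cacheDir
}

// resolveExisting resolves symlinks in the longest existing prefix of p and
// re-appends the components that do not exist yet.
func resolveExisting(p string) (string, error) {
	rest := ""
	for {
		r, err := filepath.EvalSymlinks(p)
		if err == nil {
			return filepath.Join(r, rest), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		rest, p = filepath.Join(filepath.Base(p), rest), filepath.Dir(p)
	}
}

// resolveCachePath returns the real path for userPath, or ErrEscapesCache if it
// lands outside cacheDir, either lexically ("..") or through a symlink.
func resolveCachePath(cacheDir, userPath string) (string, error) {
	root, err := filepath.EvalSymlinks(cacheDir)
	if err != nil {
		return "", err
	}
	resolved, err := resolveExisting(filepath.Join(root, userPath))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesCache
	}
	return resolved, nil
}

func main() {
	fmt.Println(resolveCachePath(os.TempDir(), "../../etc"))
}
```

A check followed by a later mount is still open to a race if the directory tree can change in between, so a production implementation should also open the path relative to the cache root rather than by name.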
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=774e610664d8a8f9ca1e3f0ed7e186df98ad0c88

commit 774e610664d8a8f9ca1e3f0ed7e186df98ad0c88
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2024-10-31 03:34:26 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-10-31 03:36:33 +0000

    app-containers/buildah: add 1.37.5

    Bug: https://bugs.gentoo.org/942557
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   1 +
 app-containers/buildah/buildah-1.37.5.ebuild | 129 +++++++++++++++++++++++++++
 2 files changed, 130 insertions(+)