Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 715822 (CVE-2020-10696)

Summary: <app-emulation/buildah-1.14.5: Path traversal vulnerability (CVE-2020-10696)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-01 23:42:20 UTC 
Description:
"A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-01 23:42:44 UTC 
@maintainer(s), please create an appropriate ebuild
Comment 2 Larry the Git Cow gentoo-dev 2020-04-02 00:23:54 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bfd2964a5f3220b1aff8aff09caa32dac521e4fc

commit bfd2964a5f3220b1aff8aff09caa32dac521e4fc
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-04-02 00:22:18 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-04-02 00:23:46 +0000

    app-emulation/buildah: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/715822
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/buildah/Manifest                 |  9 -----
 app-emulation/buildah/buildah-1.11.5-r1.ebuild | 56 --------------------------
 app-emulation/buildah/buildah-1.11.6.ebuild    | 56 --------------------------
 app-emulation/buildah/buildah-1.12.0.ebuild    | 50 -----------------------
 app-emulation/buildah/buildah-1.13.1.ebuild    | 50 -----------------------
 app-emulation/buildah/buildah-1.14.0.ebuild    | 50 -----------------------
 app-emulation/buildah/buildah-1.14.2.ebuild    | 50 -----------------------
 app-emulation/buildah/buildah-1.14.3.ebuild    | 47 ---------------------
 app-emulation/buildah/buildah-1.14.4.ebuild    | 47 ---------------------
 9 files changed, 415 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79b2c618fff2d7d600b22404da0c1f5d16c58dcc

commit 79b2c618fff2d7d600b22404da0c1f5d16c58dcc
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-04-02 00:20:56 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-04-02 00:23:46 +0000

    app-emulation/buildah: Bump to version 1.14.5
    
    Bug: https://bugs.gentoo.org/715822
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/buildah/Manifest              |  1 +
 app-emulation/buildah/buildah-1.14.5.ebuild | 47 +++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-02 00:32:11 UTC 
Cleanup done. I'm nominating you for an award for speed this month. Thank you!

Closing because noglsa, tree clean.