
Bug 836840 (CVE-2022-27651)

Summary: <app-containers/buildah-1.25.1: containers started with non-empty inheritable capabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 836966
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-05 14:15:55 UTC
CVE-2022-27651:

A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.

Patch: https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b

Please bump to 1.25.
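The mechanism behind the CVE is the execve(2) capability transformation from capabilities(7): the new permitted set includes the intersection of the process's inheritable set and the binary's file inheritable set, so a process whose inheritable set was never cleared can gain capabilities simply by running a binary that carries them. The following Go program is an added example written for this bug page, not code from buildah, Moby or the Gentoo commits referenced here. It parses the Cap* lines of /proc/<pid>/status, applies the capabilities(7) rule for the new permitted set, and reports whether a process has the empty inheritable set a hardened runtime should give it. The two status excerpts are constructed samples (a non-root process whose runtime left the common default capability set in CapInh, and the same process after the fix); the capability bit numbers are from linux/capability.h, and the binary with only an inheritable file capability (CAP_NET_RAW, bit 13) is a hypothetical input used to show the difference.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Capability bit numbers from linux/capability.h. Only the bits needed to
// label the sample sets are named; any other bit is printed as CAP_<n>.
var capNames = map[uint]string{
	0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 3: "CAP_FOWNER", 4: "CAP_FSETID",
	5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
	10: "CAP_NET_BIND_SERVICE", 13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT",
	21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP",
}

// CapSets holds the five capability masks a process reports in /proc/<pid>/status.
type CapSets struct {
	Inheritable, Permitted, Effective, Bounding, Ambient uint64
}

// ParseProcStatus extracts the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines from
// the text of /proc/<pid>/status; every other line is ignored.
func ParseProcStatus(text string) (CapSets, error) {
	var cs CapSets
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 || !strings.HasPrefix(fields[0], "Cap") {
			continue
		}
		mask, err := strconv.ParseUint(fields[1], 16, 64)
		if err != nil {
			return cs, fmt.Errorf("bad capability mask in %q: %w", sc.Text(), err)
		}
		switch fields[0] {
		case "CapInh:":
			cs.Inheritable = mask
		case "CapPrm:":
			cs.Permitted = mask
		case "CapEff:":
			cs.Effective = mask
		case "CapBnd:":
			cs.Bounding = mask
		case "CapAmb:":
			cs.Ambient = mask
		}
	}
	return cs, sc.Err()
}

// Names expands a capability mask into capability names, lowest bit first.
func Names(mask uint64) []string {
	var out []string
	for bit := uint(0); bit < 64; bit++ {
		if mask&(1<<bit) == 0 {
			continue
		}
		if n, ok := capNames[bit]; ok {
			out = append(out, n)
		} else {
			out = append(out, fmt.Sprintf("CAP_%d", bit))
		}
	}
	return out
}

// PermittedAfterExec applies the capabilities(7) rule for the permitted set
// after execve(2) of a binary with file capabilities fileInh / filePerm:
//   P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding)) | P'(ambient)
// where P'(ambient) is cleared when the binary carries file capabilities.
// The first term is the one this advisory is about: it is only non-zero when
// the process still carries a non-empty inheritable set.
func PermittedAfterExec(p CapSets, fileInh, filePerm uint64) uint64 {
	ambient := p.Ambient
	if fileInh|filePerm != 0 {
		ambient = 0
	}
	return (p.Inheritable & fileInh) | (filePerm & p.Bounding) | ambient
}

// InheritableIsEmpty is the property a non-root process inside a container
// should satisfy once the runtime clears the inheritable set.
func InheritableIsEmpty(p CapSets) bool { return p.Inheritable == 0 }

// Constructed sample excerpts of /proc/self/status (not taken from the bug):
// a non-root container process whose inheritable set still holds the default
// capability set, and the same process after the fix.
const vulnerableStatus = `Name:	sh
Uid:	1000	1000	1000	1000
CapInh:	00000000a80425fb
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

const fixedStatus = `Name:	sh
Uid:	1000	1000	1000	1000
CapInh:	0000000000000000
CapPrm:	0000000000000000
CapEff:	0000000000000000
CapBnd:	00000000a80425fb
CapAmb:	0000000000000000
`

func main() {
	// Hypothetical binary carrying only an inheritable file capability.
	fileInh := uint64(1) << 13 // CAP_NET_RAW
	for _, s := range []string{vulnerableStatus, fixedStatus} {
		cs, err := ParseProcStatus(s)
		if err != nil {
			panic(err)
		}
		fmt.Printf("inheritable empty: %v (%v)\n", InheritableIsEmpty(cs), Names(cs.Inheritable))
		fmt.Printf("permitted after exec: %v\n\n", Names(PermittedAfterExec(cs, fileInh, 0)))
	}
}
```

Run against a live container, the same parser can read /proc/self/status of a process started as a non-root user; a non-empty CapInh for such a process is the condition the buildah 1.25.1 fix removes.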
Comment 1 Larry the Git Cow gentoo-dev 2022-04-06 00:51:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c02c4bcb593825d12d89aae1b7a94e55c953f5e2

commit c02c4bcb593825d12d89aae1b7a94e55c953f5e2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-04-06 00:49:23 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-04-06 00:49:32 +0000

    app-containers/buildah: add 1.25.1
    
    Bug: https://bugs.gentoo.org/836840
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |  1 +
 app-containers/buildah/buildah-1.25.1.ebuild | 51 ++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-04-06 01:49:23 UTC
Thanks! Please stable when ready.
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-11 02:13:46 UTC
Please clean up
Comment 4 Larry the Git Cow gentoo-dev 2022-04-11 03:42:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0cbe38451f71d1a5445958c44cba3906f4c1b9b

commit d0cbe38451f71d1a5445958c44cba3906f4c1b9b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-04-11 03:41:59 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-04-11 03:42:04 +0000

    app-containers/buildah: drop vulnerable versions
    
    Bug: https://bugs.gentoo.org/836840
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest                 |  3 --
 app-containers/buildah/buildah-1.23.1-r1.ebuild | 51 -------------------------
 app-containers/buildah/buildah-1.24.2.ebuild    | 51 -------------------------
 app-containers/buildah/buildah-1.24.3.ebuild    | 51 -------------------------
 4 files changed, 156 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-11 14:58:10 UTC
Thanks! Relatively low impact so no GLSA. All done!