Bug 838232

Summary:	<app-containers/podman-4.1.0: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	zmedico
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B3 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:	849419
Bug Blocks:	883667

Description John Helmert III archtester

2022-04-13 18:32:34 UTC

CVE-2022-27649 (https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j):

A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

https://bugzilla.redhat.com/show_bug.cgi?id=2066568
https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0

CVE-2022-27191 (https://groups.google.com/g/golang-announce/c/-cp44ypCT5s):

golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b in Go through 1.16.15 and 1.17.x through 1.17.8 allows an attacker to crash a server in certain circumstances involving AddHostKey.


Fixes in 3.4.6, please bump.

Comment 1 Zac Medico gentoo-dev

2022-04-14 01:55:27 UTC

The fix was cherry-picked and podman-4.0.3 has it already: 

https://github.com/containers/podman/commit/7b368768c2990b9781b2b6813e1c7f91c7e6cb13

Comment 2 John Helmert III archtester

2022-04-14 19:01:25 UTC

(In reply to Zac Medico from comment #1)
> The fix was cherry-picked and podman-4.0.3 has it already: 
> 
> https://github.com/containers/podman/commit/
> 7b368768c2990b9781b2b6813e1c7f91c7e6cb13

Are we still affected by the Go issue, though?

Comment 3 Zac Medico gentoo-dev

2022-04-15 02:59:56 UTC

(In reply to John Helmert III from comment #2)
> Are we still affected by the Go issue, though?

Well, podman-4.0.3 has a vulnerable version. However, the commit which pulls the fix into 3.4.6 says that podman does not call the affected logic:

https://github.com/containers/podman/commit/c02d993f6a88f338c69a4428e4d27e8ae2c7b0b8

Comment 4 Larry the Git Cow gentoo-dev

2022-05-07 16:09:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2487b5c1c4aa0ec1d18cb666c0166418f57b831e

commit 2487b5c1c4aa0ec1d18cb666c0166418f57b831e
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-05-07 16:06:47 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-05-07 16:09:29 +0000

    app-containers/podman: add 4.1.0
    
    Bug: https://bugs.gentoo.org/838232
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 +
 app-containers/podman/podman-4.1.0.ebuild | 164 ++++++++++++++++++++++++++++++
 2 files changed, 165 insertions(+)

Comment 5 John Helmert III archtester

2022-05-10 16:03:25 UTC

Thanks! Please stabilize when ready.

Comment 6 Larry the Git Cow gentoo-dev

2022-06-05 15:13:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23313af83c15d70067555bb93e25ed56eb2f133c

commit 23313af83c15d70067555bb93e25ed56eb2f133c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-06-05 15:13:17 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-06-05 15:13:30 +0000

    app-containers/podman: drop 4.0.3
    
    Bug: https://bugs.gentoo.org/838232
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 -
 app-containers/podman/podman-4.0.3.ebuild | 164 ------------------------------
 2 files changed, 165 deletions(-)

Comment 7 John Helmert III archtester

2022-06-05 16:50:16 UTC

Thanks! All done.