Bug 923650

Summary:	<app-containers/buildah-1.33.5 multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Rahil Bhimjiani <me>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	UNCONFIRMED ---
Severity:	normal	CC:	me
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://github.com/gentoo/gentoo/pull/35159 https://bugs.gentoo.org/show_bug.cgi?id=923751 https://github.com/gentoo/gentoo/pull/35502
Whiteboard:	B3 [glsa?]
Package list:		Runtime testing required:	---
Bug Depends on:	924456
Bug Blocks:	924288

Description Rahil Bhimjiani 2024-02-03 01:49:03 UTC

CVE-2024-23651 https://github.com/advisories/GHSA-m3r6-h7wv-7xxv, CVE-2024-23652 https://github.com/advisories/GHSA-4v98-7qmw-rqr8, and CVE-2024-23653 https://github.com/advisories/GHSA-wr6v-9f75-vh2g 

https://github.com/containers/podman/releases/tag/v4.9.2

Comment 1 Sam James archtester

2024-02-03 13:39:22 UTC

We only put fixed versions in the summary (so we update it to the first fixed versions in tree once stuff is merged).

Could you also split this into podman vs buildah (file a new bug for one of them)? Thanks.

Comment 2 Larry the Git Cow gentoo-dev

2024-02-08 03:17:23 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe94090c6c36be4cf9ea7f989ee41e908b8019a2

commit fe94090c6c36be4cf9ea7f989ee41e908b8019a2
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-02-03 00:57:28 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-02-08 03:17:17 +0000

    app-containers/buildah: add 1.33.5
    
    This release addresses a number of Buildkit vulnerabilities including but not limited to: CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653.
    
    Bug: https://bugs.gentoo.org/923650
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   1 +
 app-containers/buildah/buildah-1.33.5.ebuild | 125 +++++++++++++++++++++++++++
 2 files changed, 126 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2024-03-07 01:08:13 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bac2d4fb3007aa999ed3ae25c276a79ee19c66f8

commit bac2d4fb3007aa999ed3ae25c276a79ee19c66f8
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-02-23 07:33:29 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-03-07 01:01:26 +0000

    app-containers/buildah: add 1.34.1
    
    security fixes and some more features
    https://github.com/containers/buildah/releases/tag/v1.34.1
    
    Bug: https://bugs.gentoo.org/923650
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Closes: https://github.com/gentoo/gentoo/pull/35502
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   1 +
 app-containers/buildah/buildah-1.34.1.ebuild | 125 +++++++++++++++++++++++++++
 app-containers/buildah/buildah-9999.ebuild   |   2 +-
 3 files changed, 127 insertions(+), 1 deletion(-)