Bug 924107

Summary:	app-containers/podman-tui multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Rahil Bhimjiani <me>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED INVALID
Severity:	normal	CC:	me
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://github.com/gentoo/gentoo/pull/34558
Whiteboard:
Package list:		Runtime testing required:	---

Description Rahil Bhimjiani 2024-02-08 14:01:13 UTC

CVE-2024-23651 https://github.com/advisories/GHSA-m3r6-h7wv-7xxv, CVE-2024-23652 https://github.com/advisories/GHSA-4v98-7qmw-rqr8, and CVE-2024-23653 https://github.com/advisories/GHSA-wr6v-9f75-vh2g 

https://github.com/containers/podman/releases/tag/v4.9.2

https://github.com/containers/podman-tui/releases/tag/v0.17.0

Comment 1 Hans de Graaff gentoo-dev

2024-02-08 14:27:11 UTC

These are CVEs for podman, how do they apply to podman-tui (given that there is a runtime dependency on app-containers/podman)?

Comment 2 Rahil Bhimjiani 2024-02-08 14:40:41 UTC

This is a go package. Podman is statically built into podman-tui. If you see *DEPEND in ebuild, app-containers/podman isn't mentioned there. 

If you look at https://github.com/containers/podman-tui/releases/tag/v0.17.0 it updated to podman-4.9.2 which fixes CVEs

Comment 3 Rahil Bhimjiani 2024-02-08 14:48:57 UTC

Okay after doing some research. I can confirm you're right.

CVEs are in moby/buildkit and podman-tui doens't have that module built-in. So no risk. 

But anyway it would be great to merge this 40 days old PR and which keep the API it in sync with podman-4.9.2

Comment 4 Hans de Graaff gentoo-dev

2024-02-08 17:58:23 UTC

(In reply to Rahil Bhimjiani from comment #2)
> If you see
> *DEPEND in ebuild, app-containers/podman isn't mentioned there. 

This is what is in podman-tui-0.14.0 (and your PR):

RDEPEND="
        >=app-containers/podman-4.0.2
"

Anyway, not relevant for the resolution of this issue.

Comment 5 Rahil Bhimjiani 2024-02-08 18:29:45 UTC

(In reply to Hans de Graaff from comment #4)
> (In reply to Rahil Bhimjiani from comment #2)
> > If you see
> > *DEPEND in ebuild, app-containers/podman isn't mentioned there. 
> 
> This is what is in podman-tui-0.14.0 (and your PR):

lmao...thanks for reporting, it shouldn't be like that. 

You didn't let this bug id (924107) go to waste. At least we found and fixed something. PR updated.

Comment 6 Larry the Git Cow gentoo-dev

2024-02-09 06:35:54 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=51caf6c8ba9089a752b415039fa92fdd9e66b90b

commit 51caf6c8ba9089a752b415039fa92fdd9e66b90b
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2023-12-30 02:22:21 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2024-02-09 06:35:52 +0000

    app-containers/podman-tui: add 0.17.0
    
    Bug: https://bugs.gentoo.org/924107
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-containers/podman-tui/Manifest                 |  1 +
 app-containers/podman-tui/podman-tui-0.17.0.ebuild | 34 ++++++++++++++++++++++
 app-containers/podman-tui/podman-tui-9999.ebuild   |  5 +---
 3 files changed, 36 insertions(+), 4 deletions(-)