Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 838232 (CVE-2022-27191) - <app-containers/podman-4.1.0: multiple vulnerabilities
Summary: <app-containers/podman-4.1.0: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-27191
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 849419
Blocks:
  Show dependency tree
 
Reported: 2022-04-13 18:32 UTC by John Helmert III
Modified: 2022-06-05 16:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-13 18:32:34 UTC
CVE-2022-27649 (https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j):

A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

https://bugzilla.redhat.com/show_bug.cgi?id=2066568
https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0

CVE-2022-27191 (https://groups.google.com/g/golang-announce/c/-cp44ypCT5s):

golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b in Go through 1.16.15 and 1.17.x through 1.17.8 allows an attacker to crash a server in certain circumstances involving AddHostKey.


Fixes in 3.4.6, please bump.
Comment 1 Zac Medico gentoo-dev 2022-04-14 01:55:27 UTC
The fix was cherry-picked and podman-4.0.3 has it already: 

https://github.com/containers/podman/commit/7b368768c2990b9781b2b6813e1c7f91c7e6cb13
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-14 19:01:25 UTC
(In reply to Zac Medico from comment #1)
> The fix was cherry-picked and podman-4.0.3 has it already: 
> 
> https://github.com/containers/podman/commit/
> 7b368768c2990b9781b2b6813e1c7f91c7e6cb13

Are we still affected by the Go issue, though?
Comment 3 Zac Medico gentoo-dev 2022-04-15 02:59:56 UTC
(In reply to John Helmert III from comment #2)
> Are we still affected by the Go issue, though?

Well, podman-4.0.3 has a vulnerable version. However, the commit which pulls the fix into 3.4.6 says that podman does not call the affected logic:

https://github.com/containers/podman/commit/c02d993f6a88f338c69a4428e4d27e8ae2c7b0b8
Comment 4 Larry the Git Cow gentoo-dev 2022-05-07 16:09:59 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2487b5c1c4aa0ec1d18cb666c0166418f57b831e

commit 2487b5c1c4aa0ec1d18cb666c0166418f57b831e
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-05-07 16:06:47 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-05-07 16:09:29 +0000

    app-containers/podman: add 4.1.0
    
    Bug: https://bugs.gentoo.org/838232
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 +
 app-containers/podman/podman-4.1.0.ebuild | 164 ++++++++++++++++++++++++++++++
 2 files changed, 165 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-05-10 16:03:25 UTC
Thanks! Please stabilize when ready.
Comment 6 Larry the Git Cow gentoo-dev 2022-06-05 15:13:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23313af83c15d70067555bb93e25ed56eb2f133c

commit 23313af83c15d70067555bb93e25ed56eb2f133c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-06-05 15:13:17 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-06-05 15:13:30 +0000

    app-containers/podman: drop 4.0.3
    
    Bug: https://bugs.gentoo.org/838232
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 -
 app-containers/podman/podman-4.0.3.ebuild | 164 ------------------------------
 2 files changed, 165 deletions(-)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-06-05 16:50:16 UTC
Thanks! All done.