CVE-2022-27649 (https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j):

A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions. A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

https://bugzilla.redhat.com/show_bug.cgi?id=2066568
https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0

CVE-2022-27191 (https://groups.google.com/g/golang-announce/c/-cp44ypCT5s):

golang.org/x/crypto/ssh before 0.0.0-20220314234659-1baeb1ce4c0b in Go through 1.16.15 and 1.17.x through 1.17.8 allows an attacker to crash a server in certain circumstances involving AddHostKey.

Fixes in 3.4.6, please bump.
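Added example, not part of the original report or of Podman's code: the execve(2) rule from capabilities(7) applied to a container process whose inheritable set is non-empty versus empty, which is the condition CVE-2022-27649 describes. The status text, the mask value and the function names are constructed for illustration.

```python
# Added illustration; the status text and masks are constructed samples.
CAP_NET_BIND_SERVICE = 1 << 10   # bit numbers from <linux/capability.h>
CAP_NET_ADMIN = 1 << 12

# Constructed /proc/<pid>/status excerpt: non-root process, inheritable set filled.
VULNERABLE_STATUS = """\
Name:\tsleep
CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
# Same process as a fixed runtime would start it: empty inheritable set.
FIXED_STATUS = VULNERABLE_STATUS.replace(
    "CapInh:\t00000000a80425fb", "CapInh:\t0000000000000000")

def parse_caps(status_text):
    """Return the Cap* masks from /proc/<pid>/status text as integers."""
    caps = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            caps[key] = int(value.strip(), 16)
    return caps

def permitted_after_execve(proc, file_inh, file_prm=0):
    """capabilities(7): P'(prm) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(amb).

    Set-user-ID and set-group-ID files are ignored here for brevity.
    """
    file_has_caps = bool(file_inh or file_prm)
    ambient = 0 if file_has_caps else proc.get("CapAmb", 0)
    return (proc["CapInh"] & file_inh) | (file_prm & proc["CapBnd"]) | ambient

def audit(status_text):
    """Flag a process that was started with a non-empty inheritable set."""
    inh = parse_caps(status_text)["CapInh"]
    return f"non-empty CapInh {inh:#018x}" if inh else None

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_STATUS), ("fixed", FIXED_STATUS)):
        gained = permitted_after_execve(parse_caps(text), CAP_NET_BIND_SERVICE)
        print(label, audit(text), f"permitted after execve: {gained:#x}")
```

The same `CapInh` check works on a live host by passing the contents of `/proc/<pid>/status` for a container process to `audit`.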
The fix was cherry-picked and podman-4.0.3 has it already: https://github.com/containers/podman/commit/7b368768c2990b9781b2b6813e1c7f91c7e6cb13
(In reply to Zac Medico from comment #1)
> The fix was cherry-picked and podman-4.0.3 has it already:
>
> https://github.com/containers/podman/commit/7b368768c2990b9781b2b6813e1c7f91c7e6cb13

Are we still affected by the Go issue, though?

(In reply to John Helmert III from comment #2)
> Are we still affected by the Go issue, though?

Well, podman-4.0.3 has a vulnerable version. However, the commit which pulls the fix into 3.4.6 says that podman does not call the affected logic:

https://github.com/containers/podman/commit/c02d993f6a88f338c69a4428e4d27e8ae2c7b0b8
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2487b5c1c4aa0ec1d18cb666c0166418f57b831e

commit 2487b5c1c4aa0ec1d18cb666c0166418f57b831e
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-05-07 16:06:47 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-05-07 16:09:29 +0000

    app-containers/podman: add 4.1.0

    Bug: https://bugs.gentoo.org/838232
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 +
 app-containers/podman/podman-4.1.0.ebuild | 164 ++++++++++++++++++++++++++++++
 2 files changed, 165 insertions(+)
Thanks! Please stabilize when ready.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23313af83c15d70067555bb93e25ed56eb2f133c

commit 23313af83c15d70067555bb93e25ed56eb2f133c
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-06-05 15:13:17 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-06-05 15:13:30 +0000

    app-containers/podman: drop 4.0.3

    Bug: https://bugs.gentoo.org/838232
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 -
 app-containers/podman/podman-4.0.3.ebuild | 164 ------------------------------
 2 files changed, 165 deletions(-)
Thanks! All done.