CVE-2022-2990: An incorrect handling of the supplementary groups in the Buildah container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute binary code in that container. Patch was merged for 1.27.1; please stabilize.
Please clean up
Sorry, upstream patch is: https://github.com/containers/buildah/pull/4200
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=91158050d0c0989da46655ba58e50439f329f230

commit 91158050d0c0989da46655ba58e50439f329f230
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-09-19 23:33:33 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-09-19 23:33:39 +0000

    app-containers/buildah: drop 1.25.1, 1.27.0

    Bug: https://bugs.gentoo.org/870934
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |  2 --
 app-containers/buildah/buildah-1.25.1.ebuild | 51 ----------------------------
 app-containers/buildah/buildah-1.27.0.ebuild | 51 ----------------------------
 3 files changed, 104 deletions(-)
Thanks! Low impact, so no GLSA, all done!