927502 – <app-containers/buildah-{1.33.7,1.34.3,1.35.3}: container escape

Bug 927502 - <app-containers/buildah-{1.33.7,1.34.3,1.35.3}: container escape

Summary: <app-containers/buildah-{1.33.7,1.34.3,1.35.3}: container escape

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	B1 [glsa+]
Keywords:	PullRequest, SECURITY

Depends on:	927575
Blocks:	CVE-2024-1753
	Show dependency tree

Reported:	2024-03-22 10:43 UTC by Rahil Bhimjiani
Modified:	2024-07-10 06:36 UTC (History)
CC List:	3 users (show)

See Also:	https://github.com/gentoo/gentoo/pull/35943
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Rahil Bhimjiani 2024-03-22 10:43:18 UTC

https://github.com/containers/buildah/releases

Comment 1 Larry the Git Cow gentoo-dev

2024-03-23 08:29:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da62fc25c5269bad61409b528c7cd456de6f2a9d

commit da62fc25c5269bad61409b528c7cd456de6f2a9d
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-22 10:45:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-23 08:29:05 +0000

    app-containers/buildah: add 1.33.7 and 1.34.3 fix security issues
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927502
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927499
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-containers/buildah/Manifest              |   2 +
 app-containers/buildah/buildah-1.33.7.ebuild | 122 +++++++++++++++++++++++++++
 app-containers/buildah/buildah-1.34.3.ebuild | 122 +++++++++++++++++++++++++++
 3 files changed, 246 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb5cdc4d715577eda7f2c05fda26c2dca3976e33

commit cb5cdc4d715577eda7f2c05fda26c2dca3976e33
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-20 23:43:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-23 08:28:59 +0000

    app-containers/buildah: add 1.35.1 to fix HIGH severity security fix
    
    Fixes:
    8.6/10 CVE-2024-1753 https://nvd.nist.gov/vuln/detail/CVE-2024-1753
    
    Let's stabilize this and cleanup old versions ASAP
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927502
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-containers/buildah/Manifest                    |   3 +-
 app-containers/buildah/buildah-1.34.1.ebuild       | 125 ---------------------
 ...buildah-1.35.0.ebuild => buildah-1.35.1.ebuild} |   0
 3 files changed, 1 insertion(+), 127 deletions(-)

Comment 2 Larry the Git Cow gentoo-dev

2024-03-31 00:13:27 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43b007f04043855ca1604cc6499576b235703282

commit 43b007f04043855ca1604cc6499576b235703282
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-27 05:32:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-03-31 00:05:41 +0000

    app-containers/buildah: add 1.35.3
    
    Bug: https://bugs.gentoo.org/927499
    Bug: https://bugs.gentoo.org/927502
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    From: https://github.com/gentoo/gentoo/pull/35943
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   1 +
 app-containers/buildah/buildah-1.35.3.ebuild | 128 +++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)

Comment 3 Larry the Git Cow gentoo-dev

2024-04-01 00:36:31 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2548753d633ea5a15c023e8584418a96fd1823a6

commit 2548753d633ea5a15c023e8584418a96fd1823a6
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-31 07:23:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-01 00:35:09 +0000

    app-containers/buildah: cleanup vulnerable versions
    
    1.33.5, 1.33.6
    1.34.0
    1.35.1
    
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Bug: https://bugs.gentoo.org/927499
    Bug: https://bugs.gentoo.org/927502
    Closes: https://github.com/gentoo/gentoo/pull/36011
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   4 -
 app-containers/buildah/buildah-1.33.5.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.33.6.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.34.0.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.35.1.ebuild | 132 ---------------------------
 5 files changed, 511 deletions(-)

Comment 4 Larry the Git Cow gentoo-dev

2024-07-10 06:35:20 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=f5c4590ccc7fba60f1b11c716c6abb083c0f5ddd

commit f5c4590ccc7fba60f1b11c716c6abb083c0f5ddd
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-07-10 06:35:05 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-07-10 06:35:16 +0000

    [ GLSA 202407-25 ] Buildah: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/923650
    Bug: https://bugs.gentoo.org/927499
    Bug: https://bugs.gentoo.org/927502
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202407-25.xml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)