Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 927502 - <app-containers/buildah-{1.33.7,1.34.3,1.35.3}: container escape
Summary: <app-containers/buildah-{1.33.7,1.34.3,1.35.3}: container escape
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1[glsa]
Keywords: PullRequest, SECURITY
Depends on: CVE-2024-1753 927575
Blocks:
  Show dependency tree
 
Reported: 2024-03-22 10:43 UTC by Rahil Bhimjiani
Modified: 2024-05-11 08:40 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rahil Bhimjiani 2024-03-22 10:43:18 UTC
https://github.com/containers/buildah/releases
Comment 1 Larry the Git Cow gentoo-dev 2024-03-23 08:29:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da62fc25c5269bad61409b528c7cd456de6f2a9d

commit da62fc25c5269bad61409b528c7cd456de6f2a9d
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-22 10:45:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-23 08:29:05 +0000

    app-containers/buildah: add 1.33.7 and 1.34.3 fix security issues
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927502
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927499
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-containers/buildah/Manifest              |   2 +
 app-containers/buildah/buildah-1.33.7.ebuild | 122 +++++++++++++++++++++++++++
 app-containers/buildah/buildah-1.34.3.ebuild | 122 +++++++++++++++++++++++++++
 3 files changed, 246 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cb5cdc4d715577eda7f2c05fda26c2dca3976e33

commit cb5cdc4d715577eda7f2c05fda26c2dca3976e33
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-20 23:43:27 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-23 08:28:59 +0000

    app-containers/buildah: add 1.35.1 to fix HIGH severity security fix
    
    Fixes:
    8.6/10 CVE-2024-1753 https://nvd.nist.gov/vuln/detail/CVE-2024-1753
    
    Let's stabilize this and cleanup old versions ASAP
    
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=927502
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-containers/buildah/Manifest                    |   3 +-
 app-containers/buildah/buildah-1.34.1.ebuild       | 125 ---------------------
 ...buildah-1.35.0.ebuild => buildah-1.35.1.ebuild} |   0
 3 files changed, 1 insertion(+), 127 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2024-03-31 00:13:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43b007f04043855ca1604cc6499576b235703282

commit 43b007f04043855ca1604cc6499576b235703282
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-27 05:32:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-03-31 00:05:41 +0000

    app-containers/buildah: add 1.35.3
    
    Bug: https://bugs.gentoo.org/927499
    Bug: https://bugs.gentoo.org/927502
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    From: https://github.com/gentoo/gentoo/pull/35943
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   1 +
 app-containers/buildah/buildah-1.35.3.ebuild | 128 +++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2024-04-01 00:36:31 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2548753d633ea5a15c023e8584418a96fd1823a6

commit 2548753d633ea5a15c023e8584418a96fd1823a6
Author:     Rahil Bhimjiani <me@rahil.rocks>
AuthorDate: 2024-03-31 07:23:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2024-04-01 00:35:09 +0000

    app-containers/buildah: cleanup vulnerable versions
    
    1.33.5, 1.33.6
    1.34.0
    1.35.1
    
    Signed-off-by: Rahil Bhimjiani <me@rahil.rocks>
    Bug: https://bugs.gentoo.org/927499
    Bug: https://bugs.gentoo.org/927502
    Closes: https://github.com/gentoo/gentoo/pull/36011
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest              |   4 -
 app-containers/buildah/buildah-1.33.5.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.33.6.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.34.0.ebuild | 125 -------------------------
 app-containers/buildah/buildah-1.35.1.ebuild | 132 ---------------------------
 5 files changed, 511 deletions(-)