Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 870931 (CVE-2022-2989) - <app-containers/podman-4.3.0: incorrect handling of supplementary groups
Summary: <app-containers/podman-4.3.0: incorrect handling of supplementary groups
Status: IN_PROGRESS
Alias: CVE-2022-2989
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.benthamsgaze.org/2022/08/...
Whiteboard: B4 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-17 17:59 UTC by John Helmert III
Modified: 2022-10-20 01:14 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-17 17:59:19 UTC
CVE-2022-2989:

An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.

The RedHat bug has no reference to upstream: https://bugzilla.redhat.com/show_bug.cgi?id=2121445
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-19 20:07:43 UTC
(In reply to John Helmert III from comment #0)
> CVE-2022-2989:
> 
> An incorrect handling of the supplementary groups in the Podman container
> engine might lead to the sensitive information disclosure or possible data
> modification if an attacker has direct access to the affected container
> where supplementary groups are used to set access permissions and is able to
> execute a binary code in that container.
> 
> The RedHat bug has no reference to upstream:
> https://bugzilla.redhat.com/show_bug.cgi?id=2121445

Now there is! Unreleased patch is: https://github.com/containers/podman/commit/5c7f28336171f0a5137edd274e45608120d31289
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-26 20:44:22 UTC
(In reply to John Helmert III from comment #1)
> (In reply to John Helmert III from comment #0)
> > CVE-2022-2989:
> > 
> > An incorrect handling of the supplementary groups in the Podman container
> > engine might lead to the sensitive information disclosure or possible data
> > modification if an attacker has direct access to the affected container
> > where supplementary groups are used to set access permissions and is able to
> > execute a binary code in that container.
> > 
> > The RedHat bug has no reference to upstream:
> > https://bugzilla.redhat.com/show_bug.cgi?id=2121445
> 
> Now there is! Unreleased patch is:
> https://github.com/containers/podman/commit/
> 5c7f28336171f0a5137edd274e45608120d31289

In v4.3.0-rc1
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-19 13:21:40 UTC
And now in 4.3.0. Please bump.
Comment 4 Larry the Git Cow gentoo-dev 2022-10-20 00:03:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e114cc38eb7cb4d434e366d6fff10281b483827

commit 6e114cc38eb7cb4d434e366d6fff10281b483827
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-10-20 00:02:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-10-20 00:02:57 +0000

    app-containers/podman: add 4.3.0
    
    Bug: https://bugs.gentoo.org/870931
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/podman/Manifest            |   1 +
 app-containers/podman/podman-4.3.0.ebuild | 165 ++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-20 01:14:53 UTC
Thank you! Please stabilize when ready.