Version: 1.37.5+ds1-1
Matthias Geerdsen <[email protected]> writes:
> The following vulnerability was published for
> golang-github-containers-buildah.
>
> CVE-2024-9676[0]:
> | A vulnerability was found in Podman, Buildah, and CRI-O. A symlink
> | traversal vulnerability in the containers/storage library can cause
> | Podman, Buildah, and CRI-O to hang and result in a denial of service
> | via OOM kill when running a malicious image using an automatically
> | assigned user namespace (`--userns=auto` in Podman and Buildah). The
> | containers/storage library will read /etc/passwd inside the
> | container, but does not properly validate if that file is a symlink,
> | which can be used to cause the library to read an arbitrary file on
> | the host.
This was fixed in containers/storage:
golang-github-containers-storage (1.55.1+ds1-1) unstable; urgency=medium
* New upstream release: v1.55.1
- Bump dependency on securejoin, addresses CVE-2024-9676
-- Reinhard Tartler <[email protected]> Sat, 19 Oct 2024 09:34:17 -0400
This version of containers/storage was picked up in commit
c78b1b7e0fbb14056a033aca157bb4792dab7912 and relased as:
golang-github-containers-buildah (1.37.5+ds1-1) unstable; urgency=medium
* New upstream release
- Bump containers/storage to incoroprate the fixes for CVE-2024-3675
* drop 0005-Properly-validate-cache-IDs-and-sources.patch, merged upstream
-- Reinhard Tartler <[email protected]> Sun, 20 Oct 2024 19:17:05 -0400
Let me know if you have further questions.
