Hi,

On Fri, Nov 03, 2023 at 10:03:32PM +0200, Faidon Liambotis wrote:
> Hi folks,
>
> TL;DR, please mark CVE-2023-0778 as not affecting bullseye.

TL;DR does not count ;-) It always needs a reasoning.

> I was looking into CVE-2023-0778, a vulnerability in podman
> (src:libpod). The vulnerability's description is:
>
> > This issue may allow a malicious user to replace a normal file in a
> > volume with a symlink while exporting the volume, allowing for access
> > to arbitrary files on the host file system."
>
> RedHat's bug, https://bugzilla.redhat.com/show_bug.cgi?id=2168256 says:
>
> > An attacker who has control on a container using a Volume can traverse
> > arbitrary files on the host filesystem (which essentially is an
> > escape) when an administrator tries to export this Volume, by
> > exploiting a TOCTTOU vulnerability to replace a normal file in the
> > Volume as a symlink.
>
> security-tracker lists this as fixed in bookworm/trixie/sid, and links
> to the 6ca857f commit from upstream git, included in
> v4.3.1/v4.7.1/v4.7.2. This is correct.
>
> security-tracker also lists bullseye (3.0.1+dfsg1-3+deb11u4) as
> vulnerable, given (presumably) that it does not include the
> aforementioned commit.

Not necessarily: if it's not clear, rather err on the safe side and mark something as affected, rather than wrongly as not-affected. I just wanted to mention that; final comment see below:

> I looked more into it, and it seems that bullseye is actually NOT
> affected. bullseye has podman v3.0.1, but "volume export" was introduced
> with v3.4.0, and specifically upstream commit edddfe8, v3.4.0-rc1~96^2.
>
> From a bullseye machine:
> root@ae004bcf150b:~# cat /etc/debian_version
> 11.7
> root@ae004bcf150b:~# dpkg-query -W podman
> podman 3.0.1+dfsg1-3+deb11u4
> root@ae004bcf150b:~# podman volume export
> Error: unrecognized command `podman volume export`
> Try 'podman volume --help' for more information.
> root@ae004bcf150b:~# podman volume --help
> Manage volumes
>
> Description:
>   Volumes are created in and can be shared between containers
>
> Usage:
>   podman volume [command]
>
> Available Commands:
>   create      Create a new volume
>   inspect     Display detailed information on one or more volumes
>   ls          List volumes
>   prune       Remove all unused volumes
>   rm          Remove one or more volumes
>
> I also looked at the source. TarToFilesystem(), that the commit replaces,
> exists, but is not referenced from anywhere.
> cmd/podman/volumes/export.go does not exist.

That all makes sense and it looks correct. I had a look at the edddfe8c4f7761b12dc64ea4aa0a83b755aa124f commit, and your reasoning and inspection make it sufficiently clear that the entry can be updated. I have just done so with https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e828136e0342397af3b1131bcce1d58203ede2d5 .

Thank you!

Regards,
Salvatore

_______________________________________________
Pkg-go-maintainers mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-go-maintainers
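The export-time TOCTTOU the thread describes (a regular file in the volume swapped for a symlink between the directory walk and the copy) is what a volume exporter has to close. The following is an added Go example, not podman's code and not the upstream fix: it opens each leaf with O_NOFOLLOW and fstat's the open descriptor before copying it into the tar stream, so the type check and the read apply to the same inode. The function name ExportVolumeNoFollow is my own.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"syscall"
)

// ExportVolumeNoFollow archives every regular file under root and returns the
// paths written. Each leaf is opened with O_NOFOLLOW and fstat'ed through the
// open descriptor, so a file swapped for a symlink between the walk (check) and
// the copy (use) is refused rather than followed into the host filesystem.
func ExportVolumeNoFollow(root string, w io.Writer) ([]string, error) {
	tw := tar.NewWriter(w)
	var written []string
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		rel, _ := filepath.Rel(root, p) // cannot fail: Walk yields paths under root
		// Refuse to follow a symlink at the leaf (open fails with ELOOP on Linux).
		f, err := os.OpenFile(p, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
		if err != nil {
			return fmt.Errorf("refusing %s: %w", rel, err)
		}
		defer f.Close()
		st, err := f.Stat() // fstat on the descriptor: no second path lookup
		if err != nil {
			return err
		}
		if !st.Mode().IsRegular() {
			return fmt.Errorf("refusing %s: not a regular file", rel)
		}
		hdr := &tar.Header{Name: rel, Mode: int64(st.Mode().Perm()), Size: st.Size()}
		if err := tw.WriteHeader(hdr); err != nil {
			return err
		}
		if _, err := io.Copy(tw, f); err != nil {
			return err
		}
		written = append(written, rel)
		return nil
	})
	if err != nil {
		return written, err
	}
	return written, tw.Close()
}
```

O_NOFOLLOW guards only the final path component; a directory higher up the path swapped for a symlink needs fd-relative traversal (on Linux, openat2 with RESOLVE_BENEATH), which this example does not do.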
