MGASA-2024-0343 - Updated buildah, podman, skopeo packages fix security vulnerabilities

Publication date: 01 Nov 2024
URL: https://advisories.mageia.org/MGASA-2024-0343.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2024-1753,
     CVE-2024-3727,
     CVE-2023-45290,
     CVE-2024-28180,
     CVE-2024-28176,
     CVE-2024-9341,
     CVE-2024-6104,
     CVE-2024-9407

A flaw was found in Buildah (and subsequently Podman Build) which allows
containers to mount arbitrary locations on the host filesystem into
build containers. A malicious Containerfile can use a dummy image with a
symbolic link to the root filesystem as a mount source and cause the
mount operation to mount the host root filesystem inside the RUN step.
The commands inside the RUN step will then have read-write access to the
host filesystem, allowing for full container escape at build time.
(CVE-2024-1753)
A flaw was found in the github.com/containers/image library. This flaw
allows attackers to trigger unexpected authenticated registry accesses
on behalf of a victim user, causing resource exhaustion, local path
traversal, and other attacks. (CVE-2024-3727)
When parsing a multipart form (either explicitly with
Request.ParseMultipartForm or implicitly with Request.FormValue,
Request.PostFormValue, or Request.FormFile), limits on the total size of
the parsed form were not applied to the memory consumed while reading a
single form line. This permits a maliciously crafted input containing
very long lines to cause allocation of arbitrarily large amounts of
memory, potentially leading to memory exhaustion. With the fix, the
ParseMultipartForm function now correctly limits the maximum size of
form lines. (CVE-2023-45290)
Package jose aims to provide an implementation of the JavaScript Object
Signing and Encryption set of standards. An attacker could send a JWE
containing compressed data that used large amounts of memory and CPU
when decompressed by Decrypt or DecryptMulti. Those functions now return
an error if the decompressed data would exceed 250kB or 10x the
compressed size (whichever is larger). This vulnerability has been
patched in versions 4.0.1, 3.0.3 and 2.6.3. (CVE-2024-28180)
jose is a JavaScript module for JSON Object Signing and Encryption,
providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS),
JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS),
and more. A vulnerability has been identified in the JSON Web Encryption
(JWE) decryption interfaces, specifically related to the support for
decompressing plaintext after its decryption. Under certain conditions
it is possible to have the user's environment consume an unreasonable
amount of CPU time or memory during JWE Decryption operations. This
issue has been patched in versions 2.0.7 and 4.15.5. (CVE-2024-28176)
A flaw was found in Go. When FIPS mode is enabled on a system, container
runtimes may incorrectly handle certain file paths due to improper
validation in the containers/common Go library. This flaw allows an
attacker to exploit symbolic links and trick the system into mounting
sensitive host directories inside a container. This issue also allows
attackers to access critical host files, bypassing the intended
isolation between containers and the host system. (CVE-2024-9341)
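
CVE-2024-1753 and CVE-2024-9341 both turn on a mount source that is a symbolic link leading out of the intended directory. The check below resolves the link before deciding; it is an added illustration, not the buildah or containers/common fix, and the function names and directory layout are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveWithinRoot follows symlinks in rel and rejects a result outside root.
func resolveWithinRoot(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(realRoot, rel))
	if err != nil {
		return "", err
	}
	within, err := filepath.Rel(realRoot, resolved)
	if err != nil {
		return "", err
	}
	if within == ".." || strings.HasPrefix(within, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q resolves to %q, outside %q", rel, resolved, realRoot)
	}
	return resolved, nil
}

// demoRoot builds a constructed root: directory "data", symlink "rootlink" -> "/".
func demoRoot() (string, error) {
	root, err := os.MkdirTemp("", "imgroot")
	if err != nil {
		return "", err
	}
	if err := os.Mkdir(filepath.Join(root, "data"), 0o755); err != nil {
		return "", err
	}
	return root, os.Symlink("/", filepath.Join(root, "rootlink"))
}

func main() {
	root, err := demoRoot()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	fmt.Println(resolveWithinRoot(root, "rootlink"))
}
```

Resolving and mounting are separate steps, so the path returned here is the one that must be mounted, and the tree must not be writable by untrusted code in between.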
go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them
to its log file. This could lead to go-retryablehttp writing sensitive
HTTP basic auth credentials to its log file. This vulnerability,
CVE-2024-6104, was fixed in go-retryablehttp 0.7.7. (CVE-2024-6104)
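
For CVE-2024-6104, two things are worth having: a way to strip credentials from a URL before it is logged, and a way to find log lines written before the update that already contain them. This is an added example, not go-retryablehttp code; the function names, the log line layout and the registry.example host are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// safeURL returns a form of raw that can be written to a log: the userinfo
// part (user:password@) is dropped. If raw does not parse, a placeholder is
// returned, because both raw and the *url.Error text would contain the secret.
func safeURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable URL>"
	}
	u.User = nil
	return u.String()
}

// credsInURL matches scheme://user:password@ anywhere in a line.
var credsInURL = regexp.MustCompile(`[A-Za-z][A-Za-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@`)

// leakedLines returns the indexes of log lines that embed URL credentials.
func leakedLines(lines []string) []int {
	var hits []int
	for i, l := range lines {
		if credsInURL.MatchString(l) {
			hits = append(hits, i)
		}
	}
	return hits
}

// Constructed log lines; host, user and password are placeholders.
var sampleLog = []string{
	"[DEBUG] GET https://registry.example/v2/",
	"[DEBUG] GET https://ci:s3cr3t@registry.example/v2/",
	"[DEBUG] GET https://registry.example:8443/v2/app@sha256",
}

func main() {
	fmt.Println(safeURL("https://ci:s3cr3t@registry.example/v2/"))
	fmt.Println(leakedLines(sampleLog))
}
```

Any credential that turns up in an existing log should be treated as exposed and rotated.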
A vulnerability exists in the bind-propagation option of the Dockerfile
RUN --mount instruction. The system does not properly validate the input
passed to this option, allowing users to pass arbitrary parameters to
the mount instruction. This issue can be exploited to mount sensitive
directories from the host into a container during the build process and,
in some cases, modify the contents of those mounted files. Even if
SELinux is used, this vulnerability can bypass its protection by
allowing the source directory to be relabeled to give the container
access to host files. (CVE-2024-9407)

References:
- https://bugs.mageia.org/show_bug.cgi?id=33036
- https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
- https://github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/
- https://lwn.net/Articles/978101/
- https://lwn.net/Articles/978102/
- https://lists.suse.com/pipermail/sle-security-updates/2024-July/018858.html
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/PJ4RBOYLRKSRUVS77S4OAZ7SQJWH36K2/
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/MYMA7BZJZTURAPGKHV2ACU3HBJTKVYMK/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1753
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3727
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45290
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28180
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28176
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9341
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6104
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9407

SRPMS:
- 9/core/buildah-1.37.4-1.mga9
- 9/core/podman-4.9.5-1.mga9
- 9/core/skopeo-1.16.1-1.mga9
