Source: golang-github-containers-buildah
Version: 1.33.5+ds1-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for golang-github-containers-buildah.

CVE-2024-1753[0]:
| A flaw was found in Buildah (and subsequently Podman Build) which
| allows containers to mount arbitrary locations on the host
| filesystem into build containers. A malicious Containerfile can use
| a dummy image with a symbolic link to the root filesystem as a mount
| source and cause the mount operation to mount the host root
| filesystem inside the RUN step. The commands inside the RUN step
| will then have read-write access to the host filesystem, allowing
| for full container escape at build time.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1753
    https://www.cve.org/CVERecord?id=CVE-2024-1753
[1] https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
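
The class of check that the CVE description above calls for, as an added example that is not part of the original report and is not Buildah's code: a mount source taken from an image is resolved as if the image root were `/`, so a symlink to `/` stays inside the image instead of reaching the host root. The names `resolveInRoot` and `demo` and the temporary directory layout are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInRoot resolves p as if root were "/", so no symlink or ".." can leave root.
func resolveInRoot(root, p string) (string, error) {
	cur, todo := "/", strings.Split(p, "/") // cur: resolved so far, relative to root
	for links := 0; len(todo) > 0; {
		part := todo[0]
		todo = todo[1:]
		if part == "" || part == "." {
			continue
		}
		next := filepath.Join(cur, part) // Join cleans, so ".." stops at "/"
		target, err := os.Readlink(filepath.Join(root, next))
		if err != nil || next == "/" { // not a symlink, missing, or the root itself
			cur = next
			continue
		}
		if links++; links > 40 {
			return "", fmt.Errorf("too many symlinks resolving %q", p)
		}
		if filepath.IsAbs(target) {
			cur = "/" // absolute target restarts at the image root, not the host's
		}
		todo = append(strings.Split(target, "/"), todo...)
	}
	return filepath.Join(root, cur), nil
}

// demo builds a constructed image root holding "src -> /" and resolves "src" both ways.
func demo() (naive, scoped, root string, err error) {
	if root, err = os.MkdirTemp("", "imgroot"); err == nil {
		err = os.Symlink("/", filepath.Join(root, "src"))
	}
	if err == nil {
		naive, err = filepath.EvalSymlinks(filepath.Join(root, "src"))
	}
	if err == nil {
		scoped, err = resolveInRoot(root, "src")
	}
	return
}

func main() { fmt.Println(demo()) }
```

The resolution works on path strings, so it is only sound if nothing can modify the image tree between the check and the mount.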