I've uploaded a fixed version of buildah to sid yesterday, and a new upstream version of libpod that builds against the fixed buildah just now.
Thanks for filing this report, I believe we should be all set now once the builds reach the archive.

On Tue, Mar 26, 2024 at 6:00 PM Salvatore Bonaccorso <[email protected]> wrote:
> Source: golang-github-containers-buildah
> Version: 1.33.5+ds1-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerability was published for
> golang-github-containers-buildah.
>
> CVE-2024-1753[0]:
> | A flaw was found in Buildah (and subsequently Podman Build) which
> | allows containers to mount arbitrary locations on the host
> | filesystem into build containers. A malicious Containerfile can use
> | a dummy image with a symbolic link to the root filesystem as a mount
> | source and cause the mount operation to mount the host root
> | filesystem inside the RUN step. The commands inside the RUN step
> | will then have read-write access to the host filesystem, allowing
> | for full container escape at build time.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2024-1753
>     https://www.cve.org/CVERecord?id=CVE-2024-1753
> [1] https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>

--
regards,
Reinhard
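The quoted advisory describes a mount source inside an image whose symlink points at the host root. The defensive check that class of bug calls for is to resolve the source path as if the image rootfs were "/", so a link can never redirect the mount onto the host. The Go function below is an added illustration of that check, not buildah's own fix; `ResolveInRoot`, its argument names and the 40-hop limit are assumptions chosen for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ResolveInRoot resolves rel inside rootfs as if rootfs were "/": symlinks are
// followed, but absolute link targets are re-rooted at rootfs, not the host,
// and ".." can never climb above rootfs. Missing components are kept verbatim.
func ResolveInRoot(rootfs, rel string) (string, error) {
	root := filepath.Clean(rootfs)
	cur, hops := root, 0
	todo := strings.Split(rel, "/")
	for len(todo) > 0 {
		part := todo[0]
		todo = todo[1:]
		switch part {
		case "", ".":
			continue
		case "..":
			if cur != root { // clamp: never leave the image root
				cur = filepath.Dir(cur)
			}
			continue
		}
		next := filepath.Join(cur, part)
		fi, err := os.Lstat(next)
		if err != nil && !os.IsNotExist(err) {
			return "", err
		}
		if err != nil || fi.Mode()&os.ModeSymlink == 0 {
			cur = next // plain file or directory, or not created yet
			continue
		}
		target, err := os.Readlink(next)
		if hops++; err != nil || hops > 40 {
			return "", fmt.Errorf("symlink %s (hop %d): %v", next, hops, err)
		}
		// A relative target resolves from the link's directory (cur); an
		// absolute one restarts at the image root, never at the host "/".
		if filepath.IsAbs(target) {
			cur = root
		}
		todo = append(strings.Split(target, "/"), todo...)
	}
	return cur, nil
}
```

With a constructed rootfs containing `escape -> /`, `ResolveInRoot(root, "escape/etc")` yields `root/etc` rather than the host's `/etc`, which is the property a mount-source check needs before handing the path to the mount call.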

