Source: golang-github-containers-buildah
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,

The following vulnerabilities were published for golang-github-containers-buildah.

CVE-2024-9407[0]:
| A vulnerability exists in the bind-propagation option of the
| Dockerfile RUN --mount instruction. The system does not properly
| validate the input passed to this option, allowing users to pass
| arbitrary parameters to the mount instruction. This issue can be
| exploited to mount sensitive directories from the host into a
| container during the build process and, in some cases, modify the
| contents of those mounted files. Even if SELinux is used, this
| vulnerability can bypass its protection by allowing the source
| directory to be relabeled to give the container access to host
| files.

https://bugzilla.redhat.com/show_bug.cgi?id=2315887

CVE-2024-9675[1]:
| A vulnerability was found in Buildah. Cache mounts do not properly
| validate that user-specified paths for the cache are within our
| cache directory, allowing a `RUN` instruction in a Container file to
| mount an arbitrary directory from the host (read/write) into the
| container as long as those files can be accessed by the user running
| Buildah.

https://bugzilla.redhat.com/show_bug.cgi?id=2317458

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-9407
    https://www.cve.org/CVERecord?id=CVE-2024-9407
[1] https://security-tracker.debian.org/tracker/CVE-2024-9675
    https://www.cve.org/CVERecord?id=CVE-2024-9675

Please adjust the affected versions in the BTS as needed.
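Both CVEs above come down to missing input validation on `RUN --mount` options: CVE-2024-9407 is a propagation value passed through unchecked, CVE-2024-9675 is a cache id that is never proven to stay inside the cache directory. The following Go program is an added illustration of the two checks a builder needs, written for this report; it is not Buildah's own code and does not reproduce the upstream fix. The mount-option grammar, the allowlist of propagation modes, the cache directory `/var/cache/buildah`, and the sample specs are all assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// allowedPropagation is a closed set of values bind-propagation may take.
// Checking against an allowlist, instead of forwarding the string to the
// mount call, is the validation CVE-2024-9407 describes as missing.
// Hypothetical set for this example, not taken from Buildah's source.
var allowedPropagation = map[string]bool{
	"shared": true, "rshared": true,
	"slave": true, "rslave": true,
	"private": true, "rprivate": true,
}

// ParseMountSpec splits a --mount option string such as
// "type=bind,source=.,target=/src,bind-propagation=rslave" into key/value
// pairs. Bare tokens (e.g. "ro") are kept with an empty value; duplicate
// keys are rejected so a later value cannot silently override an earlier one.
func ParseMountSpec(spec string) (map[string]string, error) {
	opts := make(map[string]string)
	for _, field := range strings.Split(spec, ",") {
		k, v, _ := strings.Cut(field, "=")
		if k == "" {
			return nil, fmt.Errorf("malformed mount option %q", field)
		}
		if _, dup := opts[k]; dup {
			return nil, fmt.Errorf("duplicate mount option %q", k)
		}
		opts[k] = v
	}
	return opts, nil
}

// ValidatePropagation accepts only allowlisted propagation modes, so any
// other string (including one carrying extra mount parameters) is refused.
func ValidatePropagation(value string) error {
	if !allowedPropagation[value] {
		return fmt.Errorf("invalid bind-propagation value %q", value)
	}
	return nil
}

// ResolveCachePath joins a user-supplied cache id onto cacheDir and proves
// lexically that the result is still inside cacheDir, which is the
// containment check CVE-2024-9675 describes as missing. Empty and absolute
// ids, and ids that climb out with "..", are rejected.
func ResolveCachePath(cacheDir, id string) (string, error) {
	if id == "" {
		return "", errors.New("empty cache id")
	}
	if filepath.IsAbs(id) {
		return "", fmt.Errorf("cache id %q must be relative", id)
	}
	cacheDir = filepath.Clean(cacheDir)
	full := filepath.Join(cacheDir, id) // Join also collapses ".." segments
	rel, err := filepath.Rel(cacheDir, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("cache id %q escapes %s", id, cacheDir)
	}
	return full, nil
}

// ValidateMount applies both checks to a parsed --mount spec. In this
// simplified model a cache mount must carry an explicit id.
func ValidateMount(cacheDir string, opts map[string]string) error {
	if v, ok := opts["bind-propagation"]; ok {
		if err := ValidatePropagation(v); err != nil {
			return err
		}
	}
	if opts["type"] == "cache" {
		if _, err := ResolveCachePath(cacheDir, opts["id"]); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed sample specs: one benign, two that the checks must reject.
	specs := []string{
		"type=bind,source=.,target=/src,bind-propagation=rslave,ro",
		"type=bind,source=.,target=/src,bind-propagation=unknownmode",
		"type=cache,id=../../../etc,target=/c",
	}
	for _, s := range specs {
		opts, err := ParseMountSpec(s)
		if err == nil {
			err = ValidateMount("/var/cache/buildah", opts)
		}
		fmt.Printf("%-62s -> %v\n", s, err)
	}
}
```

The path check is purely lexical: it proves the joined path is under the cache directory as a string, but a symlink already present inside the cache directory could still point elsewhere, so a real implementation also resolves the existing prefix with `filepath.EvalSymlinks` before trusting the result.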

