Your message dated Tue, 15 Oct 2024 05:55:59 -0400
with message-id <[email protected]>
and subject line Re: Upstream considers this unfixable in podman, needs changes in linux
has caused the Debian Bug report #1083188,
regarding podman: CVE-2024-3056
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1083188: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1083188
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: podman
X-Debbugs-CC: [email protected]
Severity: normal
Tags: security
Hi,
The following vulnerability was published for podman.
CVE-2024-3056[0]:
| A flaw was found in Podman. This issue may allow an attacker to
| create a specially crafted container that, when configured to share
| the same IPC with at least one other container, can create a large
| number of IPC resources in /dev/shm. The malicious container will
| continue to exhaust resources until it is out-of-memory (OOM)
| killed. While the malicious container's cgroup will be removed, the
| IPC resources it created are not. Those resources are tied to the
| IPC namespace that will not be removed until all containers using it
| are stopped, and one non-malicious container is holding the
| namespace open. The malicious container is restarted, either
| automatically or by attacker control, repeating the process and
| increasing the amount of memory consumed. With a container
| configured to restart always, such as `podman run --restart=always`,
| this can result in a memory-based denial of service of the system.
https://bugzilla.redhat.com/show_bug.cgi?id=2270717
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-3056
https://www.cve.org/CVERecord?id=CVE-2024-3056
Please adjust the affected versions in the BTS as needed.
--- End Message ---
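The precondition described above (a container sharing another container's IPC namespace while configured to restart always) can be audited from `podman inspect` output. The following is an added example, not part of the bug report or of podman; it assumes the Docker-compatible `HostConfig.IpcMode` and `HostConfig.RestartPolicy.Name` fields that podman emits, and runs on a constructed sample rather than a live host.

```python
import json

# Constructed sample of `podman inspect` output (not from the report), trimmed
# to the fields the audit needs. Field names follow the Docker-compatible
# HostConfig layout podman emits; treat them as an assumption to verify.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "db",
     "HostConfig": {"IpcMode": "shareable",
                    "RestartPolicy": {"Name": "no"}}},
    {"Id": "bbb222", "Name": "worker",
     "HostConfig": {"IpcMode": "container:aaa111",
                    "RestartPolicy": {"Name": "always"}}},
    {"Id": "ccc333", "Name": "web",
     "HostConfig": {"IpcMode": "private",
                    "RestartPolicy": {"Name": "always"}}},
])

def ipc_groups(containers):
    """Map each IPC-namespace owner id to the ids of containers joined to it."""
    groups = {}
    for c in containers:
        mode = c["HostConfig"].get("IpcMode", "")
        if mode.startswith("container:"):
            owner = mode.split(":", 1)[1]
            groups.setdefault(owner, set()).add(c["Id"])
        elif mode == "shareable":
            groups.setdefault(c["Id"], set())
    return groups

def audit(inspect_json):
    """Return names of containers matching the CVE-2024-3056 precondition:
    they share an IPC namespace with another container and restart always,
    so an OOM kill would not free the namespace's /dev/shm resources."""
    containers = json.loads(inspect_json)
    by_id = {c["Id"]: c for c in containers}
    flagged = []
    for owner, members in ipc_groups(containers).items():
        if not members:  # shareable but nobody joined: nothing holds it open
            continue
        for cid in members | {owner}:
            c = by_id.get(cid)
            if c and c["HostConfig"]["RestartPolicy"].get("Name") == "always":
                flagged.append(c["Name"])
    return sorted(flagged)

if __name__ == "__main__":
    print(audit(SAMPLE_INSPECT))  # ['worker']
```

On a real host, feed it `podman inspect $(podman ps -aq)` and review each flagged container's need for a shared IPC namespace.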
--- Begin Message ---
On 2024-10-13 08:14, Moritz Mühlenhoff wrote:
> On Tue, Oct 08, 2024 at 06:03:43AM -0400, Reinhard Tartler wrote:
>> Hi Moritz,
>> I've forwarded this bug upstream on their Matrix channel, and to their
>> github at: https://github.com/containers/podman/issues/24192
>> Seems upstream believes a remediation requires code changes in the
>> Linux kernel. What's the best way to proceed with this bug here?
> And for the BTS please simply close the bugs (1083188 and 1083202) with
> a reference to the upstream issue.
Sounds good.
I've reached out to [email protected] to get the CVE descriptions and
https://bugzilla.redhat.com/show_bug.cgi?id=2270717 updated.
Best,
-rt
--- End Message ---
_______________________________________________
Pkg-go-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-go-maintainers