Bug 2262225 (CVE-2024-23652)

Summary: CVE-2024-23652 moby/buildkit: possible host system access from mount stub cleaner
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: adudiak, bdettelb, brking, dfreiber, dhanak, doconnor, drow, dsimansk, epacific, gkamathe, gparvin, haoli, hkataria, jburrell, jcammara, jhardy, jmitchel, jneedle, jobarker, jwendell, kingland, kshier, kverlaen, lbainbri, luizcosta, mabashia, matzew, mnovotny, njean, nweather, owatkins, pahickey, pbraun, pierdipi, rcernich, rguimara, rhaigner, rhuss, sdawley, simaishi, smcdonal, stcannon, teagle, tfister, thavo, tkral, twalsh, vkumar, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: buildkit 0.12.5
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Moby Builder Toolkit (BuildKit) in the code that cleans up temporary directories it creates for mounts. A malicious BuildKit frontend, or a Dockerfile using RUN --mount, could deceive the routine that removes the empty files created as mount-point stubs into removing a file outside the container, affecting the host system. Successful exploitation may result in arbitrary deletion of files and directories on the underlying host OS when building an image from a malicious Dockerfile or upstream image (for example, one pulled in with FROM).
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2317700, 2318162
Bug Blocks: 2258742

Description TEJ RATHI 2024-02-01 09:56:28 UTC
Docker Buildkit <=v0.12.4, as used by the Docker engine. Exploitation of this issue can result in arbitrary file and directory deletion in the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e., when using FROM).

https://snyk.io/blog/cve-2024-23652-buildkit-build-time-container-teardown-arbitrary-delete/
https://github.com/moby/buildkit/pull/4603
https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8