Bug 2265513 (CVE-2024-1753)

Summary: CVE-2024-1753 buildah: full container escape at build time
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: adam.kaplan, ddarrah, dfreiber, drow, jburrell, jnovy, mheon, nalin, rogbas, security-response-team, sidakwo, tsweeney, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: buildah 1.35.1, buildah 1.34.3, buildah 1.33.7, buildah 1.32.3, buildah 1.31.5, buildah 1.29.3, buildah 1.27.4, buildah 1.26.7, buildah 1.24.7, podman 4.9.4, podman 5.0.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2270124, 2270125
Bug Blocks: 2265522

Description Avinash Hanwate 2024-02-22 14:04:16 UTC
When performing bind mounts as part of a build-time RUN step, the 'source' argument is not validated to ensure that it exists within the root filesystem. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
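The description above pins the bug on one missing check: the bind-mount source is joined onto the image rootfs and the resulting path is followed without confirming that it still lies inside that rootfs, so a symlink in the image that points at "/" lands the mount on the host's root. The following Go program is an added example, not buildah's or podman's own code and not the upstream fix; it shows the naive join beside a symlink-safe resolution that re-interprets every symlink target relative to the image root. The function names, the temporary "dummy image" rootfs it builds (an etc/ directory plus a symlink named "escape" pointing at "/") and the sample source paths are all assumptions made for the demonstration.

```go
// Added example (not buildah's own code): the unsafe pattern the description
// identifies, next to a symlink-safe resolution of a bind-mount source inside
// an image rootfs. Names, paths and the demo rootfs layout are assumptions.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned if a resolved path would leave the rootfs.
var ErrEscapesRoot = errors.New("mount source resolves outside the image rootfs")

// NaiveSourcePath is the vulnerable pattern: join root and source, then let
// the OS follow symlinks. A symlink inside the image that points at "/" is
// followed to the host's "/", so the bind mount exposes the host filesystem.
func NaiveSourcePath(root, source string) (string, error) {
	return filepath.EvalSymlinks(filepath.Join(root, source))
}

// SecureSourcePath resolves source as if root were "/": every symlink target
// is reinterpreted relative to root, and ".." can never climb above it.
// The returned host-side path always has root as a prefix.
func SecureSourcePath(root, source string) (string, error) {
	root = filepath.Clean(root)
	current := "/" // resolved path so far, as seen from inside the rootfs
	remaining := strings.Split(filepath.Clean("/"+source), "/")
	hops := 0
	for len(remaining) > 0 {
		comp := remaining[0]
		remaining = remaining[1:]
		switch comp {
		case "", ".":
			continue
		case "..":
			current = filepath.Dir(current) // Dir("/") is "/", so this cannot escape
			continue
		}
		next := filepath.Join(current, comp)
		fi, err := os.Lstat(filepath.Join(root, next)) // Lstat: do not follow the link
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			current = next
			continue
		}
		hops++
		if hops > 40 {
			return "", errors.New("too many levels of symbolic links")
		}
		target, err := os.Readlink(filepath.Join(root, next))
		if err != nil {
			return "", err
		}
		// An absolute target restarts at the rootfs "/" (not the host "/");
		// a relative one continues from the link's own directory. Either way
		// the target's components are pushed back and walked the same way.
		if filepath.IsAbs(target) {
			current = "/"
		}
		remaining = append(strings.Split(filepath.Clean(target), "/"), remaining...)
	}
	hostPath := filepath.Join(root, current)
	// Defence in depth: the walk keeps current under "/", so this should never
	// trigger, but a mount helper must not rely on the walk alone.
	if hostPath != root && !strings.HasPrefix(hostPath, root+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return hostPath, nil
}

// BuildDemoRootfs creates a constructed "dummy image" rootfs in dir: an etc/
// directory and a symlink named "escape" pointing at "/".
func BuildDemoRootfs(dir string) error {
	if err := os.Mkdir(filepath.Join(dir, "etc"), 0o755); err != nil {
		return err
	}
	return os.Symlink("/", filepath.Join(dir, "escape"))
}

func main() {
	root, err := os.MkdirTemp("", "dummy-image-rootfs-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := BuildDemoRootfs(root); err != nil {
		panic(err)
	}
	for _, src := range []string{"escape", "escape/etc", "../../../etc"} {
		naive, _ := NaiveSourcePath(root, src)
		secure, err := SecureSourcePath(root, src)
		fmt.Printf("source=%-14q naive=%-24q secure=%q err=%v\n", src, naive, secure, err)
	}
}
```

Running it prints the naive resolution of "escape" as the host "/" and of "../../../etc" as the host "/etc", while the secure walk returns the image's own root and etc/ for the same inputs. The point for a mount helper is that the check has to happen on the path the kernel will actually open, with symlinks and ".." evaluated against the image root rather than the host's, and an Lstat-based walk is the usual way to get that without racing against the image contents.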

Comment 4 Anten Skrabec 2024-03-18 14:12:17 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2270125]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2270124]

Comment 8 Anten Skrabec 2024-04-06 13:19:45 UTC
removed buildah affects for openshift per comment on OCPBUGS-31004 and related openshift-4/buildah trackers

Comment 9 errata-xmlrpc 2024-04-25 08:06:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2055 https://access.redhat.com/errata/RHSA-2024:2055

Comment 10 errata-xmlrpc 2024-04-25 15:05:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2064 https://access.redhat.com/errata/RHSA-2024:2064

Comment 11 errata-xmlrpc 2024-04-25 15:29:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:2066 https://access.redhat.com/errata/RHSA-2024:2066

Comment 12 errata-xmlrpc 2024-04-29 00:26:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2077 https://access.redhat.com/errata/RHSA-2024:2077

Comment 13 errata-xmlrpc 2024-04-29 02:27:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2084 https://access.redhat.com/errata/RHSA-2024:2084

Comment 14 errata-xmlrpc 2024-04-29 08:48:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:2089 https://access.redhat.com/errata/RHSA-2024:2089

Comment 15 errata-xmlrpc 2024-04-29 11:29:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2098 https://access.redhat.com/errata/RHSA-2024:2098

Comment 16 errata-xmlrpc 2024-05-01 15:16:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2645 https://access.redhat.com/errata/RHSA-2024:2645

Comment 17 errata-xmlrpc 2024-05-02 16:56:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2049 https://access.redhat.com/errata/RHSA-2024:2049

Comment 18 errata-xmlrpc 2024-05-09 14:11:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2669 https://access.redhat.com/errata/RHSA-2024:2669

Comment 19 errata-xmlrpc 2024-05-09 17:13:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2672 https://access.redhat.com/errata/RHSA-2024:2672

Comment 23 errata-xmlrpc 2024-05-16 18:31:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:2784 https://access.redhat.com/errata/RHSA-2024:2784

Comment 24 errata-xmlrpc 2024-05-22 11:38:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3254 https://access.redhat.com/errata/RHSA-2024:3254

Comment 25 errata-xmlrpc 2024-05-23 18:41:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2877 https://access.redhat.com/errata/RHSA-2024:2877