Bug 2317467 (CVE-2024-9676)

Summary: CVE-2024-9676 Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS)
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: asdas, bdettelb, bmontgom, doconnor, dpaolell, eparis, jburrell, jdelft, jupierce, lgarciaa, mbenatto, mbiarnes, nstielau, security-response-team, sidsharm, talessio, teagle, tsweeney, vlaad, ximhan, yuxzhu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2319015, 2319016, 2319017, 2319018, 2319019, 2319020
Bug Blocks:
Deadline: 2024-10-15

Description OSIDB Bzimport 2024-10-09 03:04:42 UTC
A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and potentially be DoSed via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host. This file is only read, and if it does not properly parse as a copy of `/etc/passwd` it will cause an error (there is a small risk of information disclosure via the error message here, as elements of the file that failed to parse can be included, but this is only as the user running Podman/Buildah/CRI-O, so it wouldn't be a file they did not already have access to). The report here discovered that you can symlink /etc/passwd in the container to a FIFO on the host, causing a hang as the file cannot be completely read (or an OOM condition if the FIFO is continuously written to, which was then read by Podman). This hang could occur in a critical section in the c/storage library, blocking other processes from creating containers, but could be easily solved via a SIGKILL of the affected process. The ability to potentially crash the CRI-O service via OOM kill could be more relevant, though the attacker would have to know the path of a FIFO that is regularly being written to on the host in order to do this.
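The description above boils down to three missing checks when a library reads a file out of a container root: the path must not escape the root through a symlink, the target must be a regular file (not a FIFO, device or directory), and the read must be bounded. The Go program below is an added example, not code from containers/storage or the upstream fix, showing one defensive way to do that read. `ReadRegularInRoot`, `BuildFixture`, `Scenario`, the `MaxPasswdBytes` cap, the fixture file names and the single passwd line are all constructed for this illustration; the fixture builds a throwaway "root" with a regular file, an absolute symlink and a FIFO, and reports how each attempt is handled.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// Sentinel errors so callers can tell the rejection reasons apart.
var (
	ErrEscape     = errors.New("path escapes the root")
	ErrSymlink    = errors.New("symlink component inside the root")
	ErrNotRegular = errors.New("not a regular file")
	ErrTooLarge   = errors.New("file exceeds size cap")
)

// MaxPasswdBytes is an assumed cap; it bounds memory even if the target grows forever.
const MaxPasswdBytes = 1 << 20

// ReadRegularInRoot reads rel (relative to root, e.g. "etc/passwd") and returns its
// contents. It rejects absolute or ".." paths, any symlink component between root and
// the file (a symlink would resolve against the host filesystem, not the container
// root), and any final entry that is not a regular file, so a FIFO is never read.
func ReadRegularInRoot(root, rel string) ([]byte, error) {
	clean := filepath.Clean(rel)
	sep := string(filepath.Separator)
	if filepath.IsAbs(clean) || clean == ".." || strings.HasPrefix(clean, ".."+sep) {
		return nil, ErrEscape
	}
	cur := root
	for _, part := range strings.Split(clean, sep) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur) // Lstat: never follow a link while walking
		if err != nil {
			return nil, err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return nil, ErrSymlink
		}
	}
	// O_NOFOLLOW/O_NONBLOCK are belt and braces: if the entry changed after the
	// walk, a symlink fails to open and a FIFO cannot block the open or the read.
	f, err := os.OpenFile(cur, os.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_NONBLOCK, 0)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	fi, err := f.Stat() // fstat on the open descriptor closes the check-then-open race
	if err != nil {
		return nil, err
	}
	if !fi.Mode().IsRegular() {
		return nil, ErrNotRegular
	}
	data, err := io.ReadAll(io.LimitReader(f, MaxPasswdBytes+1))
	if err != nil {
		return nil, err
	}
	if len(data) > MaxPasswdBytes {
		return nil, ErrTooLarge
	}
	return data, nil
}

// BuildFixture creates a constructed "container root" under dir with a regular
// etc/passwd, a symlink etc/passwd-link to an absolute host path, and a FIFO
// etc/passwd-fifo (the hang/OOM shape from the report). It returns the root path.
func BuildFixture(dir string) (string, error) {
	root := filepath.Join(dir, "root")
	etc := filepath.Join(root, "etc")
	if err := os.MkdirAll(etc, 0o755); err != nil {
		return "", err
	}
	line := []byte("root:x:0:0:root:/root:/bin/sh\n") // constructed sample entry
	if err := os.WriteFile(filepath.Join(etc, "passwd"), line, 0o644); err != nil {
		return "", err
	}
	if err := os.Symlink("/etc/passwd", filepath.Join(etc, "passwd-link")); err != nil {
		return "", err
	}
	if err := syscall.Mkfifo(filepath.Join(etc, "passwd-fifo"), 0o644); err != nil {
		return "", err
	}
	return root, nil
}

// Scenario builds the fixture in a temp dir, tries each read, and reports the outcome.
func Scenario() (map[string]string, error) {
	dir, err := os.MkdirTemp("", "storage-symlink-demo")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	root, err := BuildFixture(dir)
	if err != nil {
		return nil, err
	}
	out := map[string]string{}
	for _, rel := range []string{"etc/passwd", "etc/passwd-link", "etc/passwd-fifo", "../outside"} {
		data, err := ReadRegularInRoot(root, rel)
		switch {
		case err == nil:
			out[rel] = fmt.Sprintf("ok:%d bytes", len(data))
		case errors.Is(err, ErrEscape):
			out[rel] = "rejected:escape"
		case errors.Is(err, ErrSymlink):
			out[rel] = "rejected:symlink"
		case errors.Is(err, ErrNotRegular):
			out[rel] = "rejected:not-regular"
		default:
			out[rel] = "error:" + err.Error()
		}
	}
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		fmt.Println("fixture error:", err)
		return
	}
	for rel, result := range out {
		fmt.Printf("%-16s %s\n", rel, result)
	}
}
```

The Lstat walk is what prevents the host-file read described in the report, and the regular-file check plus `O_NONBLOCK` is what prevents the FIFO hang; the size cap turns a continuously written stream into a clean error rather than unbounded memory growth. On current Linux kernels the walk can be replaced by `openat2(2)` with `RESOLVE_IN_ROOT`, which pins every component of the lookup to the root in one system call, but the file-type and size checks are still needed afterwards.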

Comment 1 errata-xmlrpc 2024-10-29 17:58:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:8437 https://access.redhat.com/errata/RHSA-2024:8437

Comment 2 errata-xmlrpc 2024-10-30 01:29:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8418 https://access.redhat.com/errata/RHSA-2024:8418

Comment 3 errata-xmlrpc 2024-10-31 03:56:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:8428 https://access.redhat.com/errata/RHSA-2024:8428

Comment 4 errata-xmlrpc 2024-11-06 03:42:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:8686 https://access.redhat.com/errata/RHSA-2024:8686

Comment 5 errata-xmlrpc 2024-11-06 14:48:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:8690 https://access.redhat.com/errata/RHSA-2024:8690

Comment 6 errata-xmlrpc 2024-11-07 03:29:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12
  Ironic content for Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:8694 https://access.redhat.com/errata/RHSA-2024:8694

Comment 7 errata-xmlrpc 2024-11-08 15:00:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:8700 https://access.redhat.com/errata/RHSA-2024:8700

Comment 8 errata-xmlrpc 2024-11-11 01:27:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9051 https://access.redhat.com/errata/RHSA-2024:9051

Comment 9 errata-xmlrpc 2024-11-12 11:12:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9454 https://access.redhat.com/errata/RHSA-2024:9454

Comment 10 errata-xmlrpc 2024-11-12 11:13:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9459 https://access.redhat.com/errata/RHSA-2024:9459

Comment 11 errata-xmlrpc 2024-11-13 04:23:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:8984 https://access.redhat.com/errata/RHSA-2024:8984

Comment 12 errata-xmlrpc 2024-11-19 01:51:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:9926 https://access.redhat.com/errata/RHSA-2024:9926

Comment 13 errata-xmlrpc 2024-11-26 06:43:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10289 https://access.redhat.com/errata/RHSA-2024:10289

Comment 14 errata-xmlrpc 2025-02-05 13:37:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0876 https://access.redhat.com/errata/RHSA-2025:0876

Comment 19 errata-xmlrpc 2025-03-13 05:47:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:2454 https://access.redhat.com/errata/RHSA-2025:2454

Comment 20 errata-xmlrpc 2025-03-19 20:55:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:2710 https://access.redhat.com/errata/RHSA-2025:2710

Comment 21 errata-xmlrpc 2025-04-03 00:21:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:3301 https://access.redhat.com/errata/RHSA-2025:3301