Bug 2323971 (CVE-2024-0134)

Summary: CVE-2024-0134 nvidia-container-toolkit: specially-crafted container image can lead to the creation of unauthorized files on the host
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: debarshir, jeder, rgatica
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux. They contain a UNIX vulnerability where a specially crafted container image can create unauthorized files on the host. An attacker cannot control the name and location of the files. A successful exploit of this vulnerability might lead to data tampering.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2324080, 2324081, 2324082, 2324083, 2324084, 2324085    
Bug Blocks:    

Description OSIDB Bzimport 2024-11-05 19:01:42 UTC 
NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name and location of the files cannot be controlled by an attacker. A successful exploit of this vulnerability might lead to data tampering.
Comment 2 Debarshi Ray 2024-11-05 23:52:15 UTC 
Isn't this supposed to be CVE-2024-0132 and CVE-2024-0133, not CVE-2024-0134?

References:
https://nvidia.custhelp.com/app/answers/detail/a_id/5582
https://github.com/NVIDIA/nvidia-container-toolkit/releases/tag/v1.16.2
Comment 3 Debarshi Ray 2025-01-24 18:24:43 UTC 
(In reply to Debarshi Ray from comment #2)
> Isn't this supposed to be CVE-2024-0132 and CVE-2024-0133, not CVE-2024-0134?

Never mind.  I see that CVE-2024-0134 is a thing:
https://nvidia.custhelp.com/app/answers/detail/a_id/5585
https://github.com/NVIDIA/nvidia-container-toolkit/releases/tag/v1.17.0
https://github.com/advisories/GHSA-7jm9-xpwx-v999