Bug 2265513 (CVE-2024-1753) - CVE-2024-1753 buildah: full container escape at build time
Summary: CVE-2024-1753 buildah: full container escape at build time
Keywords:
Status: NEW
Alias: CVE-2024-1753
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270125 2270124
Blocks: 2265522
Reported: 2024-02-22 14:04 UTC by Avinash Hanwate
Modified: 2024-04-25 15:29 UTC (History)

Fixed In Version: buildah 1.35.1, buildah 1.34.3, buildah 1.33.7, buildah 1.32.3, buildah 1.31.5, buildah 1.29.3, buildah 1.27.4, buildah 1.26.7, buildah 1.24.7, podman 4.9.4, podman 5.0.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  | ID             | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata  | RHSA-2024:2055 | 0       | None     | None   | None    | 2024-04-25 08:06:31 UTC
Red Hat Product Errata  | RHSA-2024:2064 | 0       | None     | None   | None    | 2024-04-25 15:05:54 UTC
Red Hat Product Errata  | RHSA-2024:2066 | 0       | None     | None   | None    | 2024-04-25 15:29:13 UTC

Description Avinash Hanwate 2024-02-22 14:04:16 UTC
When performing bind mounts as part of a build-time RUN step, the 'source' argument is not validated to ensure that it exists within the root filesystem. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
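
The description above pins the root cause on a missing containment check: a mount source taken from the build context is resolved against the host, so a symlink in a dummy image can redirect it to the host root. The Go program below is an added illustration of the kind of check a build tool needs, not code from buildah or Podman and not the upstream fix (which is not shown on this page). The function name resolveWithinRoot, the hop limit and the throwaway container root it builds are all assumptions made for the example. It resolves the mount source component by component, re-roots any absolute symlink target inside the container root instead of the host, clamps ".." at the root, and rejects symlink cycles; the constructed scenario includes a symlink to "/" exactly like the one the report describes, and shows it resolving to a path under the container root rather than to the host filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// maxSymlinkHops is an assumed limit (the kernel uses 40 for ELOOP); it stops cycles.
const maxSymlinkHops = 40

// resolveWithinRoot (hypothetical name) resolves a Containerfile mount source
// against the container root. Symlinks are followed one component at a time,
// an absolute link target is reinterpreted relative to root instead of the
// host, and ".." never climbs above root. The result is the host path that is
// safe to hand to the bind mount.
func resolveWithinRoot(root, source string) (string, error) {
	root = filepath.Clean(root)
	// Clean behind a leading "/" so "../../etc" collapses to "/etc" first.
	rel := strings.TrimPrefix(filepath.Clean("/"+source), "/")
	var queue []string
	if rel != "" {
		queue = strings.Split(rel, "/")
	}
	current, hops := root, 0
	for len(queue) > 0 {
		comp := queue[0]
		queue = queue[1:]
		switch comp {
		case "", ".":
			continue
		case "..":
			if current != root { // clamp at the container root
				current = filepath.Dir(current)
			}
			continue
		}
		next := filepath.Join(current, comp)
		fi, err := os.Lstat(next)
		if errors.Is(err, os.ErrNotExist) {
			// Nothing below a missing component can be a symlink: join the rest and validate.
			return checkInside(root, filepath.Join(append([]string{next}, queue...)...))
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			current = next
			continue
		}
		if hops++; hops > maxSymlinkHops {
			return "", fmt.Errorf("too many symlinks resolving %q", source)
		}
		target, err := os.Readlink(next)
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			// A link to "/" (the case in the report) lands on the container root, not the host.
			current = root
			target = strings.TrimPrefix(filepath.Clean(target), "/")
		}
		if target != "" {
			queue = append(strings.Split(target, "/"), queue...)
		}
	}
	return checkInside(root, current)
}

// checkInside is the final containment check: the path must be root or below it.
func checkInside(root, p string) (string, error) {
	p = filepath.Clean(p)
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", fmt.Errorf("mount source %q escapes container root %q", p, root)
	}
	return p, nil
}

// buildScenario creates a throwaway container root (constructed for this example)
// with a benign directory, a symlink whose target is the host "/", and a symlink loop.
func buildScenario() (root string, cleanup func(), err error) {
	if root, err = os.MkdirTemp("", "rootfs-"); err != nil {
		return "", nil, err
	}
	cleanup = func() { os.RemoveAll(root) }
	if err = os.MkdirAll(filepath.Join(root, "data", "cache"), 0o755); err == nil {
		if err = os.Symlink("/", filepath.Join(root, "escape")); err == nil {
			err = os.Symlink("loop", filepath.Join(root, "loop"))
		}
	}
	if err != nil {
		cleanup()
		return "", nil, err
	}
	return root, cleanup, nil
}

func main() {
	root, cleanup, err := buildScenario()
	if err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	defer cleanup()
	for _, src := range []string{"/data/cache", "/escape/etc", "../../etc", "/loop"} {
		got, err := resolveWithinRoot(root, src)
		fmt.Printf("%-12s -> %s (err: %v)\n", src, got, err)
	}
}
```

The design point is that rejecting the mount outright is not the only safe option: re-rooting absolute symlink targets (the same idea as a chroot-aware secure join) keeps legitimate in-image links working while guaranteeing the resolved source can never leave the container root. The final checkInside call is deliberately redundant with the clamping logic so that a future change to the resolver cannot silently reopen the escape.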

Comment 4 Anten Skrabec 2024-03-18 14:12:17 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2270125]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2270124]

Comment 8 Anten Skrabec 2024-04-06 13:19:45 UTC
Removed buildah affects for openshift per comment on OCPBUGS-31004 and related openshift-4/buildah trackers.

Comment 9 errata-xmlrpc 2024-04-25 08:06:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2055 https://access.redhat.com/errata/RHSA-2024:2055

Comment 10 errata-xmlrpc 2024-04-25 15:05:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2064 https://access.redhat.com/errata/RHSA-2024:2064

Comment 11 errata-xmlrpc 2024-04-25 15:29:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:2066 https://access.redhat.com/errata/RHSA-2024:2066
