Bug 2265513 (CVE-2024-1753) - CVE-2024-1753 buildah: full container escape at build time
Keywords:
Status: NEW
Alias: CVE-2024-1753
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270125 2270124
Blocks: 2265522
Reported: 2024-02-22 14:04 UTC by Avinash Hanwate
Modified: 2024-05-09 17:13 UTC (History)

Fixed In Version: buildah 1.35.1, buildah 1.34.3, buildah 1.33.7, buildah 1.32.3, buildah 1.31.5, buildah 1.29.3, buildah 1.27.4, buildah 1.26.7, buildah 1.24.7, podman 4.9.4, podman 5.0.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2710 0 None None None 2024-05-06 14:32:45 UTC
Red Hat Product Errata RHBA-2024:2761 0 None None None 2024-05-08 14:24:32 UTC
Red Hat Product Errata RHBA-2024:2762 0 None None None 2024-05-08 14:26:35 UTC
Red Hat Product Errata RHSA-2024:2049 0 None None None 2024-05-02 16:56:10 UTC
Red Hat Product Errata RHSA-2024:2055 0 None None None 2024-04-25 08:06:31 UTC
Red Hat Product Errata RHSA-2024:2064 0 None None None 2024-04-25 15:05:54 UTC
Red Hat Product Errata RHSA-2024:2066 0 None None None 2024-04-25 15:29:13 UTC
Red Hat Product Errata RHSA-2024:2077 0 None None None 2024-04-29 00:26:22 UTC
Red Hat Product Errata RHSA-2024:2084 0 None None None 2024-04-29 02:27:17 UTC
Red Hat Product Errata RHSA-2024:2089 0 None None None 2024-04-29 08:48:11 UTC
Red Hat Product Errata RHSA-2024:2098 0 None None None 2024-04-29 11:29:21 UTC
Red Hat Product Errata RHSA-2024:2645 0 None None None 2024-05-01 15:16:19 UTC
Red Hat Product Errata RHSA-2024:2669 0 None None None 2024-05-09 14:11:57 UTC
Red Hat Product Errata RHSA-2024:2672 0 None None None 2024-05-09 17:13:37 UTC

Description Avinash Hanwate 2024-02-22 14:04:16 UTC
When performing bind mounts as part of a build-time RUN step, the ‘source’ argument is not validated to ensure that it exists within the root filesystem. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
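
The missing validation described above, as an added Go example that is not part of the original report and is not buildah's actual fix: it resolves a mount source with symlinks followed and rejects any result that lands outside the image root. The names `resolveInRoot` and `demo` are hypothetical, and the directory tree is constructed in a temporary directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInRoot (hypothetical helper) joins a mount source onto root,
// follows every symlink, and rejects a result that is not inside root.
func resolveInRoot(root, source string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(realRoot, source))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("mount source %q resolves to %q, outside %q", source, resolved, realRoot)
	}
	return resolved, nil
}

// demo builds a constructed tree: an "image root" with one ordinary
// directory and one symlink pointing outside it (standing in for a link
// to the host's /), then checks three mount sources against the root.
func demo() (inside, viaLink, dotDot error) {
	tmp, err := os.MkdirTemp("", "mountsrc")
	if err != nil {
		return err, err, err
	}
	defer os.RemoveAll(tmp)
	root, host := filepath.Join(tmp, "image-root"), filepath.Join(tmp, "host")
	os.MkdirAll(filepath.Join(root, "data"), 0o755)
	os.MkdirAll(host, 0o755)
	os.Symlink(host, filepath.Join(root, "link"))
	_, inside = resolveInRoot(root, "data")
	_, viaLink = resolveInRoot(root, "link")
	_, dotDot = resolveInRoot(root, "../host")
	return
}

func main() { fmt.Println(demo()) }
```

A resolve-then-mount check of this kind is only sound if the tree cannot change between the check and the mount.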

Comment 4 Anten Skrabec 2024-03-18 14:12:17 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2270125]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2270124]

Comment 8 Anten Skrabec 2024-04-06 13:19:45 UTC
removed buildah affects for openshift per comment on OCPBUGS-31004 and related openshift-4/buildah trackers

Comment 9 errata-xmlrpc 2024-04-25 08:06:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2055 https://access.redhat.com/errata/RHSA-2024:2055

Comment 10 errata-xmlrpc 2024-04-25 15:05:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2064 https://access.redhat.com/errata/RHSA-2024:2064

Comment 11 errata-xmlrpc 2024-04-25 15:29:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:2066 https://access.redhat.com/errata/RHSA-2024:2066

Comment 12 errata-xmlrpc 2024-04-29 00:26:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2077 https://access.redhat.com/errata/RHSA-2024:2077

Comment 13 errata-xmlrpc 2024-04-29 02:27:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2084 https://access.redhat.com/errata/RHSA-2024:2084

Comment 14 errata-xmlrpc 2024-04-29 08:48:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:2089 https://access.redhat.com/errata/RHSA-2024:2089

Comment 15 errata-xmlrpc 2024-04-29 11:29:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2098 https://access.redhat.com/errata/RHSA-2024:2098

Comment 16 errata-xmlrpc 2024-05-01 15:16:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2645 https://access.redhat.com/errata/RHSA-2024:2645

Comment 17 errata-xmlrpc 2024-05-02 16:56:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2049 https://access.redhat.com/errata/RHSA-2024:2049

Comment 18 errata-xmlrpc 2024-05-09 14:11:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:2669 https://access.redhat.com/errata/RHSA-2024:2669

Comment 19 errata-xmlrpc 2024-05-09 17:13:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:2672 https://access.redhat.com/errata/RHSA-2024:2672

