CVE-2022-1227

NameCVE-2022-1227
DescriptionA privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1020907

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-containers-psgo (PTS)bullseye1.5.2-1+deb11u1vulnerable
bookworm, sid1.7.1+ds1-1fixed
libpod (PTS)bullseye3.0.1+dfsg1-3+deb11u4fixed
bookworm, sid4.3.1+ds1-8fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-containers-psgosourcebullseye1.5.2-2~deb11u1
golang-github-containers-psgosource(unstable)1.7.1+ds1-11020907
libpodsourcebullseye3.0.1+dfsg1-3+deb11u2
libpodsource(unstable)3.4.7+ds1-1

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=2070368
https://github.com/containers/psgo/pull/92
https://github.com/containers/psgo/commit/d9467da9f563a9de1ece79dcae86b37b1db75443 (v1.7.2)
Search for package or bug name: Reporting problems