CVE-2022-27651

NameCVE-2022-27651
DescriptionA flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs1009882

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-containers-buildah (PTS)bullseye1.19.6+dfsg1-1vulnerable
bookworm, sid1.23.1+ds1-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-containers-buildahsource(unstable)(unfixed)1009882

Notes

https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b (v1.25.1)
https://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h

Search for package or bug name: Reporting problems