CVE-2022-27651

NameCVE-2022-27651
DescriptionA flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1009882

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-containers-buildah (PTS)bullseye1.19.6+dfsg1-1vulnerable
bookworm1.28.2+ds1-3fixed
trixie1.33.5+ds1-4fixed
sid1.33.7+ds1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-containers-buildahsourceexperimental1.27.0+ds1-2
golang-github-containers-buildahsource(unstable)1.28.0+ds1-21009882

Notes

[bullseye] - golang-github-containers-buildah <no-dsa> (Minor issue)
https://github.com/containers/buildah/commit/e7e55c988c05dd74005184ceb64f097a0cfe645b (v1.25.1)
https://github.com/containers/buildah/security/advisories/GHSA-c3g4-w6cv-6v7h
Search for package or bug name: Reporting problems