Name | CVE-2024-1753 |
Description | A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 1067800 |
Vulnerable and fixed packages
The table below lists information on source packages.
The information below is based on the following data on fixed versions.
Notes
[bookworm] - golang-github-containers-buildah <no-dsa> (Minor issue)
[bullseye] - golang-github-containers-buildah <no-dsa> (Minor issue)
https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
at least podman will need a rebuild with a fixed buildah