CVE-2024-1753

NameCVE-2024-1753
DescriptionA flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1067800

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-containers-buildah (PTS)bullseye1.19.6+dfsg1-1vulnerable
bookworm1.28.2+ds1-3+deb12u1vulnerable
trixie1.39.3+ds1-1fixed
forky, sid1.41.5+ds1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-containers-buildahsource(unstable)1.33.7+ds1-11067800

Notes

[bookworm] - golang-github-containers-buildah <no-dsa> (Minor issue)
[bullseye] - golang-github-containers-buildah <no-dsa> (Minor issue)
https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
at least podman will need a rebuild with a fixed buildah
Search for package or bug name: Reporting problems