Bug 1219437 (CVE-2024-23650)

Summary: VUL-0: CVE-2024-23650: buildkit: BuildKit daemon could crash via malicious BuildKit client or frontend request
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Danish Prakash <danish.prakash>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: andrea.mattiazzo, rbrown, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/392682/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-23650:6.2:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-01 10:15:43 UTC 
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23650
https://github.com/moby/buildkit/releases/tag/v0.12.5
https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx
https://www.cve.org/CVERecord?id=CVE-2024-23650

Patch:
https://github.com/moby/buildkit/pull/4601
Comment 1 Andrea Mattiazzo 2024-02-01 10:28:22 UTC 
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0
- openSUSE:Factory