Bug 1221677 (CVE-2024-1753)

Summary:	VUL-0: CVE-2024-1753: buildah: full container escape at build time
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Dan Čermák <dcermak>
Status:	IN_PROGRESS ---	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium	CC:	alexandre.vicenzi, containers-bugowner, danish.prakash, meissner
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/398079/
Whiteboard:	CVSSv3.1:SUSE:CVE-2024-1753:8.6:(AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-03-19 09:53:31 UTC

A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1753
https://www.cve.org/CVERecord?id=CVE-2024-1753
https://access.redhat.com/security/cve/CVE-2024-1753
https://bugzilla.redhat.com/show_bug.cgi?id=2265513
https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
https://github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3

Comment 1 Dan Čermák 2024-03-19 11:30:00 UTC

15 SP5:
https://build.suse.de/request/show/324356

Factory: 
https://build.opensuse.org/request/show/1159325

Comment 2 Dan Čermák 2024-03-19 11:37:12 UTC

15 SP3:
https://build.suse.de/request/show/324360

15 SP4:
https://build.suse.de/request/show/324361

Comment 3 Dan Čermák 2024-03-19 12:44:34 UTC

SP1:
https://build.suse.de/request/show/324368

Comment 4 Dan Čermák 2024-03-19 13:52:08 UTC

Podman update for SP3:
https://build.suse.de/request/show/324375

Podman update for SP4:
https://build.suse.de/request/show/324374

Comment 5 Alexandre Vicenzi 2024-03-19 14:41:55 UTC

Podman update for SLE 15 SP5:

https://build.suse.de/request/show/324382

Comment 6 Danish Prakash 2024-03-21 07:04:04 UTC

We feel the fix is not required on SLE15-SP1 because the affected feature in question was introduced with buildah v1.24.0 and SLE15-SP1 runs podman v2.1.1 which vendors buildah v1.16.1. We've tested this locally and are waiting currently for upstream to confirm the same[1].

[1] - https://github.com/containers/buildah/discussions/5420

Comment 7 Maintenance Automation 2024-03-28 16:30:08 UTC

SUSE-SU-2024:1059-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:33052](https://smelt.suse.de/incident/33052/)
Sources used:
openSUSE Leap 15.3 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 podman-4.4.4-150300.9.26.2
SUSE Enterprise Storage 7.1 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise Micro 5.1 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise Micro 5.2 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 podman-4.4.4-150300.9.26.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Maintenance Automation 2024-03-28 16:30:11 UTC

SUSE-SU-2024:1058-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:33051](https://smelt.suse.de/incident/33051/)
Sources used:
openSUSE Leap 15.4 (src):
 podman-4.4.4-150400.4.22.1
openSUSE Leap Micro 5.3 (src):
 podman-4.4.4-150400.4.22.1
openSUSE Leap Micro 5.4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Micro 5.3 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Micro 5.4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 podman-4.4.4-150400.4.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Maintenance Automation 2024-04-08 12:30:41 UTC

SUSE-SU-2024:1146-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:33011](https://smelt.suse.de/incident/33011/)
Sources used:
openSUSE Leap 15.5 (src):
 podman-4.8.3-150500.3.9.1
SUSE Linux Enterprise Micro 5.5 (src):
 podman-4.8.3-150500.3.9.1
Containers Module 15-SP5 (src):
 podman-4.8.3-150500.3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 10 Maintenance Automation 2024-04-08 12:30:44 UTC

SUSE-SU-2024:1145-1: An update that solves one vulnerability and has two security fixes can now be installed.

Category: security (important)
Bug References: 1219563, 1220568, 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:32911](https://smelt.suse.de/incident/32911/)
Sources used:
openSUSE Leap 15.3 (src):
 buildah-1.34.1-150300.8.22.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 buildah-1.34.1-150300.8.22.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 buildah-1.34.1-150300.8.22.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 buildah-1.34.1-150300.8.22.1
SUSE Enterprise Storage 7.1 (src):
 buildah-1.34.1-150300.8.22.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Maintenance Automation 2024-04-08 12:30:46 UTC

SUSE-SU-2024:1144-1: An update that solves one vulnerability and has two security fixes can now be installed.

Category: security (important)
Bug References: 1219563, 1220568, 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:32912](https://smelt.suse.de/incident/32912/)
Sources used:
openSUSE Leap 15.4 (src):
 buildah-1.34.1-150400.3.27.1
openSUSE Leap Micro 5.3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
openSUSE Leap Micro 5.4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro 5.3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro 5.4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
Public Cloud Module 15-SP2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1, buildah-1.34.1-150400.3.27.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1, buildah-1.34.1-150400.3.27.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1, buildah-1.34.1-150400.3.27.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1, buildah-1.34.1-150400.3.27.1
SUSE Enterprise Storage 7.1 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro 5.1 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro 5.2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 12 Maintenance Automation 2024-04-08 12:30:49 UTC

SUSE-SU-2024:1143-1: An update that solves one vulnerability and has two security fixes can now be installed.

Category: security (important)
Bug References: 1219563, 1220568, 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:32913](https://smelt.suse.de/incident/32913/)
Sources used:
openSUSE Leap 15.5 (src):
 buildah-1.34.1-150500.3.7.1
Containers Module 15-SP5 (src):
 buildah-1.34.1-150500.3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 13 Maintenance Automation 2024-04-08 12:30:51 UTC

SUSE-SU-2024:1142-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:33005](https://smelt.suse.de/incident/33005/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 buildah-1.25.1-150100.3.23.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 buildah-1.25.1-150100.3.23.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 buildah-1.25.1-150100.3.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.