Bug 1219437 (CVE-2024-23650) - VUL-0: CVE-2024-23650: buildkit: BuildKit daemon could crash via malicious BuildKit client or frontend request
Summary: VUL-0: CVE-2024-23650: buildkit: BuildKit daemon could crash via malicious Bu...
Status: NEW
Alias: CVE-2024-23650
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Danish Prakash
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/392682/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-23650:6.2:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-01 10:15 UTC by SMASH SMASH
Modified: 2024-06-04 07:58 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-02-01 10:15:43 UTC 
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-23650
https://github.com/moby/buildkit/releases/tag/v0.12.5
https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx
https://www.cve.org/CVERecord?id=CVE-2024-23650

Patch:
https://github.com/moby/buildkit/pull/4601
Comment 1 Andrea Mattiazzo 2024-02-01 10:28:22 UTC 
Tracking as affected:
- SUSE:ALP:Source:Standard:1.0
- openSUSE:Factory