Bug 1221677 (CVE-2024-1753) - VUL-0: CVE-2024-1753: buildah: full container escape at build time
Summary: VUL-0: CVE-2024-1753: buildah: full container escape at build time
Status: IN_PROGRESS
Alias: CVE-2024-1753
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Dan Čermák
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/398079/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-1753:8.6:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-19 09:53 UTC by SMASH SMASH
Modified: 2024-07-22 15:30 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-03-19 09:53:31 UTC
A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-1753
https://www.cve.org/CVERecord?id=CVE-2024-1753
https://access.redhat.com/security/cve/CVE-2024-1753
https://bugzilla.redhat.com/show_bug.cgi?id=2265513
https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
https://github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3
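
The path-resolution difference behind the flaw described above, as an added Go example (not code from this bug report, and not Buildah's code or its patch): a symlink inside an image tree resolved with the host's view of `/`, next to a resolution that treats the image root as `/`. The function names `naiveResolve` and `resolveInRoot` and the temporary tree with a `src` link are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// naiveResolve follows symlinks as the host sees them: "/" means the host root.
func naiveResolve(root, unsafe string) (string, error) {
	return filepath.EvalSymlinks(filepath.Join(root, unsafe))
}

// resolveInRoot walks unsafe one component at a time and treats root as "/"
// for ".." and for every symlink target, so the result stays under root.
func resolveInRoot(root, unsafe string) (string, error) {
	cur, rest := "/", unsafe // cur: path resolved so far, relative to root
	for hops := 0; rest != ""; {
		var part string
		part, rest, _ = strings.Cut(strings.TrimLeft(rest, "/"), "/")
		if part == "" || part == "." || part == ".." {
			cur = filepath.Join(cur, part) // Join cleans: ".." at "/" stays "/"
			continue
		}
		next := filepath.Join(cur, part)
		target, err := os.Readlink(filepath.Join(root, next))
		if err != nil { // not a symlink, or missing: an ordinary component
			cur = next
			continue
		}
		if hops++; hops > 255 {
			return "", fmt.Errorf("too many symlinks resolving %q", unsafe)
		}
		if filepath.IsAbs(target) {
			cur = "/" // absolute target restarts at root, not at the host "/"
		}
		rest = target + "/" + rest
	}
	return filepath.Join(root, cur), nil
}

func main() {
	root, _ := os.MkdirTemp("", "rootfs") // constructed sample tree
	defer os.RemoveAll(root)
	os.Symlink("/", filepath.Join(root, "src")) // src -> "/"
	naive, _ := naiveResolve(root, "src")
	scoped, _ := resolveInRoot(root, "src")
	fmt.Println("naive:", naive, "scoped:", scoped)
}
```

The scoped result is only safe to use if nothing can modify the tree between resolution and the mount; a caller that cannot guarantee that needs to open the path relative to a directory file descriptor instead of re-using the string.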
Comment 3 Dan Čermák 2024-03-19 12:44:34 UTC
SP1:
https://build.suse.de/request/show/324368
Comment 4 Dan Čermák 2024-03-19 13:52:08 UTC
Podman update for SP3:
https://build.suse.de/request/show/324375

Podman update for SP4:
https://build.suse.de/request/show/324374
Comment 5 Alexandre Vicenzi 2024-03-19 14:41:55 UTC
Podman update for SLE 15 SP5:

https://build.suse.de/request/show/324382
Comment 6 Danish Prakash 2024-03-21 07:04:04 UTC
We feel the fix is not required on SLE15-SP1 because the affected feature in question was introduced with buildah v1.24.0, and SLE15-SP1 runs podman v2.1.1, which vendors buildah v1.16.1. We've tested this locally and are currently waiting for upstream to confirm the same [1].

[1] - https://github.com/containers/buildah/discussions/5420
Comment 7 Maintenance Automation 2024-03-28 16:30:08 UTC
SUSE-SU-2024:1059-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:33052](https://smelt.suse.de/incident/33052/)
Sources used:
openSUSE Leap 15.3 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 podman-4.4.4-150300.9.26.2
SUSE Enterprise Storage 7.1 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise Micro 5.1 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise Micro 5.2 (src):
 podman-4.4.4-150300.9.26.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 podman-4.4.4-150300.9.26.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2024-03-28 16:30:11 UTC
SUSE-SU-2024:1058-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:33051](https://smelt.suse.de/incident/33051/)
Sources used:
openSUSE Leap 15.4 (src):
 podman-4.4.4-150400.4.22.1
openSUSE Leap Micro 5.3 (src):
 podman-4.4.4-150400.4.22.1
openSUSE Leap Micro 5.4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Micro 5.3 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Micro 5.4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 podman-4.4.4-150400.4.22.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 podman-4.4.4-150400.4.22.1

Comment 9 Maintenance Automation 2024-04-08 12:30:41 UTC
SUSE-SU-2024:1146-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:33011](https://smelt.suse.de/incident/33011/)
Sources used:
openSUSE Leap 15.5 (src):
 podman-4.8.3-150500.3.9.1
SUSE Linux Enterprise Micro 5.5 (src):
 podman-4.8.3-150500.3.9.1
Containers Module 15-SP5 (src):
 podman-4.8.3-150500.3.9.1

Comment 10 Maintenance Automation 2024-04-08 12:30:44 UTC
SUSE-SU-2024:1145-1: An update that solves one vulnerability and has two security fixes can now be installed.

Category: security (important)
Bug References: 1219563, 1220568, 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:32911](https://smelt.suse.de/incident/32911/)
Sources used:
openSUSE Leap 15.3 (src):
 buildah-1.34.1-150300.8.22.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 buildah-1.34.1-150300.8.22.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 buildah-1.34.1-150300.8.22.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 buildah-1.34.1-150300.8.22.1
SUSE Enterprise Storage 7.1 (src):
 buildah-1.34.1-150300.8.22.1

Comment 11 Maintenance Automation 2024-04-08 12:30:46 UTC
SUSE-SU-2024:1144-1: An update that solves one vulnerability and has two security fixes can now be installed.

Category: security (important)
Bug References: 1219563, 1220568, 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:32912](https://smelt.suse.de/incident/32912/)
Sources used:
openSUSE Leap 15.4 (src):
 buildah-1.34.1-150400.3.27.1
openSUSE Leap Micro 5.3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
openSUSE Leap Micro 5.4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro 5.3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro 5.4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
Public Cloud Module 15-SP2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1, buildah-1.34.1-150400.3.27.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1, buildah-1.34.1-150400.3.27.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1, buildah-1.34.1-150400.3.27.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1, buildah-1.34.1-150400.3.27.1
SUSE Enterprise Storage 7.1 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro 5.1 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro 5.2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 cni-plugins-0.8.6-150100.3.22.3, cni-0.7.1-150100.3.18.1

Comment 12 Maintenance Automation 2024-04-08 12:30:49 UTC
SUSE-SU-2024:1143-1: An update that solves one vulnerability and has two security fixes can now be installed.

Category: security (important)
Bug References: 1219563, 1220568, 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:32913](https://smelt.suse.de/incident/32913/)
Sources used:
openSUSE Leap 15.5 (src):
 buildah-1.34.1-150500.3.7.1
Containers Module 15-SP5 (src):
 buildah-1.34.1-150500.3.7.1

Comment 13 Maintenance Automation 2024-04-08 12:30:51 UTC
SUSE-SU-2024:1142-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1221677
CVE References: CVE-2024-1753
Maintenance Incident: [SUSE:Maintenance:33005](https://smelt.suse.de/incident/33005/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 buildah-1.25.1-150100.3.23.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 buildah-1.25.1-150100.3.23.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 buildah-1.25.1-150100.3.23.1
