Bug 33036

Summary: buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-2024-28180 and CVE-2024-28176; buildah and skopeo new security issue CVE-2024-3727; podman new security issue CVE-2024-6104
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: Joseph Wang <joequant>
Status: NEW --- QA Contact: Sec team <security>
Severity: major    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9TOO
Source RPM: buildah-1.35.0-1.mga10.src.rpm, podman-4.8.3-1.mga10.src.rpm, skopeo-1.12.0-1.mga9.src.rpm CVE: CVE-2024-1753, CVE-2024-3727, CVE-2023-45290, CVE-2024-28180, CVE-2024-28176
Status comment: Fixed upstream in buildah 1.35.4 and podman 4.9.4

Description Nicolas Salguero 2024-03-29 14:52:41 CET 
That CVE was announced here:
https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
https://github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3

That problem is fixed in buildah 1.35.1 and podman 4.9.4 (or 5.0.1).

Mageia 9 is also affected.
Nicolas Salguero 2024-03-29 14:53:18 CET

CVE: (none) => CVE-2024-1753
Source RPM: (none) => buildah-1.35.0-1.mga10.src.rpm, podman-4.8.3-1.mga10.src.rpm
Status comment: (none) => Fixed upstream in buildah 1.35.1 and podman 4.9.4
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-03-31 21:09:29 CEST 
Both new version cures.
Assigning to Joseph who currently maintains these pkgs.

Assignee: bugsquad => joequant

Comment 2 Nicolas Salguero 2024-05-21 09:30:56 CEST 
Fedora has issued an advisory on May 19:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYT3D2P3OJKISNFKOOHGY6HCUCQZYAVR/

Status comment: Fixed upstream in buildah 1.35.1 and podman 4.9.4 => Fixed upstream in buildah 1.35.4 and podman 4.9.4
Summary: buildah and podman new security issue CVE-2024-1753 => buildah and podman new security issue CVE-2024-1753, buildah new security issue CVE-2024-3727
CVE: CVE-2024-1753 => CVE-2024-1753, CVE-2024-3727

Comment 3 Nicolas Salguero 2024-06-11 15:30:43 CEST 
SUSE has issued an advisory on June 11:
https://lwn.net/Articles/977925/

Skopeo version 1.14.4 solves the problem so only Mageia 9 is affected.

Source RPM: buildah-1.35.0-1.mga10.src.rpm, podman-4.8.3-1.mga10.src.rpm => buildah-1.35.0-1.mga10.src.rpm, podman-4.8.3-1.mga10.src.rpm, skopeo-1.12.0-1.mga9.src.rpm
Summary: buildah and podman new security issue CVE-2024-1753, buildah new security issue CVE-2024-3727 => buildah and podman new security issue CVE-2024-1753, buildah and skopeo new security issue CVE-2024-3727

Comment 4 Nicolas Salguero 2024-06-13 10:01:29 CEST 
RedHat has issued advisories on June 12:
https://lwn.net/Articles/978101/
https://lwn.net/Articles/978102/

CVE: CVE-2024-1753, CVE-2024-3727 => CVE-2024-1753, CVE-2024-3727, CVE-2023-45290, CVE-2024-28180, CVE-2024-28176
Summary: buildah and podman new security issue CVE-2024-1753, buildah and skopeo new security issue CVE-2024-3727 => buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-2024-28180 and CVE-2024-28176; buildah and skopeo new security issue CVE-2024-3727

Comment 5 Nicolas Salguero 2024-07-04 09:18:29 CEST 
SUSE has issued an advisory on July 3:
https://lists.suse.com/pipermail/sle-security-updates/2024-July/018858.html

Summary: buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-2024-28180 and CVE-2024-28176; buildah and skopeo new security issue CVE-2024-3727 => buildah and podman new security issues CVE-2024-1753, CVE-2023-45290, CVE-2024-28180 and CVE-2024-28176; buildah and skopeo new security issue CVE-2024-3727; podman new security issue CVE-2024-6104