Bug 28885 - skopeo, buildah, podman new security issues CVE-2021-20206, CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-1227, CVE-2022-2989, CVE-2022-2990, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 31099
Reported: 2021-05-06 16:05 CEST by Nicolas Salguero
Modified: 2023-07-07 07:56 CEST (History)

See Also:
Source RPM: skopeo-1.2.0-1.mga8.src.rpm, buildah-1.18.0-1.mga8.src.rpm, podman-3.0.0-0.20201203.1.dev.git0c2a43b.mga8.src.rpm
CVE: CVE-2022-41723, CVE-2023-0778
Status comment:



Description Nicolas Salguero 2021-05-06 16:05:30 CEST
Fedora has issued an advisory on May 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPYOHNG2Q7DCAQZMGYLMENLKALGDLG3X/

Mageia 8 is also affected.
Nicolas Salguero 2021-05-06 16:05:58 CEST

Whiteboard: (none) => MGA8TOO
Source RPM: (none) => skopeo-1.2.0-1.mga8.src.rpm

Comment 1 Aurelien Oudelet 2021-05-06 19:58:09 CEST
Hi, thanks for reporting this.
Assigned to the package maintainer.

(Please set the status to 'assigned' if you are working on it)

CVE: (none) => CVE-2021-20291
Assignee: bugsquad => joequant
CC: (none) => ouaurelien

Comment 2 David Walser 2021-05-29 23:26:03 CEST
Also affects other packages.  I believe the podman and skopeo versions in Cauldron have the fix, but not buildah.

Fedora has issued advisories for this on April 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/25LCWXTFK5CEUYRWF74Y4C7VIMWDH2OI/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/R5D7XL7FL24TWFMGQ3K2S72EOUSLZMKL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F3ARUFZTP54XZ36JGEVCIBJZPX4LTF3G/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GWKDCFQ4EVHMJJ6V2EAABHSRZK34HUUT/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IKOQ2O3CAYO75ZV2PUCTL6G72K7JVGCT/

CC: (none) => joequant
Source RPM: skopeo-1.2.0-1.mga8.src.rpm => skopeo-1.2.0-1.mga8.src.rpm, buildah-1.18.0-1.mga8.src.rpm, podman-3.0.0-0.20201203.1.dev.git0c2a43b.mga8.src.rpm
Severity: normal => major
Summary: skopeo new security issue CVE-2021-20291 => skopeo, buildah, podman new security issue CVE-2021-20291

Comment 4 David Walser 2021-07-23 22:22:43 CEST
Fedora has issued an advisory today (July 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GDWE3ABI6VTR2BO4UV3HXEUYUN5CKUES/

They updated to podman 3.2.3, but the actual fix is in buildah 1.21.3:
https://bugzilla.redhat.com/show_bug.cgi?id=1969264
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj

Summary: skopeo, buildah, podman new security issue CVE-2021-20291 => skopeo, buildah, podman new security issues CVE-2021-20291 and CVE-2021-3602

Comment 6 David Walser 2021-08-02 16:52:28 CEST
Here's the advisory for buildah itself (from today, August 2):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CAYDF5STQQ2MWYFKJISEVKKCDRW6K3MP/

CC: (none) => luigiwalser

Comment 8 David Walser 2021-08-11 06:55:10 CEST
buildah and podman are also vulnerable to CVE-2021-34558 due to a bundled golang module.

Fedora has issued advisories for this today:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6BTC3JQUASFN5U2XA4UZIGAPZQBD5JSS/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LBMLUQMN6XRKPVOI5XFFBP4XSR7RNTYR/

Summary: skopeo, buildah, podman new security issues CVE-2021-20291 and CVE-2021-3602 => skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558

Comment 9 David Walser 2021-12-05 16:46:04 CET
Fedora has issued an advisory today (December 5):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/

The issue is fixed upstream in skopeo 1.5.2.

Summary: skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558 => skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190

Comment 10 David Walser 2021-12-17 19:36:13 CET
Fedora has issued an advisory today (December 17):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IA7RFWWF2TAD6ABTSEOCANQQEGMSU4YP/

The issue is fixed upstream in podman 3.4.4.

Summary: skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190 => skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024

Comment 11 David Walser 2022-03-04 19:20:29 CET
openSUSE has issued an advisory for this today (March 4):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5BA2TLW7O5ZURGQUAQUH4HD5SQYNDDZ6/
Comment 12 David Walser 2022-03-09 17:49:25 CET
openSUSE has issued an advisory for buildah today (March 9):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WFIDXN6UAK2I4PPVFPBE4STNQH2FZQ4A/

It lists CVE-2019-10214 CVE-2020-10696 CVE-2021-20206 with no details, and they updated to 1.23.1, which presumably fixes them.
Comment 14 David Walser 2022-04-07 18:24:46 CEST
Fedora has issued an advisory today (April 7):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2VWH6X6HOFPO6HTESF42HIJZEPXSWVIO/

The issue is fixed upstream in buildah 1.25.0.

Summary: skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024 => skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-27651

Comment 15 David Walser 2022-05-02 20:07:36 CEST
(In reply to David Walser from comment #14)
> Fedora has issued an advisory today (April 7):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2VWH6X6HOFPO6HTESF42HIJZEPXSWVIO/
> 
> The issue is fixed upstream in buildah 1.25.0.

openSUSE has issued an advisory for this on April 27:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/COAZMKGIFFK6JHHLFRHHTVMQ4HK5XI73/
Comment 16 David Walser 2022-05-02 22:48:13 CEST
Fedora has issued an advisory on April 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/

It fixes four new security issues in podman 3.4.7.

CVE-2022-21698 is also Bug 30054 and CVE-2022-27191 is also Bug 30323.

Summary: skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-27651 => skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-1227, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651

Comment 17 David Walser 2022-06-12 00:41:26 CEST
Fedora advisory from today (June 11) for buildah for CVE-2022-21698:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2IK53GWZ475OQ6ENABKMJMTOBZG6LXUR/

They updated to buildah 1.23.4.
Comment 18 David Walser 2022-08-18 17:12:42 CEST
openSUSE has issued an advisory for this on August 17:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3XQI3JGSN3QUR2TTD5PKGO62TDA7VS3I/
Comment 19 David Walser 2022-10-20 14:13:47 CEST
openSUSE has issued an advisory on October 19:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BOSR3QWWI2B7POIUKKJJMCEE2T3PFI5B/

This fixes an additional issue in buildah (CVE-2022-2990).

Summary: skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-1227, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651 => skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-1227, CVE-2022-2990, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651

Comment 20 David Walser 2022-11-01 13:47:56 CET
SUSE and openSUSE have issued advisories on October 31:
https://lists.suse.com/pipermail/sle-security-updates/2022-October/012775.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PL4K6SMPK6ISI4ZPOM3PI6GAYO6XYPYB/

This fixes an additional issue in podman (CVE-2022-2989).

Summary: skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-1227, CVE-2022-2990, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651 => skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-1227, CVE-2022-2990, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651, CVE-2022-2989

David Walser 2022-11-09 18:11:00 CET

Summary: skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-1227, CVE-2022-2990, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651, CVE-2022-2989 => skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-1227, CVE-2022-2989, CVE-2022-2990, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651

Comment 21 David Walser 2022-11-09 18:11:47 CET
RedHat has issued an advisory for CVE-2022-2989 and CVE-2022-2990 on November 8:
https://access.redhat.com/errata/RHSA-2022:7822
Comment 22 David Walser 2023-01-27 16:21:25 CET
SUSE has issued an advisory today (January 27):
https://lists.suse.com/pipermail/sle-security-updates/2023-January/013557.html

It fixes some of these issues and an additional one (CVE-2021-20206) that was fixed upstream in 3.1.0.

Summary: skopeo, buildah, podman new security issues CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-1227, CVE-2022-2989, CVE-2022-2990, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651 => skopeo, buildah, podman new security issues CVE-2021-20206, CVE-2021-20291, CVE-2021-3602, CVE-2021-34558, CVE-2021-41190, CVE-2021-4024, CVE-2022-1227, CVE-2022-2989, CVE-2022-2990, CVE-2022-21698, CVE-2022-27191, CVE-2022-27649, CVE-2022-27651

Comment 23 David Walser 2023-01-27 16:27:04 CET
(In reply to David Walser from comment #22)
> SUSE has issued an advisory today (January 27):
> https://lists.suse.com/pipermail/sle-security-updates/2023-January/013557.html
> 
> It fixes some of these issues and an additional one (CVE-2021-20206) that was fixed upstream in 3.1.0.

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/NKDIDANN2OO6H6AMGCEODFI5ZES7PJYI/
Comment 24 David Walser 2023-02-22 15:52:41 CET
Fedora has issued an advisory today (February 22):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HX2XHVJTED7LYWP3LLJ3FTJMPQ4KYG44/

CVE list overflowed from bug title into CVE field (CVE-2023-0778 added).

CVE: CVE-2021-20291 => CVE-2023-0778

Comment 25 David Walser 2023-04-06 19:28:29 CEST
podman/conmon security update from Fedora today (April 6):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/I5RR5DUZHU2FFOE3EKYH6T74SA43EB4T/

podman and conmon need to be updated (and built against the pending golang update).

Since these issues have gotten no response for two years, it's time to drop these packages.

Blocks: (none) => 30163

Comment 26 David Walser 2023-04-13 18:02:48 CEST
Fedora has issued an advisory for skopeo on April 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4MA5XS5DAOJ5PKKNG5TUXKPQOFHT5VBC/

Adding CVE-2022-41723 to the CVE field.

CVE: CVE-2023-0778 => CVE-2022-41723, CVE-2023-0778

Comment 27 David Walser 2023-06-20 15:15:40 CEST
Another podman issue:
https://ubuntu.com/security/notices/USN-6170-1
Comment 28 Joseph Wang 2023-06-21 05:42:44 CEST
I've been pretty active at building new podman, skopeo, and buildah packages, and I can do another build in the next two or three days for mageia release.
Comment 29 Joseph Wang 2023-06-21 05:48:17 CEST
Also from a security point of view it makes no sense to drop podman.  The alternative is docker which is run as root and it turns out to be reasonably easy to create an image that has total access to the entire machine. 

Podman runs rootless so that any problems in podman are much more confined and are limited to the actual user.

I've been pretty active at making sure that the podman infrastructure is updated, and the only thing that has kept me from pushing new versions is the version freeze.
Comment 30 David Walser 2023-06-21 06:02:06 CEST
This bug was filed over two years ago, with more and more issues piling up, and you have not once responded to it or taken any action as a result of it.  It would not be appropriate to ship these packages in Mageia 9, where they would continue to be unmaintained.  If you only want to maintain packages in Cauldron, then those packages should only be available in Cauldron, and not shipped in Stable releases.  If you want to make them available for a stable release, perhaps a COPR or backports would be more appropriate.
Comment 31 David GEIGER 2023-06-21 06:17:59 CEST
I agree with David, you have many many packages with regular security vulnerabilities that you don't take care of at all during the release stable cycle!

CC: (none) => geiger.david68210

Comment 32 Joseph Wang 2023-06-21 12:38:55 CEST
The bug was filed and I fixed the bugs.  If you look at the commit logs I have been pretty active at keeping the packages up to date.  So I have been pretty active at keeping the packages up to date in cauldron.

The trouble with pulling this from Mageia 9 is that in that situation we end up shipping docker which has a lot more security issues than podman because podman does not give the user access to root.  Podman runs in user mode which means that whatever security issues exist do not give the user access to the full machine.

It may be better to put this in COPR, but it does seem really odd that we would be shipping system that encourages people to use a technology that is inherently unsafe.
Comment 33 Joseph Wang 2023-06-21 13:51:20 CEST
I've upgraded buildah, skopeo and podman to the latest versions 

buildah 1.30.0
skopeo 1.12.0
podman 4.5.1

We can talk about the general issue on the list, but it seems really, really weird to drop the podman stack for security reasons when the alternative is one big security hole.
Comment 34 David Walser 2023-06-21 14:59:01 CEST
It's laughable that you talk about security when these packages are unmaintained, outdated, and riddled with security issues. You have not made one single commit to these packages since Mageia 8 was branched.  Again, it would be irresponsible and against our founding philosophies to ship these unmaintained packages again in Mageia 9.  Like I said before, if you're only interested in maintaining them in Cauldron, then at best they should only be available there, not in a stable release where they won't be maintained.
Comment 35 Joseph Wang 2023-06-21 15:27:51 CEST
The problem is that virtualization is pretty essential core functionality.  I can commit to keeping the packages updated in Mageia 9 if that is the issue.

Yes, I did mess up because I only updated the packages in cauldron and didn't do a backport back to Mageia 8.  But I am a volunteer like everyone else, and things get missed.  I've spent a decent amount of time making sure that everything is updated on cauldron, and a gentle reminder that I forgot to put in a backport would have gotten me to do it.
Comment 36 David Walser 2023-06-21 15:51:11 CEST
Joseph, this bug has been assigned to you since the beginning, and through 27 comments, you completely ignored it.  You had more than one general reminder, and your failure to maintain anything in stable releases has been highlighted plenty of other times and places outside of this bug.  How can we trust you to maintain this in Mageia 9 when you've shown no interest in helping with stable releases for anything, ever?

Why don't we try starting by doing what we do with nextcloud, shipping it in backports only, and see if you can maintain it there.
Comment 37 Joseph Wang 2023-06-21 16:23:07 CEST
Because this isn't just about me.

If it turns out that I suck as a maintainer, then I happen to think that this stack is important enough that *someone* should maintain it.  What packages should be included and what shouldn't isn't something that is just about me, and if we are going to remove something as critical as podman just because I suck then I don't think that is a good way of maintaining a distro.

I happen to also maintain the cinnamon stack, golang and large other pieces of infrastructure.  Are you going to can cinnamon just because I suck?

And the issue is that I am a volunteer, and I do miss things.  There are about a dozen packages which I *do* think need to be removed.

Look, I happen to think that podman is important enough infrastructure that *someone* should maintain it.  I'm willing to do it, but if it turns out that I suck, then we still need a discussion on what to do.

Okay, maybe I suck as a maintainer, but the point is that canning podman because I suck will make the distribution less secure.  And the thing about podman is that it gets so many security notices because people are using it.  There are about 50 packages that I maintain that are likely to have more serious security issues, and I've come up with about a dozen or so packages I would not have a problem with being removed from the distro.

It's just that removing podman because I suck seems to be a weird thing to do.
Comment 38 David Walser 2023-06-21 16:34:47 CEST
I'm not debating the merits of the software, but they are leaf packages, and despite its disadvantages, docker (which is maintained), provides the same core functionality, so we don't absolutely have to have these packages.  There are a lot of nice things that we could ship if we had people to maintain them, but we don't.  We don't have enough packagers, the ones we do have are either overburdened or don't have enough time, and the problem has gotten worse over time.  Importing packages that you can't maintain isn't helping the distribution.  Expecting the few, overburdened,  other packagers that we do have, to maintain all of this stuff for you, isn't either.

If we can find someone or someones who can maintain this stuff, we can always reintroduce it later.  Just because we drop a package doesn't necessarily mean that it's gone forever.  If you think these packages are that important, then your focus should be on finding people in the Mageia community who use them and care about them enough to step up and learn how to maintain them.  Shipping a bunch of unmaintained bitrot with known issues isn't a good way to maintain a distro either.
Comment 39 Joseph Wang 2023-06-21 16:51:47 CEST
docker does *NOT* have the same core functionality as podman

1) docker effectively requires that all users be root which is bad, bad, bad.
2) because docker saves all volumes in a central location it makes resource management impossible
3) also the people that run docker are people that have shown microsoft-ish behavior.  Once you have everyone run on docker, I think they will just do a rug pull like mongodb.  The fact that everything runs through a central server makes it easy for the people at docker to put in enhanced functionality that will lock other people out.

And the build system for skopeo and buildah allows you to run things locally.

And we are overburdened, but just killing packages without talking it through is not going to help things.  There are a lot of packages which I would be glad to get rid of (i.e. there is no point in keeping odoo or spack around).  There are a lot of failed experiments that can be removed.  I am overstretched, but I happen to think that podman is important enough so that I will prioritize that over stuff like getting julia working.

There are about a dozen packages I don't mind dropping.  Podman is just not one of them.

As far as bitrot: dropping a package because it has a lot of CVEs just creates some perverse incentives.  Podman has a ton of CVEs because it has an active community that is security focused.  There are about a dozen "experiments that went nowhere" that I would prefer to drop and those don't have any CVEs because no one uses them.

The problem is that our maintainer model simply will not scale and that creates another discussion since it means we aren't shipping stuff like rust and the golang files aren't getting new security updates.
Comment 40 David Walser 2023-06-21 16:56:51 CEST
Regardless of the finer points of docker vs. podman, my point stands that we don't absolutely need to ship podman.  Not shipping packages that we can't maintain absolutely does help.  And yes, if there are other good candidates for dropping, please take care of that.  And yes, I know that more active software tends to get more CVEs, but remember that those are also known security issues, which at least in some cases may be actively exploited.  Like I said, let's try shipping these in backports instead of core, and that will give you the flexibility to upgrade them without having to be as careful about maintaining backward compatibility.
Comment 41 Joseph Wang 2023-06-21 17:14:06 CEST
As long as it's installable via urpmi, it's not a huge issue for me, but it is odd to me that among "packages we should drop" that podman got put in on the high list.
Comment 42 Joseph Wang 2023-06-24 19:14:56 CEST
I've uploaded

skopeo 1.12.0 
buildah 1.30.0
podman 3.4.7

To mageia 8 updates_testing

and

skopeo 1.12.0
buildah 1.30.0
podman 4.5.1

to cauldron updates_testing

Also if there are any other packages that need TLC, let me know.

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2023-06-24 20:43:48 CEST

Resolution: FIXED => (none)
Status: RESOLVED => REOPENED

Comment 43 David Walser 2023-06-24 20:45:40 CEST
Do these versions address all issues in this bug?  Have you sent a freeze move request to the dev ml?  You need to list the packages for the Mageia 8 update, provide an advisory, and assign to QA.  You don't just close the bug.
Comment 44 Morgan Leijström 2023-06-24 22:22:11 CEST
As we are keeping them

Blocks: 30163 => (none)
CC: (none) => fri

Comment 45 Morgan Leijström 2023-06-25 08:35:53 CEST
Mga9: freeze push was asked and executed

Mga8: packages are in core updates_testing

* Thank you Joseph! *

You still need to for Mageia 8:

 1) here provide a list of the rpm packages QA are to test, and then

 2) set bug to QA Team (qa-bugs@ml.mageia.org)

 3) write an advisory for the updated packages.
    It is OK to write it in this bug, and someone can review and upload.

Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 46 David Walser 2023-06-25 18:21:51 CEST
Morgan, you confirmed that the new versions fix all of these issues?
Comment 47 Morgan Leijström 2023-06-25 23:01:02 CEST
mga9: Sorry, no - I just noticed on dev list they got freeze moved, so changed status from Cauldron to 8.

For mga8 I expect packager to state what is fixed in the advisory.
Comment 48 Joseph Wang 2023-06-26 02:32:28 CEST
Will do this evening.  I was waffling back and forth between 3.4.7 which has some known vulnerabilities or just upgrading to 4.5.1 which has everything fixed.  Let me try building 4.5.1 on Mageia 8 first.

Assignee: joequant => qa-bugs

David Walser 2023-06-26 03:08:43 CEST

Assignee: qa-bugs => joequant

Comment 49 Morgan Leijström 2023-06-26 09:00:39 CEST
@Joseph: assign to QA when new packages are built, and you have here provided a list of mga8 rpm packages to test. :)
Comment 50 Joseph Wang 2023-06-27 02:16:44 CEST
QA,

Please test the following packages in mageia 8

podman-4.5.1-1.mga8
conmon-2.1.5-1.mga8
skopeo-1.12.0-2.mga8 <- Note release is 2
buildah-1.30.0.mga8

According to the NVD database there are no known vulnerabilities in
these versions

These versions will fix the following security issues

CVE-2021-20206 - fixed buildah >= 1.23.1
CVE-2021-20291 - fixed skopeo >= 1.2.3, buildah >= 1.20.1
CVE-2021-3602 - fixed podman >= 1.2.3, buildah >= 1.21.1
CVE-2021-34558 - fixed buildah >= 1.21.4
CVE-2021-41190 - fixed buildah >= 1.5.2
CVE-2022-2989 - fixed buildah >= 1.27.0, fixed podman > 4.3.1
CVE-2022-2990 - fixed buildah >= 1.27.0
CVE-2022-21698 - fixed skopeo >= 1.7.0, podman >= 4.0.0
CVE-2022-27191 - fixed buildah >= 1.23.3, podman >= 4.0.0
CVE-2022-27651 - fixed buildah >= 1.25.1
CVE-2022-41734 - fixed skopeo >= 1.11.2

As well as these two....

CVE-2022-1227 - fixed podman >= 4.0.0
CVE-2022-27649 - fixed podman >= 4.0.3
Joseph Wang 2023-06-27 02:17:43 CEST

Assignee: joequant => qa-bugs

David Walser 2023-06-27 04:23:45 CEST

CC: (none) => joequant

Comment 51 David Walser 2023-06-27 14:15:13 CEST
containers-common-1.12.0-2.mga8
skopeo-1.12.0-2.mga8
conmon-2.1.5-1.mga8
buildah-1.30.0-1.mga8
buildah-tests-1.30.0-1.mga8
podman-remote-4.5.1-1.mga8
podman-4.5.1-1.mga8
podman-fish-completion-4.5.1-1.mga8
podman-docker-4.5.1-1.mga8
podman-zsh-completion-4.5.1-1.mga8
podman-plugins-4.5.1-1.mga8

from SRPMS:
skopeo-1.12.0-2.mga8.src.rpm
conmon-2.1.5-1.mga8.src.rpm
buildah-1.30.0-1.mga8.src.rpm
podman-4.5.1-1.mga8.src.rpm
David GEIGER 2023-06-29 20:50:35 CEST

Blocks: (none) => 31099

Comment 52 David Walser 2023-06-29 23:00:49 CEST
The conmon update also fixes CVE-2022-1708 (fixed in 2.1.2) as David just noted with the attached bug 31099.
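The "fixed in version X" list in comment 50 and the package list in comment 51 invite a mechanical check: is every installed package at or above the version that carries the fix? The script below is an added example written for this page, not code from the bug, from Mageia or from the containers project. It reimplements RPM's version ordering (the `rpmvercmp` rules: alphanumeric segments, numeric runs compared as numbers, a tilde sorts below everything) and compares `rpm -q`-style NVR strings against a fixed-in table. The table holds four entries copied from comments 50 and 52; the two NVR lists are constructed from the Source RPM field (the versions the bug was filed against) and the comment 51 update set. Names such as `FIXED_IN`, `outstanding_cves` and `satisfies` are this example's own.

```python
import re

# Version requirements as stated in this bug (comment 50 for the first three,
# comment 52 for conmon).  Only the version part is compared, never the release.
FIXED_IN = {
    "CVE-2021-20291": {"skopeo": ">=1.2.3", "buildah": ">=1.20.1"},
    "CVE-2022-27651": {"buildah": ">=1.25.1"},
    "CVE-2022-2989": {"buildah": ">=1.27.0", "podman": ">4.3.1"},
    "CVE-2022-1708": {"conmon": ">=2.1.2"},
}

# Constructed inputs in `rpm -q` NVR form: the SRPM versions the bug was filed
# against, and the Mageia 8 update set listed in comment 51.
ORIGINAL_MGA8 = [
    "skopeo-1.2.0-1.mga8",
    "buildah-1.18.0-1.mga8",
    "podman-3.0.0-0.20201203.1.dev.git0c2a43b.mga8",
]
UPDATED_MGA8 = [
    "skopeo-1.12.0-2.mga8",
    "buildah-1.30.0-1.mga8",
    "podman-4.5.1-1.mga8",
    "conmon-2.1.5-1.mga8",
]

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version strings the way librpm does: split on anything that
    is not alphanumeric, compare digit runs numerically and letter runs
    lexically, a digit run beats a letter run, and a tilde sorts below
    everything (so 1.0~rc1 < 1.0).  Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            return (xi > yi) - (xi < yi)
        if x.isdigit():
            return 1
        if y.isdigit():
            return -1
        return (x > y) - (x < y)
    # Common prefix is equal: the longer string is newer unless its next
    # segment is a tilde (pre-release marker).
    if len(sa) > len(sb):
        return -1 if sa[len(sb)] == "~" else 1
    if len(sb) > len(sa):
        return 1 if sb[len(sa)] == "~" else -1
    return 0


def parse_nvr(nvr: str):
    """Split 'name-version-release' into its parts; the name may contain
    dashes (podman-remote), so split from the right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def satisfies(installed: str, requirement: str) -> bool:
    """True if `installed` meets a '>=X' or '>X' requirement."""
    m = re.fullmatch(r"(>=|>)\s*(.+)", requirement)
    if not m:
        raise ValueError(f"unsupported requirement: {requirement!r}")
    op, wanted = m.groups()
    c = rpmvercmp(installed, wanted)
    return c > 0 or (op == ">=" and c == 0)


def outstanding_cves(installed_nvrs, table=FIXED_IN):
    """Map each CVE to the installed packages still below its fixed version.
    Packages that are not installed are ignored."""
    versions = {}
    for nvr in installed_nvrs:
        name, version, _release = parse_nvr(nvr)
        versions[name] = version
    report = {}
    for cve, reqs in table.items():
        missing = [pkg for pkg, req in reqs.items()
                   if pkg in versions and not satisfies(versions[pkg], req)]
        if missing:
            report[cve] = missing
    return report


if __name__ == "__main__":
    for label, pkgs in (("before update", ORIGINAL_MGA8),
                        ("after update", UPDATED_MGA8)):
        print(label + ":", outstanding_cves(pkgs) or "no outstanding CVEs")
```

Two caveats a practitioner should keep in mind. First, a version-only comparison is a heuristic: distributions routinely backport fixes into an older version with a new release tag, so a package that this check flags may already be patched, and the distribution advisory (MGASA-2023-0213 for this update) is the authoritative statement. Second, the check cannot see vendored dependencies; comment 8 notes that CVE-2021-34558 reached buildah and podman through a bundled Go module, and comment 25 notes that podman and conmon had to be rebuilt against an updated golang, neither of which shows up in the package's own version string.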
Comment 53 Len Lawrence 2023-07-01 18:37:16 CEST
Mageia8, x86_64
Having a go at this but it looks like a lot of ground to cover so might take a week or two.  Shall issue interim reports if possible.
Installed all the packages.  Only thing to note is that docker had to be removed in favour of podman-docker.
Shall run updates later after checking the CVEs.

CC: (none) => tarazed25

Comment 54 Len Lawrence 2023-07-01 19:07:56 CEST
The issues reported in the CVEs could be reproduced by an expert user perhaps.

The updates all installed without fuss.
Comment 55 Len Lawrence 2023-07-02 19:17:35 CEST
Before updating investigated the applications and ran various simple commands, which worked for the most part but had trouble with buildah because of limited knowledge.
The test directory contains a Dockerfile but I cannot remember where that came from:

$ cat Dockerfile
# syntax=docker/dockerfile:1
   
FROM node:18-alpine
WORKDIR /home/lcl/podman/tarazed
COPY . .
RUN yarn install --production
CMD ["node", "src/index.js"]
EXPOSE 3000

After the tests a local file tree had been created at ~/.local/share/containers with 41453 files.  Purged these later, which proved to be a mistake because all my container history was lost.

https://www.mankier.com/1/skopeo-inspect

$ skopeo inspect docker://docker.io/fedora
{
    "Name": "docker.io/library/fedora",
    "Digest": "sha256:a1347432284b0361f472ebc7c00874cf084e93bc2d9c78fe19f9840da9514789",
[...]
"FBR=f38"
    ]
}

That looks reasonable.

$ skopeo inspect --no-tags docker://docker.io/library/python
{
    "Name": "docker.io/library/python",
    "Digest": "sha256:fe68f3194a1a6df058901085495abca83d8841415101366c3a4c66f06f39760a",
    "RepoTags": [],
[...]
"PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"LANG=C.UTF-8",
        "GPG_KEY=A035C8C19219BA821ECEA86B64E628F8D684696D",
        "PYTHON_VERSION=3.11.4",
        "PYTHON_PIP_VERSION=23.1.2",
        "PYTHON_SETUPTOOLS_VERSION=65.5.1",
        "PYTHON_GET_PIP_URL=https://github.com/pypa/get-pip/raw/0d8570dc44796f4369b652222cf176b3db6ac70e/public/get-pip.py",
        "PYTHON_GET_PIP_SHA256=96461deced5c2a487ddc65207ec5a9cffeca0d34e7af7ea1afc470ff0d746207"
    ]
}

Another long report which looks reasonable.

$ skopeo inspect --config docker://registry.fedoraproject.org/fedora --format "{{ .Architecture }}"
amd64

$ skopeo inspect --format '{{ .Env }}' docker://registry.access.redhat.com/ubi8
[PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin container=oci]

There is not much else that can be done with these applications without learning how to actually build containers.
https://podman.io/get-started

$ podman images
REPOSITORY  TAG         IMAGE ID    CREATED     SIZE
docker.io/library/mageia  latest      5d2f474d2628  2 years ago  322 MB
$ podman search docker.io/library/mageia
$ podman run -dt -p 8080:80/tcp docker.io/library/mageia
dafc297335fbc8dae9c0ac1d09452bf4934b21086a043135c7a1feb45cb0ed19
$ podman ps
CONTAINER ID  IMAGE                            COMMAND     CREATED        STATUS            PORTS                 NAMES
dafc297335fb  docker.io/library/mageia:latest  /bin/bash   7 minutes ago  Up 7 minutes ago  0.0.0.0:8080->80/tcp  ecstatic_curran
$ podman kill dafc297335fb
dafc297335fb
$ podman ps -a
CONTAINER ID  IMAGE                            COMMAND     CREATED        STATUS                       PORTS                 NAMES
dafc297335fb  docker.io/library/mageia:latest  /bin/bash   4 hours ago    Exited (137) 11 minutes ago  0.0.0.0:8080->80/tcp  ecstatic_curran
2a1a0c9c72da  docker.io/library/mageia:latest  /bin/bash   6 minutes ago  Up 6 minutes ago             0.0.0.0:8080->80/tcp  thirsty_hoover

podman uses buildah as a backend.
Tried to create a container using buildah, with guidance at https://buildah.io/blogs/2017/11/02/getting-started-with-buildah.html but did not get very far:

$ newcontainer=$(buildah from scratch)
$ scratchmnt=$(buildah mount $newcontainer)
$ buildah containers
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
319ec863cb8d     *     5d2f474d2628 docker.io/library/mageia:latest  mageia-working-container
1b548aad0abf     *                  scratch                          working-container
$ buildah images
REPOSITORY                 TAG      IMAGE ID       CREATED       SIZE
docker.io/library/mageia   latest   5d2f474d2628   2 years ago   322 MB
$ buildah run $newcontainer bash
2023-07-02T15:03:05.000643098Z: executable file `bash` not found in $PATH: No such file or directory
....

Attempts to get any further failed for reasons not understood, possibly involving file permissions as well as user ignorance but all in all the suite looks in good shape.

Whiteboard: (none) => MGA8-64-OK

Comment 56 Thomas Andrews 2023-07-02 23:58:43 CEST
This whole discussion is completely over my head, and I don't mind admitting it.

For lack of any other reason, I'm going to validate it based on Len's test and comments, and because it is supposed to fix many security issues. If that is insufficient, please remove the validation.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-07-06 22:12:19 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 57 Mageia Robot 2023-07-07 07:56:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0213.html

Resolution: (none) => FIXED
Status: REOPENED => RESOLVED

