Bug 33036 - buildah and podman new security issue CVE-2024-1753
Summary: buildah and podman new security issue CVE-2024-1753
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Joseph Wang
QA Contact: Sec team
URL:
Whiteboard: MGA9TOO
Keywords:
Depends on:
Blocks:
 
Reported: 2024-03-29 14:52 CET by Nicolas Salguero
Modified: 2024-03-31 21:09 CEST

See Also:
Source RPM: buildah-1.35.0-1.mga10.src.rpm, podman-4.8.3-1.mga10.src.rpm
CVE: CVE-2024-1753
Status comment: Fixed upstream in buildah 1.35.1 and podman 4.9.4


Description Nicolas Salguero 2024-03-29 14:52:41 CET
That CVE was announced here:
https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
https://github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3

That problem is fixed in buildah 1.35.1 and podman 4.9.4 (or 5.0.1).

Mageia 9 is also affected.
Nicolas Salguero 2024-03-29 14:53:18 CET

Whiteboard: (none) => MGA9TOO
Status comment: (none) => Fixed upstream in buildah 1.35.1 and podman 4.9.4
Source RPM: (none) => buildah-1.35.0-1.mga10.src.rpm, podman-4.8.3-1.mga10.src.rpm
CVE: (none) => CVE-2024-1753

Comment 1 Lewis Smith 2024-03-31 21:09:29 CEST
Both new version cures.
Assigning to Joseph who currently maintains these pkgs.

Assignee: bugsquad => joequant

