Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged
(browse all)
Permalink CVE-2024-9675
created 4 months, 3 weeks ago
Buildah: buildah allows arbitrary directory mount

A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

Affected products

cri-o
conmon
podman
  • *
skopeo
buildah
  • *
  • <1.38.0
buildah-container
container-tools:rhel8
  • *
quay/quay-builder-rhel8
ocp-tools-4/jenkins-rhel8
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
container-tools:rhel8/buildah
openshift4/ose-docker-builder
  • *
openshift4/ose-docker-builder-rhel9
  • *
ocp-tools-4/jenkins-agent-base-rhel8
openshift-enterprise-builder-container
  • *

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

pkgs.conmon

OCI container runtime monitor

  • nixos-unstable -

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.skopeo

Command line utility for various operations on container images and image repositories

  • nixos-unstable -

pkgs.buildah

Tool which facilitates building OCI images

  • nixos-unstable -

pkgs.conmon-rs

OCI container runtime monitor written in Rust

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

Package maintainers