Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2024-9676

created 4 months, 3 weeks ago

Podman: buildah: cri-o: symlink traversal vulnerability in the containers/storage library can cause denial of service (dos)

A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.

Affected products

cri-o

*

conmon

podman

*

skopeo

buildah

*

containers/storage

<1.55.1

container-tools:rhel8

*

quay/quay-builder-rhel8

ocp-tools-4/jenkins-rhel8

container-tools:rhel8/conmon

container-tools:rhel8/podman

container-tools:rhel8/skopeo

container-tools:rhel8/buildah

openshift4/ose-docker-builder

*

jenkins-agent-base-rhel9-container

openshift4/ose-docker-builder-rhel9

*

ocp-tools-4/jenkins-agent-base-rhel8

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

nixos-unstable -
- nixpkgs-unstable 1.34.0

pkgs.conmon

OCI container runtime monitor

nixos-unstable -
- nixpkgs-unstable 2.1.13

pkgs.podman

Program for managing pods, containers and container images

nixos-unstable -
- nixpkgs-unstable 5.6.1

pkgs.skopeo

Command line utility for various operations on container images and image repositories

nixos-unstable -
- nixpkgs-unstable 1.20.0

pkgs.buildah

Tool which facilitates building OCI images

nixos-unstable -
- nixpkgs-unstable 1.41.4

pkgs.conmon-rs

OCI container runtime monitor written in Rust

nixos-unstable -
- nixpkgs-unstable 0.7.2

pkgs.podman-tui

Podman Terminal UI

nixos-unstable -
- nixpkgs-unstable 1.8.0

pkgs.podman-bootc

Streamlining podman+bootc interactions

nixos-unstable -
- nixpkgs-unstable 0.1.2

pkgs.podman-compose

Implementation of docker-compose with podman backend

nixos-unstable -
- nixpkgs-unstable 1.5.0

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

nixos-unstable -
- nixpkgs-unstable 1.21.0

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

nixos-unstable -
- nixpkgs-unstable 1.34.0

pkgs.buildah-unwrapped

Tool which facilitates building OCI images

nixos-unstable -
- nixpkgs-unstable 1.41.4

pkgs.nomad-driver-podman

Podman task driver for Nomad

nixos-unstable -
- nixpkgs-unstable 0.6.3

pkgs.python312Packages.podman

Python bindings for Podman's RESTful API

nixos-unstable -
- nixpkgs-unstable 5.6.0

pkgs.python313Packages.podman

Python bindings for Podman's RESTful API

nixos-unstable -
- nixpkgs-unstable 5.6.0

Package maintainers

@vdemeester Vincent Demeester <vincent@sbr.pm>
@saschagrunert Sascha Grunert <mail@saschagrunert.de>
@cpcloud Phillip Cloud
@evan-goode Evan Goode <mail@evangoo.de>
@sikmir Nikolay Korotkiy <sikmir@disroot.org>
@booxter Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
@aaronjheng Aaron Jheng <wentworth@outlook.com>
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
@ryan4yin Ryan Yin <xiaoyin_c@qq.com>
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>
@nlewo Antoine Eiche <lewo@abesis.fr>