Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Untriaged
Filter by:
With package: buildah-unwrapped

Found 7 matching suggestions

View:
Compact
Detailed
Permalink CVE-2024-11218
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
Podman: buildah: container breakout by using --jobs=2 and a race condition when building a malicious containerfile

A vulnerability was found in `podman build` and `buildah.` This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.

References

Affected products

rhcos
  • *
podman
  • *
buildah
  • <1.33.12
  • <1.38.1
  • <1.35.5
  • *
  • <1.37.6
container-tools:rhel8
  • *
container-tools:rhel8/podman
container-tools:rhel8/buildah

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.buildah

Tool which facilitates building OCI images

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-9676
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
created 6 months, 1 week ago
Podman: buildah: cri-o: symlink traversal vulnerability in the containers/storage library can cause denial of service (dos)

A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.

References

Affected products

cri-o
  • *
conmon
podman
  • *
skopeo
buildah
  • *
containers/storage
  • <1.55.1
container-tools:rhel8
  • *
quay/quay-builder-rhel8
ocp-tools-4/jenkins-rhel8
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
container-tools:rhel8/buildah
openshift4/ose-docker-builder
  • *
jenkins-agent-base-rhel9-container
openshift4/ose-docker-builder-rhel9
  • *
ocp-tools-4/jenkins-agent-base-rhel8

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

pkgs.conmon

OCI container runtime monitor

  • nixos-unstable -

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.skopeo

Command line utility for various operations on container images and image repositories

  • nixos-unstable -

pkgs.buildah

Tool which facilitates building OCI images

  • nixos-unstable -

pkgs.conmon-rs

OCI container runtime monitor written in Rust

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-9675
4.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months, 1 week ago
Buildah: buildah allows arbitrary directory mount

A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

References

Affected products

cri-o
conmon
podman
  • *
skopeo
buildah
  • *
  • <1.38.0
buildah-container
container-tools:rhel8
  • *
quay/quay-builder-rhel8
ocp-tools-4/jenkins-rhel8
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
container-tools:rhel8/buildah
openshift4/ose-docker-builder
  • *
openshift4/ose-docker-builder-rhel9
  • *
ocp-tools-4/jenkins-agent-base-rhel8
openshift-enterprise-builder-container
  • *

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

pkgs.conmon

OCI container runtime monitor

  • nixos-unstable -

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.skopeo

Command line utility for various operations on container images and image repositories

  • nixos-unstable -

pkgs.buildah

Tool which facilitates building OCI images

  • nixos-unstable -

pkgs.conmon-rs

OCI container runtime monitor written in Rust

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-9407
4.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months, 1 week ago
Buildah: podman: improper input validation in bind-propagation option of dockerfile run --mount instruction

A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.

References

Affected products

rhcos
  • *
podman
  • <1.5.0
  • <5.2.4
  • *
buildah
  • <1.9.1
  • <1.37.4
  • *
container-tools:rhel8
  • *
container-tools:rhel8/podman
container-tools:rhel8/buildah
openshift4/ose-docker-builder
openshift4/ose-docker-builder-rhel9

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.buildah

Tool which facilitates building OCI images

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-9341
5.4 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): LOW
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 6 months, 1 week ago
Podman: buildah: cri-o: fips crypto-policy directory mounting issue in containers/common go library

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

References

Affected products

cri-o
  • *
rhcos
  • *
podman
  • *
buildah
  • *
container-tools:rhel8
  • *
container-tools:rhel8/podman
github.com/containers/common
  • <0.60.4
container-tools:rhel8/buildah
openshift4/ose-docker-builder
openshift4/ose-docker-builder-rhel9

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.buildah

Tool which facilitates building OCI images

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-3727
8.3 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
Containers/image: digest type does not guarantee valid type

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

References

Affected products

cri-o
  • *
image
  • <5.29.3
  • <5.30.1
rhcos
  • *
conmon
podman
  • *
skopeo
  • *
buildah
  • *
atomic-openshift
osbuild-composer
containers-common
openshift-clients
openshift4/ose-cli
devspaces/udi-rhel8
openshift4/ose-tests
  • *
container-tools:rhel8
  • *
openshift4/ose-console
  • *
openshift4/ose-deployer
quay/quay-builder-rhel8
openshift4/ose-cli-rhel9
openshift4/ose-installer
openshift4/ose-sdn-rhel9
  • *
ocp-tools-4/jenkins-rhel8
source-to-image-container
container-tools:4.0/conmon
container-tools:4.0/podman
container-tools:4.0/skopeo
openshift4/ose-tools-rhel8
  • *
container-tools:4.0/buildah
container-tools:rhel8/conmon
container-tools:rhel8/podman
container-tools:rhel8/skopeo
openshift-serverless-clients
openshift4/ose-cli-artifacts
container-tools:rhel8/buildah
oadp/oadp-velero-plugin-rhel8
oadp/oadp-velero-plugin-rhel9
  • *
openshift4/ose-deployer-rhel9
openshift4/ose-docker-builder
  • *
multicluster-engine/hive-rhel8
multicluster-engine/hive-rhel9
openshift4/network-tools-rhel8
  • *
openshift4/ose-hypershift-rhel9
  • *
openshift4/ose-olm-rukpak-rhel8
openshift4/ose-operator-registry
rhacm2/submariner-rhel8-operator
rhacm2/submariner-rhel9-operator
openshift4/oc-mirror-plugin-rhel8
openshift4/oc-mirror-plugin-rhel9
  • *
openshift4/ose-installer-artifacts
osp-director-provisioner-container
virt-cdi-apiserver-rhel9-container
openshift4/assisted-installer-rhel8
openshift4/ose-ovn-kubernetes-rhel9
  • *
ocp-tools-4/jenkins-agent-base-rhel8
container-tools:4.0/containers-common
source-to-image/source-to-image-rhel8
openshift-serverless-1/client-kn-rhel8
openshift4/ose-insights-rhel9-operator
  • *
openshift4/ose-machine-config-operator
openshift4/ose-operator-registry-rhel9
  • *
container-tools:rhel8/containers-common
multicluster-engine/agent-service-rhel8
openshift4/ose-installer-altinfra-rhel8
openshift4/ose-installer-altinfra-rhel9
openshift4/ose-baremetal-installer-rhel7
openshift4/ose-baremetal-installer-rhel8
openshift4/ose-baremetal-installer-rhel9
openshift4/ose-installer-artifacts-rhel9
openshift4/ose-openshift-apiserver-rhel7
openshift4/ose-openshift-apiserver-rhel8
openshift4/ose-openshift-apiserver-rhel9
  • *
openshift4/assisted-installer-agent-rhel8
openshift4/ose-machine-api-rhel9-operator
  • *
openshift4/ose-operator-lifecycle-manager
  • *
advanced-cluster-security/rhacs-main-rhel8
  • *
ose-openshift-controller-manager-container
rhai-tech-preview/assisted-installer-rhel8
rhmtc/openshift-migration-controller-rhel8
  • *
ose-installer-terraform-providers-container
advanced-cluster-security/rhacs-roxctl-rhel8
  • *
multicluster-engine/assisted-installer-rhel8
openshift4/assisted-installer-reporter-rhel8
openshift4/ose-apiserver-network-proxy-rhel9
  • *
openshift4/ose-machine-config-rhel9-operator
  • *
openshift4/ose-olm-operator-controller-rhel8
openshift4/ose-olm-operator-controller-rhel9
  • *
advanced-cluster-security/rhacs-scanner-rhel8
  • *
openshift4/ose-cluster-ingress-rhel9-operator
  • *
openshift4/ose-cluster-network-rhel9-operator
  • *
rhacm2-tech-preview/submariner-rhel8-operator
advanced-cluster-security/rhacs-rhel8-operator
  • *
openshift4/ose-openshift-proxy-pull-test-rhel8
openshift4/ose-ovn-kubernetes-microshift-rhel9
  • *
advanced-cluster-security/rhacs-collector-rhel8
  • *
advanced-cluster-security/rhacs-operator-bundle
  • *
container-native-virtualization/virt-cdi-cloner
openshift4/ose-agent-installer-api-server-rhel8
  • *
openshift4/ose-agent-installer-api-server-rhel9
  • *
openshift4/ose-agent-installer-node-agent-rhel8
openshift4/ose-agent-installer-node-agent-rhel9
  • *
openshift4/ose-operator-lifecycle-manager-rhel9
  • *
advanced-cluster-security/rhacs-central-db-rhel8
  • *
advanced-cluster-security/rhacs-scanner-db-rhel8
  • *
advanced-cluster-security/rhacs-scanner-v4-rhel8
  • *
openshift4/ose-alibaba-machine-controllers-rhel9
  • *
openshift4/ose-cluster-autoscaler-rhel9-operator
  • *
openshift4/ose-multus-admission-controller-rhel9
  • *
openshift4/ose-multus-whereabouts-ipam-cni-rhel8
  • *
openshift4/ose-nutanix-machine-controllers-rhel9
  • *
openshift4/ose-powervs-machine-controllers-rhel9
  • *
rhai-tech-preview/assisted-installer-agent-rhel8
container-native-virtualization/virt-cdi-importer
container-native-virtualization/virt-cdi-operator
openshift-sandboxed-containers/osc-rhel8-operator
openshift-sandboxed-containers/osc-rhel9-operator
openshift4/ose-agent-installer-csr-approver-rhel8
openshift4/ose-agent-installer-csr-approver-rhel9
openshift4/ose-agent-installer-orchestrator-rhel8
  • *
openshift4/ose-agent-installer-orchestrator-rhel9
  • *
openshift4/ose-cluster-node-tuning-rhel9-operator
  • *
openshift4/ose-openshift-controller-manager-rhel7
openshift4/ose-openshift-controller-manager-rhel8
openshift4/ose-openshift-controller-manager-rhel9
  • *
advanced-cluster-security/rhacs-scanner-slim-rhel8
  • *
container-native-virtualization/virt-cdi-apiserver
multicluster-engine/assisted-installer-agent-rhel8
multicluster-engine/assisted-installer-agent-rhel9
advanced-cluster-security/rhacs-scanner-v4-db-rhel8
  • *
container-native-virtualization/virt-cdi-controller
rhai-tech-preview/assisted-installer-reporter-rhel8
advanced-cluster-security/rhacs-collector-slim-rhel8
  • *
container-native-virtualization/virt-cdi-uploadproxy
openshift-sandboxed-containers/osc-must-gather-rhel8
openshift-sandboxed-containers/osc-must-gather-rhel9
advanced-cluster-security/rhacs-scanner-db-slim-rhel8
  • *
container-native-virtualization/virt-cdi-cloner-rhel9
container-native-virtualization/virt-cdi-uploadserver
multicluster-engine/assisted-installer-reporter-rhel8
openshift4/ose-powervs-cloud-controller-manager-rhel9
  • *
multicluster-engine-assisted-installer-agent-container
container-native-virtualization/virt-cdi-importer-rhel9
container-native-virtualization/virt-cdi-operator-rhel9
container-native-virtualization/virt-cdi-apiserver-rhel9
container-native-virtualization/virt-cdi-controller-rhel9
  • *
container-native-virtualization/virt-cdi-uploadproxy-rhel9
container-native-virtualization/virt-cdi-uploadserver-rhel9
openshift-sandboxed-containers-tech-preview/osc-rhel8-operator
openshift4/ose-cluster-control-plane-machine-set-rhel9-operator
  • *
openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8

Matching in nixpkgs

pkgs.cri-o

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

pkgs.conmon

OCI container runtime monitor

  • nixos-unstable -

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.skopeo

Command line utility for various operations on container images and image repositories

  • nixos-unstable -

pkgs.buildah

Tool which facilitates building OCI images

  • nixos-unstable -

pkgs.conmon-rs

OCI container runtime monitor written in Rust

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

pkgs.cri-o-unwrapped

Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface

  • nixos-unstable -

Package maintainers

Permalink CVE-2024-1753
8.6 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 6 months, 1 week ago
Buildah: full container escape at build time

A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.

References

Affected products

podman
  • *
buildah
  • ==4.15.0
  • *
container-tools:4.0
  • *
container-tools:rhel8
  • *
container-tools:4.0/podman
container-tools:4.0/buildah
container-tools:rhel8/podman
container-tools:rhel8/buildah

Matching in nixpkgs

pkgs.podman

Program for managing pods, containers and container images

  • nixos-unstable -

pkgs.buildah

Tool which facilitates building OCI images

  • nixos-unstable -

pkgs.podman-bootc

Streamlining podman+bootc interactions

  • nixos-unstable -

pkgs.podman-compose

Implementation of docker-compose with podman backend

  • nixos-unstable -

pkgs.podman-desktop

Graphical tool for developing on containers and Kubernetes

  • nixos-unstable -

Package maintainers