CVE-2024-1753: Affected podman and buildah versions #5420

danishprakash · 2024-03-20T07:56:14Z

danishprakash
Mar 20, 2024

The buildah advisory states that versions 1.35.0 and earlier are affected. For podman, it says that versions Podman 4.9.3, 5.0, and lower are the ones affected. I tried to look into the issue and it seems to be introduced along with #3590 wherein we introduced from as part of --mount. Allowing us to mount the image filesystem changeset from local storage. This feature was first introduced in buildah 1.24.0. The reproducer also doesn't work in versions below 1.24.0 but works (as in, I can see the exploit dir) >= 1.24.0.

If this is correct, then can we say that the affected buildah versions are 1.24.0-1.35.0? Subsequently for podman, 4.0.0-5.0.0? assuming buildah 1.24.0 was vendored with containers/podman#13029.

Answered by nalind

Apr 3, 2024

Yes, that matches the conclusion that @TomSweeneyRedHat and I reached when determining which branches needed to be patched.

View full answer

nalind · 2024-04-03T19:36:53Z

nalind
Apr 3, 2024
Maintainer

Yes, that matches the conclusion that @TomSweeneyRedHat and I reached when determining which branches needed to be patched.

1 reply

TomSweeneyRedHat Apr 5, 2024
Maintainer

Concured!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-1753: Affected podman and buildah versions #5420

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

CVE-2024-1753: Affected podman and buildah versions #5420

danishprakash Mar 20, 2024

Replies: 1 comment · 1 reply

nalind Apr 3, 2024 Maintainer

TomSweeneyRedHat Apr 5, 2024 Maintainer

danishprakash
Mar 20, 2024

Replies: 1 comment 1 reply

nalind
Apr 3, 2024
Maintainer

TomSweeneyRedHat Apr 5, 2024
Maintainer