| id: GO-2022-1008 |
| modules: |
| - module: github.com/containers/buildah |
| versions: |
| - fixed: 1.27.1 |
| vulnerable_at: 1.27.0 |
| packages: |
| - package: github.com/containers/buildah |
| symbols: |
| - Builder.configureUIDGID |
| derived_symbols: |
| - Builder.Run |
| summary: Unauthorized file access in github.com/containers/buildah |
| description: |- |
| SGID programs executed in a container can access files that have negative group |
| permissions for the user's primary group. |
| |
| Consider a file which is owned by user u1 and group g1, permits user and other |
| read access, and does NOT permit group read access. This file is readable by u1 |
| and all other users except for ones in group g1. |
| |
| A program with the set-group-ID (SGID) bit set assumes the primary group of the |
| program's group when it executes. |
| |
| A user with the primary group g1 who executes an SGID program owned by group g2 |
| should not be able to access the file described above. While the program |
| executes with the primary group g2, the group g1 should remain in its |
| supplementary groups, blocking access to the file. |
| |
| Buildah does not correctly add g1 to the supplementary groups in this scenario, |
| permitting unauthorized access. |
| cves: |
| - CVE-2022-2990 |
| ghsas: |
| - GHSA-fjm8-m7m6-2fjp |
| related: |
| - CVE-2022-2989 |
| - CVE-2022-2995 |
| - CVE-2022-36109 |
| - CVE-2023-25173 |
| - GHSA-4wjj-jwc9-2x96 |
| - GHSA-hmfx-3pcx-653p |
| - GHSA-phjr-8j92-w5v7 |
| - GHSA-rc4r-wh2q-q6c4 |
| references: |
| - article: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/ |
| - fix: https://github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b |
| review_status: REVIEWED |