modules:
    - module: github.com/containers/buildah
      versions:
        - fixed: 1.27.1
      vulnerable_at: 1.27.0
      packages:
        - package: github.com/containers/buildah
          symbols:
            - Builder.configureUIDGID
          derived_symbols:
            - Builder.Run
description: |
    SGID programs executed in a container can access files that have negative
    group permissions for the user's primary group.

    Consider a file which is owned by user u1 and group g1, permits user and
    other read access, and does NOT permit group read access. This file is
    readable by u1 and all other users except for ones in group g1.

    A program with the set-group-ID (SGID) bit set executes with its owning
    group as the process's primary group.

    A user with the primary group g1 who executes an SGID program owned by
    group g2 should not be able to access the file described above. While
    the program executes with the primary group g2, the group g1 should
    remain in its supplementary groups, blocking access to the file.

    Buildah does not correctly add g1 to the supplementary groups in this
    scenario, permitting unauthorized access.
cves:
    - CVE-2022-2990
ghsas:
    - GHSA-fjm8-m7m6-2fjp
references:
    - article: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
    - fix: https://github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b