blob: d1d14738775a64bc7742fe338a55e11e56ece6ca [file] [log] [blame]
id: GO-2022-1008
modules:
- module: github.com/containers/buildah
versions:
- fixed: 1.27.1
vulnerable_at: 1.27.0
packages:
- package: github.com/containers/buildah
symbols:
- Builder.configureUIDGID
derived_symbols:
- Builder.Run
summary: Unauthorized file access in github.com/containers/buildah
description: |-
SGID programs executed in a container can access files that have negative group
permissions for the user's primary group.
Consider a file which is owned by user u1 and group g1, permits user and other
read access, and does NOT permit group read access. This file is readable by u1
and all other users except for ones in group g1.
A program with the set-group-ID (SGID) bit set assumes the primary group of the
program's group when it executes.
A user with the primary group g1 who executes an SGID program owned by group g2
should not be able to access the file described above. While the program
executes with the primary group g2, the group g1 should remain in its
supplementary groups, blocking access to the file.
Buildah does not correctly add g1 to the supplementary groups in this scenario,
permitting unauthorized access.
cves:
- CVE-2022-2990
ghsas:
- GHSA-fjm8-m7m6-2fjp
related:
- CVE-2022-2989
- CVE-2022-2995
- CVE-2022-36109
- CVE-2023-25173
- GHSA-4wjj-jwc9-2x96
- GHSA-hmfx-3pcx-653p
- GHSA-phjr-8j92-w5v7
- GHSA-rc4r-wh2q-q6c4
references:
- article: https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
- fix: https://github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b
review_status: REVIEWED