Security update for buildah SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:3655-1 Final 1 1 2022-10-19T10:34:23Z current 2022-10-19T10:34:23Z 2022-10-19T10:34:23Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for buildah This update for buildah fixes the following issues: Buildah was updated to version 1.27.1: - CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961). - CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864). - CVE-2022-2990: Fixed a possible information disclosure and modification (bsc#1202812). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-3655,SUSE-SLE-Module-Containers-15-SP4-2022-3655,openSUSE-SLE-15.4-2022-3655 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20223655-1/ Link for SUSE-SU-2022:3655-1 https://lists.suse.com/pipermail/sle-security-updates/2022-October/012578.html E-Mail link for SUSE-SU-2022:3655-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1167864 SUSE Bug 1167864 https://bugzilla.suse.com/1181961 SUSE Bug 1181961 https://bugzilla.suse.com/1202812 SUSE Bug 1202812 https://www.suse.com/security/cve/CVE-2020-10696/ SUSE CVE CVE-2020-10696 page https://www.suse.com/security/cve/CVE-2021-20206/ SUSE CVE CVE-2021-20206 page https://www.suse.com/security/cve/CVE-2022-2990/ SUSE CVE CVE-2022-2990 page SUSE Linux Enterprise Module for Containers 15 SP4 openSUSE Leap 15.4 buildah-1.27.1-150400.3.8.1 buildah-1.27.1-150400.3.8.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP4 buildah-1.27.1-150400.3.8.1 as a component of openSUSE Leap 15.4 A path traversal flaw was found in Buildah in versions before 1.14.5. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions. CVE-2020-10696 SUSE Linux Enterprise Module for Containers 15 SP4:buildah-1.27.1-150400.3.8.1 openSUSE Leap 15.4:buildah-1.27.1-150400.3.8.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223655-1/ https://www.suse.com/security/cve/CVE-2020-10696.html CVE-2020-10696 https://bugzilla.suse.com/1167864 SUSE Bug 1167864 An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1. When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. CVE-2021-20206 SUSE Linux Enterprise Module for Containers 15 SP4:buildah-1.27.1-150400.3.8.1 openSUSE Leap 15.4:buildah-1.27.1-150400.3.8.1 important 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223655-1/ https://www.suse.com/security/cve/CVE-2021-20206.html CVE-2021-20206 https://bugzilla.suse.com/1181961 SUSE Bug 1181961 An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. CVE-2022-2990 SUSE Linux Enterprise Module for Containers 15 SP4:buildah-1.27.1-150400.3.8.1 openSUSE Leap 15.4:buildah-1.27.1-150400.3.8.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20223655-1/ https://www.suse.com/security/cve/CVE-2022-2990.html CVE-2022-2990 https://bugzilla.suse.com/1202812 SUSE Bug 1202812