GO-2022-0417

See a problem?

Source

https://pkg.go.dev/vuln/GO-2022-0417

Import Source

https://vuln.go.dev/ID/GO-2022-0417.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-0417

Aliases

Published

2022-07-01T20:08:10Z

Modified

2024-05-20T16:03:47Z

Summary

Incorrect default permissions in github.com/containers/buildah

Details

Containers are created with non-empty inheritable Linux process capabilities, permitting programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2).

This bug does not affect the container security sandbox, as the inheritable set never contains more capabilities than are included in the container's bounding set.

References

Affected packages

Go / github.com/containers/buildah

Package

Name: github.com/containers/buildah; View open source insights on deps.dev
Purl: pkg:golang/github.com/containers/buildah

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.25.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/containers/buildah",
            "symbols": [
                "Builder.Run",
                "setupCapAdd",
                "setupCapDrop"
            ]
        },
        {
            "path": "github.com/containers/buildah/chroot",
            "symbols": [
                "setCapabilities"
            ]
        }
    ]
}