SUSE-SU-2022:3766-1

Source
https://www.suse.com/support/update/announcement/2022/suse-su-20223766-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2022:3766-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2022:3766-1
Related
Published
2022-10-26T09:38:08Z
Modified
2022-10-26T09:38:08Z
Summary
Security update for buildah
Details

This update for buildah fixes the following issues:

  • CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
  • CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
  • CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

Buildah was updated to version 1.27.1:

  • run: add container gid to additional groups

  • Add fix for CVE-2022-2990 / bsc#1202812

Update to version 1.27.0:

  • Don't try to call runLabelStdioPipes if spec.Linux is not set
  • build: support filtering cache by duration using --cache-ttl
  • build: support building from commit when using git repo as build context
  • build: clean up git repos correctly when using subdirs
  • integration tests: quote '?' in shell scripts
  • test: manifest inspect should have OCIv1 annotation
  • vendor: bump to c/common@87fab4b7019a
  • Failure to determine a file or directory should print an error
  • refactor: remove unused CommitOptions from generateBuildOutput
  • stage_executor: generate output for cases with no commit
  • stage_executor, commit: output only if last stage in build
  • Use errors.Is() instead of os.Is{Not,}Exist
  • Minor test tweak for podman-remote compatibility
  • Cirrus: Use the latest imgts container
  • imagebuildah: complain about the right Dockerfile
  • tests: don't try to wrap nil errors
  • cmd/buildah.commitCmd: don't shadow 'err'
  • cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
  • Fix a copy/paste error message
  • Fix a typo in an error message
  • build,cache: support pulling/pushing cache layers to/from remote sources
  • Update vendor of containers/(common, storage, image)
  • Rename chroot/run.go to chroot/run_linux.go
  • Don't bother telling codespell to skip files that don't exist
  • Set user namespace defaults correctly for the library
  • imagebuildah: optimize cache hits for COPY and ADD instructions
  • Cirrus: Update VM images w/ updated bats
  • docs, run: show SELinux label flag for cache and bind mounts
  • imagebuildah, build: remove undefined concurrent writes
  • bump github.com/opencontainers/runtime-tools
  • Add FreeBSD support for 'buildah info'
  • Vendor in latest containers/(storage, common, image)
  • Add freebsd cross build targets
  • Make the jail package build on 32bit platforms
  • Cirrus: Ensure the build-push VM image is labeled
  • GHA: Fix dynamic script filename
  • Vendor in containers/(common, storage, image)
  • Run codespell
  • Remove import of github.com/pkg/errors
  • Avoid using cgo in pkg/jail
  • Rename footypes to fooTypes for naming consistency
  • Move cleanupTempVolumes and cleanupRunMounts to run_common.go
  • Make the various run mounts work for FreeBSD
  • Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
  • Move runSetupRunMounts to run_common.go
  • Move cleanableDestinationListFromMounts to run_common.go
  • Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
  • Move setupMounts and runSetupBuiltinVolumes to run_common.go
  • Tidy up - runMakeStdioPipe can't be shared with linux
  • Move runAcceptTerminal to run_common.go
  • Move stdio copying utilities to run_common.go
  • Move runUsingRuntime and runCollectOutput to run_common.go
  • Move fileCloser, waitForSync and contains to run_common.go
  • Move checkAndOverrideIsolationOptions to run_common.go
  • Move DefaultNamespaceOptions to run_common.go
  • Move getNetworkInterface to run_common.go
  • Move configureEnvironment to run_common.go
  • Don't crash in configureUIDGID if Process.Capabilities is nil
  • Move configureUIDGID to run_common.go
  • Move runLookupPath to run_common.go
  • Move setupTerminal to run_common.go
  • Move etc file generation utilities to run_common.go
  • Add run support for FreeBSD
  • Add a simple FreeBSD jail library
  • Add FreeBSD support to pkg/chrootuser
  • Sync call signature for RunUsingChroot with chroot/run.go
  • test: verify feature to resolve basename with args
  • vendor: bump openshift/imagebuilder to master@4151e43
  • GHA: Remove required reserved-name use
  • buildah: set XDGRUNTIMEDIR before setting default runroot
  • imagebuildah: honor build output even if build container is not commited
  • chroot: honor DefaultErrnoRet
  • [CI:DOCS] improve pull-policy documentation
  • tests: retrofit test since --file does not supports dir
  • Switch to golang native error wrapping
  • BuildDockerfiles: error out if path to containerfile is a directory
  • define.downloadToDirectory: fail early if bad HTTP response
  • GHA: Allow re-use of Cirrus-Cron fail-mail workflow
  • add: fail on bad http response instead of writing to container
  • [CI:DOCS] Update buildahimage comment
  • lint: inspectable is never nil
  • vendor: c/common to common@7e1563b
  • build: support OCI hooks for ephemeral build containers
  • [CI:BUILD] Install latest buildah instead of compiling
  • Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
  • Make sure cpp is installed in buildah images
  • demo: use unshare for rootless invocations
  • buildah.spec.rpkg: initial addition
  • build: fix test for subid 4
  • build, userns: add support for --userns=auto
  • Fix building upstream buildah image
  • Remove redundant buildahimages-are-sane validation
  • Docs: Update multi-arch buildah images readme
  • Cirrus: Migrate multiarch build off github actions
  • retrofit-tests: we skip unused stages so use stages
  • stage_executor: dont rely on stage while looking for additional-context
  • buildkit, multistage: skip computing unwanted stages
  • More test cleanup
  • copier: work around freebsd bug for 'mkdir /'
  • Replace $BUILDAH_BINARY with buildah() function
  • Fix up buildah images
  • Make util and copier build on FreeBSD
  • Vendor in latest github.com/sirupsen/logrus
  • Makefile: allow building without .git
  • run_unix: don't return an error from getNetworkInterface
  • run_unix: return a valid DefaultNamespaceOptions
  • Update vendor of containers/storage
  • chroot: use ActKillThread instead of ActKill
  • use resolvconf package from c/common/libnetwork
  • update c/common to latest main
  • copier: add NoOverwriteNonDirDir option
  • Sort buildoptions and move cli/build functions to internal
  • Fix TODO: de-spaghettify run mounts
  • Move options parsing out of build.go and into pkg/cli
  • [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
  • build, multiarch: support splitting build logs for --platform
  • [CI:BUILD] WIP Cleanup Image Dockerfiles
  • cli remove stutter
  • docker-parity: ignore sanity check if baseImage history is null
  • build, commit: allow disabling image history with --omit-history
  • Fix use generic/ambiguous DEBUG name
  • Cirrus: use Ubuntu 22.04 LTS
  • Fix codespell errors
  • Remove util.StringInSlice because it is defined in containers/common
  • buildah: add support for renaming a device in rootless setups
  • squash: never use build cache when computing last step of last stage
  • Update vendor of containers/(common, storage, image)
  • buildkit: supports additionalBuildContext in builds via --build-context
  • buildah source pull/push: show progress bar
  • run: allow resuing secret twice in different RUN steps
  • test helpers: default to being rootless-aware
  • Add --cpp-flag flag to buildah build
  • build: accept branch and subdirectory when context is git repo
  • Vendor in latest containers/common
  • vendor: update c/storage and c/image
  • Fix gentoo install docs
  • copier: move NSS load to new process
  • Add test for prevention of reusing encrypted layers
  • Make buildah build --label foo create an empty 'foo' label again

Update to version 1.26.4:

  • build, multiarch: support splitting build logs for --platform
  • copier: add NoOverwriteNonDirDir option
  • docker-parity: ignore sanity check if baseImage history is null
  • build, commit: allow disabling image history with --omit-history
  • buildkit: supports additionalBuildContext in builds via --build-context
  • Add --cpp-flag flag to buildah build

Update to version 1.26.3:

  • define.downloadToDirectory: fail early if bad HTTP response
  • add: fail on bad http response instead of writing to container
  • squash: never use build cache when computing last step of last stage
  • run: allow resuing secret twice in different RUN steps
  • integration tests: update expected error messages
  • integration tests: quote '?' in shell scripts
  • Use errors.Is() to check for storage errors
  • lint: inspectable is never nil
  • chroot: use ActKillThread instead of ActKill
  • chroot: honor DefaultErrnoRet
  • Set user namespace defaults correctly for the library
  • contrib/rpm/buildah.spec: fix rpm parser warnings

Drop requires on apparmor pattern, should be moved elsewhere for systems which want AppArmor instead of SELinux.

  • Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build.

Update to version 1.26.2:

  • buildah: add support for renaming a device in rootless setups

Update to version 1.26.1:

  • Make buildah build --label foo create an empty 'foo' label again
  • imagebuildah,build: move deepcopy of args before we spawn goroutine
  • Vendor in containers/storage v1.40.2
  • buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
  • help output: get more consistent about option usage text
  • Handle OS version and features flags
  • buildah build: --annotation and --label should remove values
  • buildah build: add a --env
  • buildah: deep copy options.Args before performing concurrent build/stage
  • test: inline platform and builtinargs behaviour
  • vendor: bump imagebuilder to master/009dbc6
  • build: automatically set correct TARGETPLATFORM where expected
  • Vendor in containers/(common, storage, image)
  • imagebuildah, executor: process arg variables while populating baseMap
  • buildkit: add support for custom build output with --output
  • Cirrus: Update CI VMs to F36
  • fix staticcheck linter warning for deprecated function
  • Fix docs build on FreeBSD
  • copier.unwrapError(): update for Go 1.16
  • copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
  • copier.Put(): write to read-only directories
  • Ed's periodic test cleanup
  • using consistent lowercase 'invalid' word in returned err msg
  • use etchosts package from c/common
  • run: set actual hostname in /etc/hostname to match docker parity
  • Update vendor of containers/(common,storage,image)
  • manifest-create: allow creating manifest list from local image
  • Update vendor of storage,common,image
  • Initialize network backend before first pull
  • oci spec: change special mount points for namespaces
  • tests/helpers.bash: assert handle corner cases correctly
  • buildah: actually use containers.conf settings
  • integration tests: learn to start a dummy registry
  • Fix error check to work on Podman
  • buildah build should accept at most one arg
  • tests: reduce concurrency for flaky bud-multiple-platform-no-run
  • vendor in latest containers/common,image,storage
  • manifest-add: allow override arch,variant while adding image
  • Remove a stray \ from .containerenv
  • Vendor in latest opencontainers/selinux v1.10.1
  • build, commit: allow removing default identity labels
  • Create shorter names for containers based on image IDs
  • test: skip rootless on cgroupv2 in root env
  • fix hang when oci runtime fails
  • Set permissions for GitHub actions
  • copier test: use correct UID/GID in test archives
  • run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM
References

Affected packages

SUSE:Linux Enterprise Module for Basesystem 15 SP3 / libgpg-error

Package

Name
libgpg-error
Purl
pkg:rpm/suse/libgpg-error&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.42-150300.9.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libgpg-error-devel": "1.42-150300.9.3.1",
            "libgpg-error0": "1.42-150300.9.3.1",
            "libgpg-error0-32bit": "1.42-150300.9.3.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Containers 15 SP3 / buildah

Package

Name
buildah
Purl
pkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.27.1-150300.8.11.1

Ecosystem specific

{
    "binaries": [
        {
            "buildah": "1.27.1-150300.8.11.1"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.1 / libgpg-error

Package

Name
libgpg-error
Purl
pkg:rpm/suse/libgpg-error&distro=SUSE%20Linux%20Enterprise%20Micro%205.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.42-150300.9.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libgpg-error0": "1.42-150300.9.3.1"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.2 / libgpg-error

Package

Name
libgpg-error
Purl
pkg:rpm/suse/libgpg-error&distro=SUSE%20Linux%20Enterprise%20Micro%205.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.42-150300.9.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libgpg-error0": "1.42-150300.9.3.1"
        }
    ]
}

openSUSE:Leap Micro 5.2 / libgpg-error

Package

Name
libgpg-error
Purl
pkg:rpm/opensuse/libgpg-error&distro=openSUSE%20Leap%20Micro%205.2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.42-150300.9.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libgpg-error0": "1.42-150300.9.3.1"
        }
    ]
}

openSUSE:Leap 15.3 / buildah

Package

Name
buildah
Purl
pkg:rpm/opensuse/buildah&distro=openSUSE%20Leap%2015.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.27.1-150300.8.11.1

Ecosystem specific

{
    "binaries": [
        {
            "libgpg-error-devel": "1.42-150300.9.3.1",
            "libgpg-error-devel-32bit": "1.42-150300.9.3.1",
            "buildah": "1.27.1-150300.8.11.1",
            "libgpg-error0-32bit": "1.42-150300.9.3.1",
            "libgpg-error0": "1.42-150300.9.3.1"
        }
    ]
}

openSUSE:Leap 15.3 / libgpg-error

Package

Name
libgpg-error
Purl
pkg:rpm/opensuse/libgpg-error&distro=openSUSE%20Leap%2015.3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.42-150300.9.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libgpg-error-devel": "1.42-150300.9.3.1",
            "libgpg-error-devel-32bit": "1.42-150300.9.3.1",
            "buildah": "1.27.1-150300.8.11.1",
            "libgpg-error0-32bit": "1.42-150300.9.3.1",
            "libgpg-error0": "1.42-150300.9.3.1"
        }
    ]
}