buildah-1.33.7-2.el9_4

エラータID: AXSA:2024-8286:05

Release date: 
Monday, June 17, 2024 - 15:43
Subject: 
buildah-1.33.7-2.el9_4
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
Moderate
Description: 

The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a Dockerfile; Build both Docker and OCI images.

Security Fix(es):

* golang: net/[http:](http:) memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290)
* jose-go: improper handling of highly compressed data (CVE-2024-28180)
* buildah: jose: resource exhaustion (CVE-2024-28176)

CVE-2023-45290
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
CVE-2024-28176
jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
CVE-2024-28180
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.

Solution: 

Update packages.

CVEs: 
CVE-2023-45290
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines.
CVE-2024-28176
jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. A vulnerability has been identified in the JSON Web Encryption (JWE) decryption interfaces, specifically related to the support for decompressing plaintext after its decryption. Under certain conditions it is possible to have the user's environment consume unreasonable amount of CPU time or memory during JWE Decryption operations. This issue has been patched in versions 2.0.7 and 4.15.5.
CVE-2024-28180
Package jose aims to provide an implementation of the Javascript Object Signing and Encryption set of standards. An attacker could send a JWE containing compressed data that used large amounts of memory and CPU when decompressed by Decrypt or DecryptMulti. Those functions now return an error if the decompressed data would exceed 250kB or 10x the compressed size (whichever is larger). This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
Additional Info: 

N/A

Download: 

SRPMS
  1. buildah-1.33.7-2.el9_4.src.rpm
    MD5: 373e18b7b1a3065734051a6249514a75
    SHA-256: 3a052d6d6458ed9a1d1a32795b2bbd3b9711da7a7b7f65004981c2b308490b66
    Size: 17.46 MB

Asianux Server 9 for x86_64
  1. buildah-1.33.7-2.el9_4.x86_64.rpm
    MD5: c2c30ac4fe3649cc2c6e49ff0477682c
    SHA-256: 105e0526ed5cb70ab9e3957dcf23af2b71c29d3b0cf8dc5606c1333d3077b89f
    Size: 9.42 MB
  2. buildah-tests-1.33.7-2.el9_4.x86_64.rpm
    MD5: f48c99941b9eae769518d9739817f2e9
    SHA-256: 3b1084b392d3815d2125640c7363d1695228a8713ea1130609870368d1cbb910
    Size: 30.29 MB