buildah-1.33.9-1.el9_4
Errata ID: AXSA:2024-8904:08
The buildah package provides a tool for building OCI container images. Among other things, buildah enables you to: create a working container, either from scratch or using an image as a starting point; create an image, either from a working container or from the instructions in a Dockerfile; build both Docker and OCI images.
Security Fix(es):
* go/parser: golang: Calling any of the Parse functions on Go source code that contains deeply nested literals can cause a panic due to stack exhaustion (CVE-2024-34155)
* encoding/gob: golang: Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion (CVE-2024-34156)
* go/build/constraint: golang: Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion (CVE-2024-34158)
* Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library (CVE-2024-9341)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2024-34155
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.
CVE-2024-34156
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
CVE-2024-34158
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
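The three Go CVEs above share one failure mode: a recursive-descent parser with no nesting bound walks attacker-controlled input until the goroutine stack is exhausted, and in Go a stack overflow is a fatal runtime error that recover() cannot catch, so the process dies. The upstream fixes add a nesting counter to the affected parsers and return an error once it passes a limit. The following is an added example, not code from Go, buildah or this errata: a small parser for nested list literals with the same kind of guard, fed a constructed input that is one level deeper than the budget. The grammar, the MaxNestLevel value and all function names are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrTooDeep is returned instead of letting the recursion run until the
// goroutine stack is exhausted (a fatal, unrecoverable error in Go).
var ErrTooDeep = errors.New("exceeded max nesting depth")

// MaxNestLevel is the recursion budget; the value is an assumption of this example.
const MaxNestLevel = 10000

// Value is a parsed node: either an integer or a (possibly empty) list.
type Value struct {
	Int    int
	List   []Value
	IsList bool
}

type parser struct {
	src   string
	pos   int
	depth int // current recursion depth of parseValue
}

// Parse parses a nested list literal such as "[1,[2,[3]]]".
func Parse(src string) (Value, error) {
	p := &parser{src: src}
	v, err := p.parseValue()
	if err != nil {
		return Value{}, err
	}
	p.skipSpace()
	if p.pos != len(p.src) {
		return Value{}, fmt.Errorf("trailing input at offset %d", p.pos)
	}
	return v, nil
}

func (p *parser) skipSpace() {
	for p.pos < len(p.src) && p.src[p.pos] == ' ' {
		p.pos++
	}
}

func (p *parser) parseValue() (Value, error) {
	// Nesting guard: each recursive entry spends one unit of budget and returns
	// it on exit, so the check bounds the maximum stack depth regardless of input.
	p.depth++
	defer func() { p.depth-- }()
	if p.depth > MaxNestLevel {
		return Value{}, ErrTooDeep
	}
	p.skipSpace()
	if p.pos >= len(p.src) {
		return Value{}, errors.New("unexpected end of input")
	}
	if p.src[p.pos] != '[' {
		return p.parseInt()
	}
	p.pos++ // consume '['
	v := Value{IsList: true}
	for {
		p.skipSpace()
		if p.pos < len(p.src) && p.src[p.pos] == ']' && len(v.List) == 0 {
			p.pos++
			return v, nil // empty list
		}
		elem, err := p.parseValue()
		if err != nil {
			return Value{}, err
		}
		v.List = append(v.List, elem)
		p.skipSpace()
		if p.pos >= len(p.src) {
			return Value{}, errors.New("unterminated list")
		}
		switch p.src[p.pos] {
		case ',':
			p.pos++
		case ']':
			p.pos++
			return v, nil
		default:
			return Value{}, fmt.Errorf("unexpected %q at offset %d", p.src[p.pos], p.pos)
		}
	}
}

func (p *parser) parseInt() (Value, error) {
	start := p.pos
	for p.pos < len(p.src) && p.src[p.pos] >= '0' && p.src[p.pos] <= '9' {
		p.pos++
	}
	if start == p.pos {
		return Value{}, fmt.Errorf("unexpected %q at offset %d", p.src[p.pos], p.pos)
	}
	n, err := strconv.Atoi(p.src[start:p.pos]) // rejects overflow instead of wrapping
	if err != nil {
		return Value{}, err
	}
	return Value{Int: n}, nil
}

// Depth reports the nesting depth of a parsed value: 0 for a bare integer,
// 1 for a flat list, and so on. It only ever walks trees Parse has bounded.
func Depth(v Value) int {
	if !v.IsList {
		return 0
	}
	d := 0
	for _, e := range v.List {
		if ed := Depth(e); ed > d {
			d = ed
		}
	}
	return d + 1
}

func main() {
	v, err := Parse("[1, [2, [3, 4]], []]")
	fmt.Println(Depth(v), err) // 3 <nil>

	// Constructed hostile input: one more opening bracket than the budget allows.
	hostile := strings.Repeat("[", MaxNestLevel+1) + "1" + strings.Repeat("]", MaxNestLevel+1)
	_, err = Parse(hostile)
	fmt.Println(errors.Is(err, ErrTooDeep)) // true
}
```

The counter is incremented on entry and decremented on exit of the one function that recurses, so sibling elements do not accumulate cost; only true nesting does. The same shape of guard applies to any decoder that recurses on input structure, which is why the advisory's three Go fixes look alike.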
CVE-2024-9341
A flaw was found in the containers/common Go library used by Podman, Buildah and CRI-O. When FIPS mode is enabled on the host, container runtimes may incorrectly handle certain file paths because the library does not properly validate them. This flaw allows an attacker to use symbolic links to trick the runtime into mounting sensitive host directories inside a container, giving access to critical host files and bypassing the intended isolation between the container and the host system.
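The containers/common issue comes down to resolving a path inside the container's root filesystem (the in-container destination for the FIPS crypto-policy directory) with the host's view of symlinks, so a symlink the attacker plants in that filesystem redirects the mount onto the host. The defensive technique is to resolve the destination component by component relative to the container rootfs, splicing symlink targets back into the unresolved input and re-rooting absolute targets at the rootfs rather than at the host's "/", so the result can never leave the rootfs. The following is an added example, not code from containers/common, buildah or this errata: a reimplementation of that walk (the approach of the filepath-securejoin library) run against a throwaway rootfs constructed in the block, whose FIPS directory is a symlink to a directory outside the rootfs. Function names and the fixture layout are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrTooManySymlinks is returned when resolution keeps landing on symlinks
// (a link loop planted in the rootfs would otherwise spin forever).
var ErrTooManySymlinks = errors.New("too many symlinks while resolving path")

const maxSymlinkHops = 255

// SecureJoin resolves unsafePath as if root were "/": every symlink met on the
// way is re-read relative to root, and ".." can never climb above root. The
// returned host path is the one a runtime may safely use as a mount destination.
func SecureJoin(root, unsafePath string) (string, error) {
	root, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	resolved := "/" // path resolved so far, relative to root, always clean
	remaining := unsafePath
	hops := 0
	for remaining != "" {
		var part string
		if i := strings.IndexByte(remaining, '/'); i == -1 {
			part, remaining = remaining, ""
		} else {
			part, remaining = remaining[:i], remaining[i+1:]
		}
		switch part {
		case "", ".":
			continue
		case "..":
			resolved = filepath.Dir(resolved) // Dir("/") == "/", so this cannot escape
			continue
		}
		next := filepath.Join(resolved, part)
		fi, err := os.Lstat(filepath.Join(root, next))
		if err != nil && !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		if err != nil || fi.Mode()&os.ModeSymlink == 0 {
			resolved = next // regular file, directory, or not-yet-existing component
			continue
		}
		// Symlink: splice its target back into the unresolved input instead of
		// letting the kernel follow it with the host's root.
		hops++
		if hops > maxSymlinkHops {
			return "", ErrTooManySymlinks
		}
		dest, err := os.Readlink(filepath.Join(root, next))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(dest) {
			resolved = "/" // absolute target restarts at the container root, not the host root
		}
		remaining = dest + "/" + remaining
	}
	return filepath.Join(root, resolved), nil
}

// BuildFixture lays out a throwaway container rootfs whose FIPS crypto-policy
// directory is a symlink to an absolute path outside the rootfs (constructed
// input standing in for a hostile image). It returns the rootfs and the
// outside directory the link points at; remove filepath.Dir(root) when done.
func BuildFixture() (root, outside string, err error) {
	base, err := os.MkdirTemp("", "securejoin-demo")
	if err != nil {
		return "", "", err
	}
	if base, err = filepath.Abs(base); err != nil {
		return "", "", err
	}
	root = filepath.Join(base, "rootfs")
	outside = filepath.Join(base, "host-secrets")
	backends := filepath.Join(root, "etc", "crypto-policies", "back-ends")
	for _, d := range []string{backends, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", "", err
		}
	}
	// The attacker-controlled link: /etc/crypto-policies/back-ends/FIPS -> <outside>
	if err := os.Symlink(outside, filepath.Join(backends, "FIPS")); err != nil {
		return "", "", err
	}
	return root, outside, nil
}

func main() {
	root, _, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(filepath.Dir(root))
	const fipsDir = "/etc/crypto-policies/back-ends/FIPS"
	naive, _ := filepath.EvalSymlinks(filepath.Join(root, fipsDir)) // follows the link onto the host
	safe, err := SecureJoin(root, fipsDir)
	if err != nil {
		panic(err)
	}
	fmt.Println("naive :", naive) // the outside directory: escaped the rootfs
	fmt.Println("secure:", safe)  // <root>/<outside>: still under the rootfs
}
```

Two properties matter for a mount destination: the result always has the rootfs as a prefix, and a component that does not exist yet is kept rather than rejected, since the runtime may create it. Lstat, not Stat, is used on every component so that the code, not the kernel, decides what a symlink means.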
Update packages.
SRPMS
- buildah-1.33.9-1.el9_4.src.rpm
MD5: 9180b74afcf755089de426866bf0d8d5
SHA-256: 20cc465e0dcd01bd1d8a38474690391ea0f0d76b2905c9902be56271760e4971
Size: 17.47 MB
Asianux Server 9 for x86_64
- buildah-1.33.9-1.el9_4.x86_64.rpm
MD5: e5fc96e031f8d35259756db615845ab0
SHA-256: 3abd23368b8e21018fc4a025ba728b34c507babf70e2b10bae46cc7db42f63c3
Size: 9.41 MB
- buildah-tests-1.33.9-1.el9_4.x86_64.rpm
MD5: 8070faaf421d9db2e4868a1976010a3f
SHA-256: 3e616739ea93f08ae672a96d05ebe38ff416838158ed99d667662c4ed9003f08
Size: 30.29 MB