podman-4.9.4-16.el9_4
Errata ID: AXSA:2024-8979:10
The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods are a concept from Kubernetes.
Security Fix(es):
* Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction (CVE-2024-9407)
* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)
* Podman: Buildah: CRI-O: symlink traversal vulnerability in the containers/storage library can cause Denial of Service (DoS) (CVE-2024-9676)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2024-9407
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.
CVE-2024-9675
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within the cache directory, allowing a `RUN` instruction in a Containerfile to mount an arbitrary directory from the host (read/write) into the container, as long as those files can be accessed by the user running Buildah.
CVE-2024-9676
A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.
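The two missing checks described for CVE-2024-9675 and CVE-2024-9676 (keeping a user-supplied cache path inside the cache root, and refusing to read a symlinked /etc/passwd from an image rootfs), shown as an added Go illustration that is not Buildah's or containers/storage's own code; the function names and paths are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// containedPath anchors a user-supplied cache path (as in RUN --mount=type=cache)
// at cacheRoot, resolves symlinks on both sides, and rejects any result that
// lands outside the cache root. Assumed names; not the Buildah implementation.
func containedPath(cacheRoot, userPath string) (string, error) {
	root, err := filepath.EvalSymlinks(cacheRoot)
	if err != nil {
		return "", err
	}
	// Join first so "../../etc" and "/etc" alike are interpreted relative to root.
	resolved, err := filepath.EvalSymlinks(filepath.Join(root, userPath))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("cache path %q escapes %q", userPath, cacheRoot)
	}
	return resolved, nil
}

// readRegularFile reads a file from an image rootfs only if it is a regular
// file: symlinks (the CVE-2024-9676 vector) and device nodes are refused.
func readRegularFile(path string) ([]byte, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	if fi.Mode()&os.ModeSymlink != 0 {
		return nil, errors.New("refusing to follow symlink: " + path)
	}
	if !fi.Mode().IsRegular() {
		return nil, errors.New("not a regular file: " + path)
	}
	return os.ReadFile(path)
}

func main() {
	// Constructed example: a "../" that leaves the cache root is rejected.
	_, err := containedPath(os.TempDir(), "../../etc")
	fmt.Println("escape rejected:", err != nil)
}
```

The Lstat-then-read sequence is not atomic; on Linux, opening with O_NOFOLLOW closes that window, and a size cap on the read is a cheap guard against the OOM condition the advisory describes.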
Update packages.
N/A
SRPMS
- podman-4.9.4-16.el9_4.src.rpm
MD5: 311ee6790485c1e5e1913f46592c16f5
SHA-256: 2520893d5db3577ca3be8fb483a58cbaa2f2d9fea4a6458bf61a253a89ac35f1
Size: 22.76 MB
Asianux Server 9 for x86_64
- podman-4.9.4-16.el9_4.x86_64.rpm
MD5: 57f89903c0ab3f649b456e9f9831d298
SHA-256: 2d1574b4a30b665308875c090159e0cacb62865ce5f15944f61074acf5c6be33
Size: 15.56 MB
- podman-docker-4.9.4-16.el9_4.noarch.rpm
MD5: e13a05eaec173f083147296b7321e672
SHA-256: 6a6b10781c563b46fb806c5e4daf9156aebd6e3c605d3a915995bfec8571a7e8
Size: 106.39 kB
- podman-plugins-4.9.4-16.el9_4.x86_64.rpm
MD5: 548db912bbaafafe1be543153c5b6d78
SHA-256: 6fc014623329d409ece22c808183f5fbe021e3b488510da97f6357819126ff0d
Size: 1.28 MB
- podman-remote-4.9.4-16.el9_4.x86_64.rpm
MD5: cf22de916a23df629d2bd88a883a6dbe
SHA-256: d21d589231577bcc288b90d2afaeca97fde1f9baa56aef2a7259198e3c978c44
Size: 10.25 MB
- podman-tests-4.9.4-16.el9_4.x86_64.rpm
MD5: 9534c1cbab03a6fd0306874d06c749ed
SHA-256: e7e54d4ec26725e2a97efb8a1ba90ab5a36b73dbff296f4acb19cb08317887f0
Size: 211.12 kB