container-tools:rhel8 security update

エラータID: AXSA:2024-9011:01

Release date: 
Friday, November 15, 2024 - 17:11
Subject: 
container-tools:rhel8 security update
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.

Security Fix(es):

* Podman: Buildah: cri-o: FIPS Crypto-Policy Directory Mounting Issue in containers/common Go Library (CVE-2024-9341)
* Buildah: Podman: Improper Input Validation in bind-propagation Option of Dockerfile RUN --mount Instruction (CVE-2024-9407)
* buildah: Buildah allows arbitrary directory mount (CVE-2024-9675)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-9341
A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.
CVE-2024-9407
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.
CVE-2024-9675
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.

Modularity name: "container-tools"
Stream name: "rhel8"

Solution: 

Update packages.

CVEs: 
CVE-2024-9341
A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.
CVE-2024-9407
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.
CVE-2024-9675
A vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.
Additional Info: 

N/A

Download: 

SRPMS
  1. aardvark-dns-1.10.1-2.module+el8+1821+57fa74ff.src.rpm
    MD5: 9fc358f8e754ad740f08ed95d876a051
    SHA-256: 4f18f82816e46746fc00f48a9dce28f1450947f8625fea3a4670d07e349d0093
    Size: 6.14 MB
  2. buildah-1.33.10-1.module+el8+1821+57fa74ff.src.rpm
    MD5: 8fffe06ac368ae9d68f8669802372cd9
    SHA-256: 4c42f04ff392731684cff5fbbdf3c3bdb0f670b6c47ca476402653c0ca8465bb
    Size: 17.48 MB
  3. cockpit-podman-84.1-1.module+el8+1821+57fa74ff.src.rpm
    MD5: 3d1cbab7043d2d0d49620516f863b88b
    SHA-256: b07210983e9ac7212877edc63f575afff33043dc1879f7b2e5cc8590ea6c35d6
    Size: 1.27 MB
  4. conmon-2.1.10-1.module+el8+1821+57fa74ff.src.rpm
    MD5: a0c9bb4e805a52faa1e9138cde6830d7
    SHA-256: 49096742f067a2fbe52518b9f20f58adc912354021413295d6de4ff96638966b
    Size: 133.59 kB
  5. containernetworking-plugins-1.4.0-5.module+el8+1821+57fa74ff.src.rpm
    MD5: 2bc30b0681a94171fc8b4489702a9a4e
    SHA-256: fbd39807064afb0a2b65bef90ce43ca6f85b7aae53677d7bf93fe6c07831695c
    Size: 3.62 MB
  6. containers-common-1-82.module+el8+1821+57fa74ff.src.rpm
    MD5: 2052036c009102c0043984bce84dd33d
    SHA-256: 0e0e21bbfec64b6e7f92e2600cd81cc9e145bf83e3ba0b5edac82511f08ba10c
    Size: 145.63 kB
  7. container-selinux-2.229.0-2.module+el8+1821+57fa74ff.src.rpm
    MD5: 585c6fb119a3b71c2dcdfc75bd0d5ea3
    SHA-256: 3602f09bb21615ec7337cc804bce04243a37941271489790b087ebf98afde055
    Size: 65.58 kB
  8. criu-3.18-5.module+el8+1821+57fa74ff.src.rpm
    MD5: 2c70f9febf19767827a6c98c1bfdc30b
    SHA-256: 456d3103d6196e791fcd03f582df4c120b69887ce64361ec8211862909200290
    Size: 1.32 MB
  9. crun-1.14.3-2.module+el8+1821+57fa74ff.src.rpm
    MD5: 44c4fe7f5b3a5ff67748c7adc4472e27
    SHA-256: 5c565aae3cad883a150c5c113e0b88e11589b7b302050ce659f4815641299e6a
    Size: 1.68 MB
  10. fuse-overlayfs-1.13-1.module+el8+1821+57fa74ff.src.rpm
    MD5: 8cdfbbbdb9dc552abff1e0716ca2cef0
    SHA-256: 23e3a2178ff20917abfb0a646cdce51b384ae5288cc4e3ea4776edb5b5d18a43
    Size: 112.28 kB
  11. libslirp-4.4.0-2.module+el8+1821+57fa74ff.src.rpm
    MD5: 5bacf676daccc3ccd3abefa88d96f01e
    SHA-256: f74410537697c870cd11d72d8da126d4cf7ade03195ee11a0436f41c237c907a
    Size: 114.97 kB
  12. netavark-1.10.3-1.module+el8+1821+57fa74ff.src.rpm
    MD5: 613c6471f5784a2748f64bd0fe232344
    SHA-256: d59c9d0915304196b6081b955c7dc19d41b65b8e0aae02874f67906a91c401a6
    Size: 15.51 MB
  13. oci-seccomp-bpf-hook-1.2.10-1.module+el8+1821+57fa74ff.src.rpm
    MD5: 8f2983255309889623f49b0c113f1438
    SHA-256: 5318918ed2db736d0888bb87c0342df17badf9f15cc562708c094fe3f6f8629b
    Size: 1.43 MB
  14. podman-4.9.4-15.module+el8+1821+57fa74ff.src.rpm
    MD5: 3a0cca20857dbaa46de1ea52f927d1dd
    SHA-256: 459ead1aecd9eb6bd25a435affaf2a46a2dff7795b023f20d9b1747e49ad29b6
    Size: 32.58 MB
  15. python-podman-4.9.0-2.module+el8+1821+57fa74ff.src.rpm
    MD5: 9d77f4933bc4b08fb51f1052047045ae
    SHA-256: 97abad1a6d6e8594e98cc2c7631d3be7791e45f7731f71e42113f48700b46ce1
    Size: 188.06 kB
  16. runc-1.1.12-5.module+el8+1821+57fa74ff.src.rpm
    MD5: 7dca76ab44f4d782ef931d4f1bc919d4
    SHA-256: ab9258607daef87b1103f9cf5d69569d0d59379f9ca0b0c161015840a4059b97
    Size: 2.38 MB
  17. skopeo-1.14.5-3.module+el8+1821+57fa74ff.src.rpm
    MD5: 1e507b1a3aee0569d31dcc110df5041a
    SHA-256: d1514fdd6c1d442a2bd95349c64a7c1b96f009c72468800ea5dcc94bf1138c55
    Size: 10.00 MB
  18. slirp4netns-1.2.3-1.module+el8+1821+57fa74ff.src.rpm
    MD5: a832d7042ad0474c3ae7a3877ce8a8a1
    SHA-256: 44257784693f8e9d8e498f115d33b95b94c0bc761410005f80fa0b24c8a4e82c
    Size: 76.05 kB
  19. toolbox-0.0.99.5-2.module+el8+1821+57fa74ff.src.rpm
    MD5: 68d8df752b2623784dbc15cd51824aeb
    SHA-256: e1418dfd5cd91100a452869382a76e5069937504c3543f16fb9c29a8cff85b83
    Size: 1.10 MB
  20. udica-0.2.6-21.module+el8+1821+57fa74ff.src.rpm
    MD5: e1bd091c01cc6234ad6f45f0a402115c
    SHA-256: 262a0778bf783317bd17e4984be9b2af2980a1a26f449eaca1e848bc23426b14
    Size: 134.32 kB

Asianux Server 8 for x86_64
  1. aardvark-dns-1.10.1-2.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 97aff74fffdc45ea55e966df4da72c71
    SHA-256: 4f2c2fb6cde6fb658d8c8e930bf871a21a52258e948cea37500de3fdef25a4f5
    Size: 974.19 kB
  2. buildah-1.33.10-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 9755d855e8d35235e165a971df63a3f1
    SHA-256: eb473a861b06fea911cab1f0f77459d3add7fea1aacea7c8c4ebd3dd1196377d
    Size: 9.66 MB
  3. buildah-debugsource-1.33.10-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 977708942b397915d8210f2f35623657
    SHA-256: 2290e38b172891d655b891a9f0fb33855efcf49731d53ee4bc5542b1dd2cc5f6
    Size: 6.12 MB
  4. buildah-tests-1.33.10-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: f1712d3010eb6a6e88606d1e0ec34d2d
    SHA-256: 4f6896440f8f721df4d2bafb87c9a50cb5ac0634ca579418a3accb5fc33a3d38
    Size: 30.62 MB
  5. cockpit-podman-84.1-1.module+el8+1821+57fa74ff.noarch.rpm
    MD5: f86b28a501eb4d606c74266b5b630ad2
    SHA-256: 53953e68775e7d79806373a148a5c2f20d3ffe37a5ef978673be2b718c34be26
    Size: 682.92 kB
  6. conmon-2.1.10-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: b17d3b81f5d01d49bc7db09cfc607c59
    SHA-256: a812fc43ff8295f5f352ef80b18e1a70870b0c5adbc437615a1fadad94ff6a15
    Size: 56.83 kB
  7. conmon-debugsource-2.1.10-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 59fa91903d3cdc4f6970b05b77f2200d
    SHA-256: e0ba63239c42582b3ca78023038486ab3357c5eaae9287910984090e50d228f7
    Size: 50.46 kB
  8. containernetworking-plugins-1.4.0-5.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 411e8977068525ab35013fc6523429c0
    SHA-256: 3a01273a13b0f72c1853be66e8ffd9223fa0255abca4542745234ba2cba74fcc
    Size: 22.03 MB
  9. containernetworking-plugins-debugsource-1.4.0-5.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 4927bd638e4b304f37ab3a66cc351acc
    SHA-256: 11094e86c838cf937d4e7342df9eb022d1062961e95969985b7ceab8d900081e
    Size: 429.96 kB
  10. containers-common-1-82.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: c5223c350303847cfdb02022388b082c
    SHA-256: 837622b47e7fbca01994a9a6e68c29487e59080149a05623d5906230544730cc
    Size: 142.03 kB
  11. container-selinux-2.229.0-2.module+el8+1821+57fa74ff.noarch.rpm
    MD5: 5717e491de8ae534f4c65bdff22b24a8
    SHA-256: 4167ea7ec20a2743a279be5c657bcaad0b836e957e3b0ef3c309015801925f40
    Size: 69.43 kB
  12. crit-3.18-5.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 7ce5e8b901055d3d3c6c17edf4ee6087
    SHA-256: 1fd9a7553cd6b9477010da47a7811ad089a5896e383efe121627375adcd919a5
    Size: 22.10 kB
  13. criu-3.18-5.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 848ddbda4a71632089315679a64d44a6
    SHA-256: ee0a900b15f0279f195380bcab695d811d439d565e3dfa4574e08b28dd49fc8f
    Size: 563.12 kB
  14. criu-debugsource-3.18-5.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: a201025ee83c7fd10a395660c04c54ab
    SHA-256: 2f2ed5546d8b9353c8b6083434578423d6ed908ca6a4513964452d3446627e81
    Size: 729.77 kB
  15. criu-devel-3.18-5.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 171ccec5e79b671c50bfcb9a7791a9be
    SHA-256: 81846e9c14f6a0c0754177f027006c218e546fc2346e5137243061e7c3ebda1c
    Size: 28.23 kB
  16. criu-libs-3.18-5.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 9b139e1bc65896be8fa7d683ff0578a3
    SHA-256: 73fcdfdd9c55d5f9a2e883dd4f3606313f4ae533918da7915c3a3a68bd013bab
    Size: 38.15 kB
  17. crun-1.14.3-2.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 8113c19e5b66bd90df3a79978296162b
    SHA-256: 370f2bf676c7c4373a3209d38f26cd2dcfb731a07be37929752291e761a8ca40
    Size: 256.52 kB
  18. crun-debugsource-1.14.3-2.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 3b61d4a52d8e625370bc09da9fce7536
    SHA-256: 44e9e79f116c145b7e7a90de36b7c685364534794ec94257a57f98599f8bdcfb
    Size: 204.14 kB
  19. fuse-overlayfs-1.13-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 4e69e0f06dfafbc5e0403c615344e698
    SHA-256: 7703436bdb12e837e2cab93085d9306c00a53bf71f4bbfe650870ef19cc4dba1
    Size: 68.73 kB
  20. fuse-overlayfs-debugsource-1.13-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 7a5ca0068275a8e3ca86bcfd614d4867
    SHA-256: 4bcfc0467280be65a169f53b67962c1cdfe1770afd6a517b73bec16ca353bcc6
    Size: 55.61 kB
  21. libslirp-4.4.0-2.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 7562aed5bc1edc0a3a5822af6f77f914
    SHA-256: 19eb631cc7043d050cd70801983801a31650844877adfe45d90ec265212fdb93
    Size: 69.28 kB
  22. libslirp-debugsource-4.4.0-2.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: a99d6080cc0a8d340b6db9fb1e536380
    SHA-256: f69b453b05a1a1d582d8dda3c383c831f43e7086f888a59d0074fbaae0ca8485
    Size: 114.54 kB
  23. libslirp-devel-4.4.0-2.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 7a2c5e8496bfb9e1e6982244e126dfc5
    SHA-256: 8558563906327ee020c1bc101826d8d6a7d2efb7959eac6674824c8009eea5a6
    Size: 11.41 kB
  24. netavark-1.10.3-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: e73ce853c7b5f9d3af72e151e0881220
    SHA-256: 970c3643eb7b61351d1e90e20426576b6f31498ee78f741f341dee414d74a215
    Size: 4.11 MB
  25. oci-seccomp-bpf-hook-1.2.10-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: a001147e66320b403e191ebcb8b2089a
    SHA-256: 40bd4f1448e9337311a43ecc32380044105f31c630f988774f22fc6fdf7694e1
    Size: 1.13 MB
  26. oci-seccomp-bpf-hook-debugsource-1.2.10-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 1b7ea0b6f52077243fd57f9606eafa88
    SHA-256: 3833e18e970a20f7a6d04aa756ab0c5c8869958807e5f4e233bdcbc44d959426
    Size: 247.94 kB
  27. podman-4.9.4-15.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: b2db998a2231f8cbbf392c717dc8a7b6
    SHA-256: 6e3ff2defee45fd5f67ae6e636d5c1276dc149e127abf36abb71433891f7a35e
    Size: 16.08 MB
  28. podman-catatonit-4.9.4-15.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 530ef9126f01ddcdd59bc4e1c079b7ef
    SHA-256: fed413702965da868a6336deb29a61ab765f6e3d74e3854b6e3f9d8a0c9004e8
    Size: 373.64 kB
  29. podman-debugsource-4.9.4-15.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: b4ba1a2244b8814b52a692e41a3851c6
    SHA-256: 071483164e8fbfb0f0d9c23470ca054db53af1ff74c8dc24c6f18062a831e75a
    Size: 9.33 MB
  30. podman-docker-4.9.4-15.module+el8+1821+57fa74ff.noarch.rpm
    MD5: fad85cccc227f356a9a4a2ec73ae3299
    SHA-256: 725bc5a9bd276a0bfdf10df84179ca63b7217c1c9cdf61861eb8f7bc11ddf75c
    Size: 114.37 kB
  31. podman-gvproxy-4.9.4-15.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 6813992a4e53a344b8c86e2363efeb74
    SHA-256: b00da2fa51c665dbd00dc5344a6b5a04bd7d21ee07b365f11cc70ce3c4d77642
    Size: 3.86 MB
  32. podman-plugins-4.9.4-15.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: b30958dfab91725445fdead22734ebc5
    SHA-256: 508f9acbdc2d2f2392be8462197d95008c61adc3b0718cdbb1d7b935fbad22b3
    Size: 1.33 MB
  33. podman-remote-4.9.4-15.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 16c6bd4d08e354726d23bb2be325b0bb
    SHA-256: 24ab608537820dfe5ecd52893df9cf72300072abdd243a3ca24c0fa2200f367d
    Size: 10.48 MB
  34. podman-tests-4.9.4-15.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 7297d024b111601fc2cb8ef4d23e794a
    SHA-256: 183f46e783b506598d89b1fcb152fd453d782c3f6e41d6f49eafbdd574176d08
    Size: 266.17 kB
  35. python3-criu-3.18-5.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 80966be48f31e13c3536500beb433429
    SHA-256: a0cf2c7d1e2afeb70c843030fa6f9bbab22bec84beb0c1feb6a851843636fe41
    Size: 177.25 kB
  36. python3-podman-4.9.0-2.module+el8+1821+57fa74ff.noarch.rpm
    MD5: aee4a1c979759001cb61d15dedb4f40a
    SHA-256: 0913779bdab7cbbfdf6f7a83549199f86b6872c0b7e27a99fc0ee559ed68233c
    Size: 155.28 kB
  37. runc-1.1.12-5.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: e9d522e01e901276b1873bafa2faa90b
    SHA-256: 8a8dd4ee8eb7e24d62279be6ef9f2c32cb8788daf38a8d5f8118411319a84c57
    Size: 3.11 MB
  38. runc-debugsource-1.1.12-5.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 10ce0524d00f2343e61044dad70ab244
    SHA-256: d2c18e2069e982947c4e0234e6659eb3328fa498d6fa62bf71dbcf3391f14b66
    Size: 893.97 kB
  39. skopeo-1.14.5-3.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: a378310abd66bf4720446125586f2d10
    SHA-256: 5b45e780440e348ad535747dc70f8aa0ad9b3c991b413fcf24e67dc8ac31bba2
    Size: 8.82 MB
  40. skopeo-tests-1.14.5-3.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: f26c10b4dcc02578385b4eef2e8fdb58
    SHA-256: b25230a5c5ec9606cfc2b2f05d33869fd2016849bfe649171531097af9b2ac96
    Size: 785.40 kB
  41. slirp4netns-1.2.3-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 1dc5dbbdafdbc31b5dde4e4f08ef07ee
    SHA-256: 4ddefa767388247dfac20f4483d1144214f6aba3ea41aff647a9f050df449d02
    Size: 54.92 kB
  42. slirp4netns-debugsource-1.2.3-1.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 3eb22cac39c039927e26256646b91231
    SHA-256: b3c27c1669a60a96576265ae4ce069ee0401f8ca176c4699566e9ae3af6a9fb3
    Size: 43.73 kB
  43. toolbox-0.0.99.5-2.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 81bceba6078ac27c114ef3d2f84da536
    SHA-256: 2c7a6e7e4d6f6662d415c4904345786fab1215dde793a395411832c8354af30b
    Size: 2.52 MB
  44. toolbox-debugsource-0.0.99.5-2.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: 23fd1730a8ed702f700412be903e03f2
    SHA-256: 7095e330df342cedd126bcd31ea4c592736ca13ebf6c7a499eca3fb92b49a59e
    Size: 571.82 kB
  45. toolbox-tests-0.0.99.5-2.module+el8+1821+57fa74ff.x86_64.rpm
    MD5: e33cf45bf293a53381fe46f8c93e9ea3
    SHA-256: e92a91073cdb18e1b7694f1cb53241cacdcf81b068b5f27146149ab6930be4d2
    Size: 43.69 kB
  46. udica-0.2.6-21.module+el8+1821+57fa74ff.noarch.rpm
    MD5: dc6a9fe3eea105f61c31f666b440fc21
    SHA-256: de06e5ed4c9d668378dd5a45e42312f8e1d05cce8d1a53ed279f7eff46cb7503
    Size: 48.26 kB