CVE-2024-9675

NameCVE-2024-9675
DescriptionA vulnerability was found in Buildah. Cache mounts do not properly validate that user-specified paths for the cache are within our cache directory, allowing a `RUN` instruction in a Container file to mount an arbitrary directory from the host (read/write) into the container as long as those files can be accessed by the user running Buildah.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1084980

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
golang-github-containers-buildah (PTS)bullseye1.19.6+dfsg1-1vulnerable
bookworm1.28.2+ds1-3vulnerable
sid, trixie1.38.0+ds1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-containers-buildahsource(unstable)1.37.4+ds1-11084980

Notes

[bookworm] - golang-github-containers-buildah <no-dsa> (Minor issue)
[bullseye] - golang-github-containers-buildah <postponed> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2317458
https://github.com/containers/buildah/pull/5780
Search for package or bug name: Reporting problems