Fluid Attacks Database

Description

A vulnerability was found in podman build and buildah. This issue occurs in a container breakout by using --jobs=2 and a race condition when building a malicious Containerfile. SELinux might mitigate it, but even with SELinux on, it still allows the enumeration of files and directories on the host.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	golang-github-containers-buildah	>=0 <1.38.1+ds1-1	1.38.1+ds1-1
debian 11	golang-github-containers-buildah	=1.19.6+dfsg1-1 \|\| =1.20.0+ds1-1 \|\| =1.20.1+ds1-1 \|\| =1.20.1+ds1-2 \|\| =1.21.0+ds1-2 \|\| =1.21.3+ds1-1 \|\| =1.22.3+ds1-1 \|\| =1.22.3+ds1-2 \|\| =1.23.1+ds1-1 \|\| =1.23.1+ds1-2 \|\| =1.23.1+ds1-3 \|\| =1.24.1+ds1-1 \|\| =1.26.1+ds1-1 \|\| =1.27.0+ds1-2 \|\| =1.27.0+ds1-3 \|\| =1.27.0+ds1-4 \|\| =1.27.0+ds1-5 \|\| =1.27.0+ds1-6 \|\| =1.28.0+ds1-1 \|\| =1.28.0+ds1-2 \|\| =1.28.0+ds1-3 \|\| =1.28.2+ds1-1 \|\| =1.28.2+ds1-2 \|\| =1.28.2+ds1-3 \|\| =1.29.0+ds1-1 \|\| =1.30.0+ds1-1 \|\| =1.30.0+ds1-2 \|\| =1.30.0+ds1-3 \|\| =1.31.2+ds1-1 \|\| =1.31.2+ds1-2 \|\| =1.31.2+ds1-3 \|\| =1.32.0+ds1-1 \|\| =1.32.0+ds1-2 \|\| =1.32.2+ds1-1 \|\| =1.33.1+ds1-1 \|\| =1.33.1+ds1-2 \|\| =1.33.3+ds1-1 \|\| =1.33.3+ds1-2 \|\| =1.33.5+ds1-3 \|\| =1.33.5+ds1-4 \|\| =1.33.7+ds1-1 \|\| =1.34.0+ds1-1 \|\| =1.34.0+ds1-2 \|\| =1.35.3+ds1-1 \|\| =1.35.3+ds1-2 \|\| =1.35.3+ds1-3 \|\| =1.37.0+ds1-1 \|\| =1.37.1+ds1-1 \|\| =1.37.1+ds1-2 \|\| =1.37.2+ds1-1 \|\| =1.37.2+ds1-2 \|\| =1.37.2+ds1-3 \|\| =1.37.3+ds1-1 \|\| =1.37.3+ds1-2 \|\| =1.37.3+ds1-3 \|\| =1.37.4+ds1-1 \|\| =1.37.5+ds1-1 \|\| =1.38.0+ds1-1 \|\| =1.38.0+ds1-2 \|\| =1.38.1+ds1-1 \|\| =1.39.0+ds1-1 \|\| =1.39.3+ds1-1 \|\| =1.41.4+ds1-1 \|\| =1.41.4+ds1-2 \|\| =1.41.4+ds1-3 \|\| =1.41.5+ds1-1 \|\| =1.41.5+ds1-2 \|\| =1.41.5+ds1-3 \|\| =1.41.5+ds1-4 \|\| =1.42.1+ds1-1 \|\| =1.42.1+ds1-2 \|\| =1.43.0+ds1-1 \|\| =1.43.0+ds1-2 \|\| =1.43.1+ds1-1	-
go	github.com/containers/buildah	>=1.38.0 <1.38.1 \|\| >=1.37.0 <1.37.6 \|\| >=1.35.0 <1.35.5 \|\| >=0 <1.33.12	1.38.1, 1.37.6, 1.35.5, 1.33.12
debian 12	golang-github-containers-buildah	=1.28.2+ds1-3 \|\| =1.28.2+ds1-3+deb12u1 \|\| =1.29.0+ds1-1 \|\| =1.30.0+ds1-1 \|\| =1.30.0+ds1-2 \|\| =1.30.0+ds1-3 \|\| =1.31.2+ds1-1 \|\| =1.31.2+ds1-2 \|\| =1.31.2+ds1-3 \|\| =1.32.0+ds1-1 \|\| =1.32.0+ds1-2 \|\| =1.32.2+ds1-1 \|\| =1.33.1+ds1-1 \|\| =1.33.1+ds1-2 \|\| =1.33.3+ds1-1 \|\| =1.33.3+ds1-2 \|\| =1.33.5+ds1-3 \|\| =1.33.5+ds1-4 \|\| =1.33.7+ds1-1 \|\| =1.34.0+ds1-1 \|\| =1.34.0+ds1-2 \|\| =1.35.3+ds1-1 \|\| =1.35.3+ds1-2 \|\| =1.35.3+ds1-3 \|\| =1.37.0+ds1-1 \|\| =1.37.1+ds1-1 \|\| =1.37.1+ds1-2 \|\| =1.37.2+ds1-1 \|\| =1.37.2+ds1-2 \|\| =1.37.2+ds1-3 \|\| =1.37.3+ds1-1 \|\| =1.37.3+ds1-2 \|\| =1.37.3+ds1-3 \|\| =1.37.4+ds1-1 \|\| =1.37.5+ds1-1 \|\| =1.38.0+ds1-1 \|\| =1.38.0+ds1-2 \|\| =1.38.1+ds1-1 \|\| =1.39.0+ds1-1 \|\| =1.39.3+ds1-1 \|\| =1.41.4+ds1-1 \|\| =1.41.4+ds1-2 \|\| =1.41.4+ds1-3 \|\| =1.41.5+ds1-1 \|\| =1.41.5+ds1-2 \|\| =1.41.5+ds1-3 \|\| =1.41.5+ds1-4 \|\| =1.42.1+ds1-1 \|\| =1.42.1+ds1-2 \|\| =1.43.0+ds1-1 \|\| =1.43.0+ds1-2 \|\| =1.43.1+ds1-1	-
debian 14	golang-github-containers-buildah	>=0 <1.38.1+ds1-1	1.38.1+ds1-1
rpm rhel9	buildah	<2:1.37.6-1.el9_5	2:1.37.6-1.el9_5
rpm rhel9.2	buildah	<1:1.29.5-1.el9_2	1:1.29.5-1.el9_2
rpm rhel9.4	buildah	<2:1.33.12-2.el9_4	2:1.33.12-2.el9_4
rpm rhel10	podman	-	-
rpm rhel9	podman	<4:5.2.2-13.el9_5	4:5.2.2-13.el9_5

1-10 of 12

References

1. https://github.com/containers/buildah/security/advisories/GHSA-5vpc-35f4-r8w62. https://github.com/containers/buildah/pull/59183. https://bugzilla.redhat.com/show_bug.cgi?id=23262314. https://issues.redhat.com/browse/RHEL-676165. https://issues.redhat.com/browse/RHEL-67618