[Bugs] [Bug 13221] New: buildah 1.22.3 cve-s found

bugzilla bugzilla at rosalinux.ru
Sun Apr 16 21:25:31 MSK 2023


https://bugzilla.rosalinux.ru/show_bug.cgi?id=13221

          Platform: 2021.1
            Bug ID: 13221
           Summary: buildah 1.22.3 cve-s found
    Classification: ROSA-based products
           Product: Certified ROSA distros
           Version: Chrome
          Hardware: All
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs at lists.rosalinux.ru
          Reporter: y.tumanov at rosalinux.ru
        QA Contact: bugs at lists.rosalinux.ru
  Target Milestone: ---
             Group: ROSA-plus-NTCIT

CVE-2022-27651  A flaw was found in buildah where containers were incorrectly
started with non-empty default permissions. A bug was found in Moby (Docker
Engine) where containers were incorrectly started with non-empty inheritable
Linux process capabilities, enabling an attacker with access to programs with
inheritable file capabilities to elevate those capabilities to the permitted
set when execve(2) runs. This has the potential to impact confidentiality and
integrity.
https://nvd.nist.gov/vuln/detail/CVE-2022-27651  MEDIUM

CVE-2022-2990   Incorrect handling of supplementary groups in the Buildah
container engine might lead to sensitive information disclosure or possible
data modification if an attacker has direct access to the affected container,
where supplementary groups are used to set access permissions, and is able to
execute binary code in that container.
https://nvd.nist.gov/vuln/detail/CVE-2022-2990  HIGH
