<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - buildah 1.22.3 cve-s found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13221">13221</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>buildah 1.22.3 cve-s found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>Certified ROSA distros
</td>
</tr>
<tr>
<th>Version</th>
<td>Chrome
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Group</th>
<td>ROSA-plus-NTCIT
</td>
</tr></table>
<p>
<div>
<pre>CVE-2022-27651 A flaw was found in buildah where containers were incorrectly
started with non-empty default permissions. A bug was found in Moby (Docker
Engine) where containers were incorrectly started with non-empty inheritable
Linux process capabilities, enabling an attacker with access to programs with
inheritable file capabilities to elevate those capabilities to the permitted
set when execve(2) runs. This has the potential to impact confidentiality and
integrity. <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-27651">https://nvd.nist.gov/vuln/detail/CVE-2022-27651</a> MEDIUM

CVE-2022-2990 An incorrect handling of the supplementary groups in the
Buildah container engine might lead to the sensitive information disclosure or
possible data modification if an attacker has direct access to the affected
container where supplementary groups are used to set access permissions and is
able to execute a binary code in that container.
<a href="https://nvd.nist.gov/vuln/detail/CVE-2022-2990">https://nvd.nist.gov/vuln/detail/CVE-2022-2990</a> HIGH</pre>
</div>
</p>
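<p>The CVE-2022-27651 text above describes the capability transition on execve(2). The following is an added illustration, not part of the bug report or of buildah: it applies the capabilities(7) transition rules to a constructed /proc/&lt;pid&gt;/status excerpt to show why a non-empty CapInh matters and how a defender can check for it. The status excerpt, the 0xa80425fb mask and the file-capability values are constructed sample input.</p>

```python
"""Added example for the CVE-2022-27651 mechanism: a non-empty inheritable
capability set (CapInh) in a container lets execve(2) of a binary carrying
inheritable file capabilities raise the permitted set. Bit numbers follow
linux/capability.h; the transition rules follow capabilities(7)."""
import re

CAP_NET_RAW = 13
CAP_SYS_ADMIN = 21
CAP_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 3: "CAP_FOWNER", 4: "CAP_FSETID",
             5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
             10: "CAP_NET_BIND_SERVICE", 13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT",
             21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP"}

def parse_status_caps(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} parsed from /proc/<pid>/status text."""
    caps = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        caps[m.group(1)] = int(m.group(2), 16)
    return caps

def caps_in_mask(mask):
    """List the capability numbers set in a 64-bit capability mask."""
    return [bit for bit in range(64) if mask >> bit & 1]

def permitted_after_execve(p_inh, p_bnd, p_amb, f_inh, f_prm):
    """New permitted set per capabilities(7):
    P'(perm) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(amb).
    A file that has file capabilities is 'privileged', so the ambient set is cleared."""
    new_amb = 0 if (f_inh or f_prm) else p_amb
    return (p_inh & f_inh) | (f_prm & p_bnd) | new_amb

def check_inheritable(status_text):
    """Defender check: name the capabilities a process would hand to any binary with
    matching inheritable file caps. An empty list is the expected post-fix state."""
    inh = parse_status_caps(status_text).get("CapInh", 0)
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in caps_in_mask(inh)]

# Constructed /proc/self/status excerpt for an unprivileged user in a container
# started before the fix: permitted/effective are empty, but CapInh still holds
# the engine's default mask 0xa80425fb (constructed sample value).
VULNERABLE_STATUS = """Name:\tsh
CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
FIXED_STATUS = VULNERABLE_STATUS.replace("CapInh:\t00000000a80425fb", "CapInh:\t0000000000000000")

if __name__ == "__main__":
    for label, text in (("before fix", VULNERABLE_STATUS), ("after fix", FIXED_STATUS)):
        c = parse_status_caps(text)
        # Binary with file caps "cap_net_raw+i": inheritable bit only, no permitted bits.
        gained = permitted_after_execve(c["CapInh"], c["CapBnd"], c["CapAmb"], 1 << CAP_NET_RAW, 0)
        print(label, "CapInh:", check_inheritable(text), "-> permitted after execve:", caps_in_mask(gained))
```

With the pre-fix status the binary ends up with CAP_NET_RAW in its permitted set; with CapInh cleared the same binary gains nothing, and a capability outside the bounding set (CAP_SYS_ADMIN here) is never gained in either case.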
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>