Fedora 41 update for buildah, containers-common, podman
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2024-9341 CVE-2024-9675 CVE-2024-9676 |
| CWE-ID | CWE-20 CWE-22 CWE-61 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Fedora Operating systems & Components / Operating system podman Operating systems & Components / Operating system package or component containers-common Operating systems & Components / Operating system package or component buildah Operating systems & Components / Operating system package or component |
| Vendor | Fedoraproject |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU98141
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-9341
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 41
podman: before 5.2.5-1.fc41
containers-common: before 0.60.4-4.fc41
buildah: before 1.37.5-1.fc41
CPE2.3- cpe:2.3:o:fedoraproject:fedora:41:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:podman:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:containers-common:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:buildah:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2024-5a61a2fa45
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Path traversal
EUVDB-ID: #VU98828
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-9675
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to input validation error when processing directory traversal sequences in cache mounts. A local user can execute a 'RUN' instruction in a Container file to mount an arbitrary directory from the host into the container as long as those files can be accessed by the user running Buildah.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsFedora: 41
podman: before 5.2.5-1.fc41
containers-common: before 0.60.4-4.fc41
buildah: before 1.37.5-1.fc41
CPE2.3- cpe:2.3:o:fedoraproject:fedora:41:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:podman:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:containers-common:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:buildah:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2024-5a61a2fa45
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) UNIX symbolic link following
EUVDB-ID: #VU98817
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-9676
CWE-ID:
CWE-61 - UNIX Symbolic Link (Symlink) Following
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a symlink following issue when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). A local user can create a symbolic link to an arbitrary file on the system, force the library to read it and perform a denial of service (DoS) attack.
Install updates from vendor's repository.
Vulnerable software versionsFedora: 41
podman: before 5.2.5-1.fc41
containers-common: before 0.60.4-4.fc41
buildah: before 1.37.5-1.fc41
CPE2.3- cpe:2.3:o:fedoraproject:fedora:41:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:podman:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:containers-common:*:*:*:*:*:fedora:*:*
- cpe:2.3:a:fedoraproject:buildah:*:*:*:*:*:fedora:*:*
https://bodhi.fedoraproject.org/updates/FEDORA-2024-5a61a2fa45
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
