[GO-2022-1008] Unauthorized file access in github.com/containers/buildah

Severity High
Affected Packages 1
Fixed Packages 1
CVEs 1

SGID programs executed in a container can access files that deny access to the
user's primary group (files whose group permission bits are more restrictive
than their "other" bits).

Consider a file which is owned by user u1 and group g1, permits user and other
read access, and does NOT permit group read access. This file is readable by u1
and all other users except for ones in group g1.

A program with the set-group-ID (SGID) bit set executes with its effective group
ID set to the group that owns the program file, rather than the caller's
primary group. The caller's supplementary group list is not changed by exec.

A user whose primary group is g1 and who executes an SGID program owned by
group g2 should still be unable to read the file described above. The program
runs with effective group g2, but g1 should remain in the process's
supplementary groups, so the kernel keeps applying the file's group permission
bits (which deny read) instead of falling through to the "other" bits.

Buildah does not correctly add g1 to the supplementary groups of the container
process in this scenario. Once the SGID program has switched its effective
group to g2, no group in the process's group set matches g1, the permission
check falls through to the "other" bits, and the file becomes readable,
permitting unauthorized access.
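The following Go program is an added illustration and is not buildah's code or part of the advisory. It models the POSIX access-class check and the two credential transitions the advisory describes: the runtime creating the container process (with or without the primary group in the supplementary list) and an SGID exec. The uid/gid values, the `secret` file and the function names are constructed for the example.

```go
package main

import "fmt"

// Creds models the process credentials the kernel consults for file access:
// the effective group ID (changed by a set-group-ID exec) and the
// supplementary group list (set with setgroups(2) when the container process
// is created, and untouched by exec).
type Creds struct {
	Uid    uint32
	Egid   uint32
	Groups []uint32
}

// File carries the owner, group and POSIX permission bits of a file.
type File struct {
	Uid  uint32
	Gid  uint32
	Mode uint32
}

const (
	readUser  = 0o400
	readGroup = 0o040
	readOther = 0o004
)

// inGroupSet reports whether gid is the effective group or one of the
// supplementary groups of c.
func inGroupSet(c Creds, gid uint32) bool {
	if c.Egid == gid {
		return true
	}
	for _, g := range c.Groups {
		if g == gid {
			return true
		}
	}
	return false
}

// CanRead applies the POSIX access-class rule: exactly one class is checked.
// The owner class if the uid matches, else the group class if the file's
// group is in the process's group set, else the other class. A file whose
// group bits are stricter than its other bits therefore denies group members
// while granting everyone else.
func CanRead(c Creds, f File) bool {
	switch {
	case c.Uid == f.Uid:
		return f.Mode&readUser != 0
	case inGroupSet(c, f.Gid):
		return f.Mode&readGroup != 0
	default:
		return f.Mode&readOther != 0
	}
}

// EnterContainer models a runtime creating the container's initial process
// for a user whose primary group is primaryGid. A correct setup (what
// initgroups(3) does for a login shell) also lists the primary group among
// the supplementary groups; includePrimary=false models the behaviour the
// advisory describes for buildah 1.27.0. (Assumed model, not buildah code.)
func EnterContainer(uid, primaryGid uint32, extra []uint32, includePrimary bool) Creds {
	groups := append([]uint32(nil), extra...)
	if includePrimary {
		groups = append(groups, primaryGid)
	}
	return Creds{Uid: uid, Egid: primaryGid, Groups: groups}
}

// ExecSGID models exec(2) of a set-group-ID binary: the effective gid becomes
// the binary's owning group; the supplementary list carries over unchanged.
func ExecSGID(c Creds, binaryGid uint32) Creds {
	c.Egid = binaryGid
	return c
}

// ScenarioReadable runs the advisory's scenario end to end and reports whether
// the SGID program ends up able to read the g1-restricted file.
func ScenarioReadable(includePrimary bool) bool {
	const u1, u2, g1, g2 uint32 = 1000, 1001, 1000, 2000
	// Constructed file: owned by u1:g1, mode 0605 (owner r, group none, other r).
	secret := File{Uid: u1, Gid: g1, Mode: 0o605}
	// u2, whose primary group is g1, is the user the container runs as.
	c := EnterContainer(u2, g1, nil, includePrimary)
	// u2 executes an SGID binary owned by group g2.
	c = ExecSGID(c, g2)
	return CanRead(c, secret)
}

func main() {
	fmt.Println("primary group kept in supplementary groups, readable:", ScenarioReadable(true))
	fmt.Println("primary group dropped from supplementary groups, readable:", ScenarioReadable(false))
}
```

The permission check itself is identical in both runs; only the supplementary group list built before exec differs, which is why the fix belongs in the runtime's credential setup and not in anything the SGID program does. For a Go module that depends on buildah, `govulncheck ./...` reports this entry under its GO-2022-1008 ID.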

Package                                   Affected Version
pkg:golang/github.com/containers/buildah  >= 1.27.0, < 1.27.1

Package                                   Fixed Version
pkg:golang/github.com/containers/buildah  = 1.27.1

Source             URL
Security Advisory  https://github.com/advisories/GHSA-fjm8-m7m6-2fjp

Type      Package URL                               Namespace              Name     Version
Fixed     pkg:golang/github.com/containers/buildah  github.com/containers  buildah  = 1.27.1
Affected  pkg:golang/github.com/containers/buildah  github.com/containers  buildah  >= 1.27.0, < 1.27.1