[pkg-go] libpod CVE-2023-0778 incorrectly tracked as affecting bullseye

Faidon Liambotis paravoid@debian.org
Fri Nov 3 20:03:32 GMT 2023


Hi folks,

TL;DR, please mark CVE-2023-0778 as not affecting bullseye.

I was looking into CVE-2023-0778, a vulnerability in podman
(src:libpod). The vulnerability's description is:
> This issue may allow a malicious user to replace a normal file in a
> volume with a symlink while exporting the volume, allowing for access
> to arbitrary files on the host file system.

RedHat's bug, https://bugzilla.redhat.com/show_bug.cgi?id=2168256 says:
> An attacker who has control on a container using a Volume can traverse
> arbitrary files on the host filesystem (which essentially is an
> escape) when an administrator tries to export this Volume, by
> exploiting a TOCTTOU vulnerability to replace a normal file in the
> Volume as a symlink.

security-tracker lists this as fixed in bookworm/trixie/sid, and links
to the 6ca857f commit from upstream git, included in
v4.3.1/v4.7.1/v4.7.2. This is correct.

security-tracker also lists bullseye (3.0.1+dfsg1-3+deb11u4) as
vulnerable, given (presumably) that it does not include the
aforementioned commit.

I looked more into it, and it seems that bullseye is actually NOT
affected. bullseye has podman v3.0.1, but "volume export" was introduced
with v3.4.0, and specifically upstream commit edddfe8, v3.4.0-rc1~96^2.

From a bullseye machine:
   root@ae004bcf150b:~# cat /etc/debian_version
   11.7
   root@ae004bcf150b:~# dpkg-query -W podman
   podman	3.0.1+dfsg1-3+deb11u4
   root@ae004bcf150b:~# podman volume export
   Error: unrecognized command `podman volume export`
   Try 'podman volume --help' for more information.
   root@ae004bcf150b:~# podman volume --help
   Manage volumes
   
   Description:
     Volumes are created in and can be shared between containers
   
   Usage:
     podman volume [command]
   
   Available Commands:
     create      Create a new volume
     inspect     Display detailed information on one or more volumes
     ls          List volumes
     prune       Remove all unused volumes
     rm          Remove one or more volumes

I also looked at the source. TarToFilesystem(), that the commit replaces,
exists, but is not referenced from anywhere.
cmd/podman/volumes/export.go does not exist.

HTH!
Faidon
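Added example, not part of the message above and not podman's own code (it is not the upstream fix in commit 6ca857f either): a Go sketch of the TOCTTOU shape the CVE description refers to. It places a check-then-use reader (classify the entry by name, then open the name again) beside an open-then-verify reader that opens with O_NOFOLLOW and checks the type on the already-open descriptor, so a file swapped for a symlink during the export is neither followed nor read. The function names (exportWith, readCheckThenUse, readOpenThenVerify, openRegularNoFollow, swapForSymlink), the Hook callback that stands in for a concurrent change to the volume, and the Linux assumption that O_NOFOLLOW on a symlink fails with ELOOP are mine; the temporary tree and the "host-secret" file are constructed for the example.

```go
package main

import (
	"errors"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

var (
	ErrNotRegular = errors.New("export: not a regular file") // symlink, device, FIFO, ...
	errSkip       = errors.New("export: skip entry")
)

// Hook runs inside the check/use window so a test can simulate a concurrent
// change to the volume; nil in real use. (Hypothetical helper, not podman's.)
type Hook func(path string)

// exportWith walks the volume and records what read returns for each
// non-directory entry, keyed by path relative to root.
func exportWith(root string, read func(string, fs.DirEntry) ([]byte, error)) (map[string][]byte, error) {
	out := map[string][]byte{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := read(p, d)
		if errors.Is(err, errSkip) {
			return nil
		}
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p)
		out[rel] = data
		return nil
	})
	return out, err
}

// readCheckThenUse is the racy shape: classify by name (the walker's Lstat),
// then open that name again. A path swapped for a symlink in between is followed.
func readCheckThenUse(race Hook) func(string, fs.DirEntry) ([]byte, error) {
	return func(p string, d fs.DirEntry) ([]byte, error) {
		if !d.Type().IsRegular() {
			return nil, errSkip
		}
		if race != nil {
			race(p) // the TOCTOU window
		}
		return os.ReadFile(p) // re-resolves p, following any new symlink
	}
}

// openRegularNoFollow opens the last path component without following a
// symlink (ELOOP on Linux if it is one) and checks the type on the open
// descriptor. Only the final component is protected; intermediate directories
// would need openat2(RESOLVE_BENEATH)-style resolution, not shown here.
func openRegularNoFollow(path string) (*os.File, error) {
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return nil, err
	}
	fi, err := f.Stat() // fstat: inspects what we hold, not a name
	if err == nil && !fi.Mode().IsRegular() {
		err = ErrNotRegular
	}
	if err != nil {
		f.Close()
		return nil, err
	}
	return f, nil
}

// readOpenThenVerify is the hardened shape: open, verify on the fd, read from
// that same fd. Symlinks are skipped rather than followed.
func readOpenThenVerify(race Hook) func(string, fs.DirEntry) ([]byte, error) {
	return func(p string, _ fs.DirEntry) ([]byte, error) {
		f, err := openRegularNoFollow(p)
		if errors.Is(err, ErrNotRegular) || errors.Is(err, syscall.ELOOP) {
			return nil, errSkip
		}
		if err != nil {
			return nil, err
		}
		defer f.Close()
		if race != nil {
			race(p) // too late: the original inode is already open
		}
		return io.ReadAll(f)
	}
}

// swapForSymlink returns a Hook that replaces path with a symlink to target;
// used here only against a constructed temporary tree.
func swapForSymlink(target string) Hook {
	return func(path string) {
		os.Remove(path)
		os.Symlink(target, path)
	}
}
```

With a regular file in a temporary "volume" and the hook swapping it for a symlink to a file outside that tree, readCheckThenUse returns the outside file's bytes under the volume entry's name, while readOpenThenVerify still returns the original contents, and on a later quiescent pass skips the symlink altogether. The caveat in openRegularNoFollow matters in practice: O_NOFOLLOW says nothing about directories earlier in the path, so a real exporter also needs each directory component resolved relative to an already-open handle.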