[pkg-go] libpod CVE-2023-0778 incorrectly tracked as affecting bullseye

Salvatore Bonaccorso carnil at debian.org
Fri Nov 3 20:47:04 GMT 2023


Hi,

On Fri, Nov 03, 2023 at 10:03:32PM +0200, Faidon Liambotis wrote:
> Hi folks,
> 
> TL;DR, please mark CVE-2023-0778 as not affecting bullseye.

TL;DR does not count ;-) It always needs a reasoning.

> I was looking into CVE-2023-0778, a vulnerability in podman
> (src:libpod). The vulnerability's description is:
> > This issue may allow a malicious user to replace a normal file in a
> > volume with a symlink while exporting the volume, allowing for access
> > to arbitrary files on the host file system."
> 
> RedHat's bug, https://bugzilla.redhat.com/show_bug.cgi?id=2168256 says:
> > An attacker who has control on a container using a Volume can traverse
> > arbitrary files on the host filesystem (which essentially is an
> > escape) when an administrator tries to export this Volume, by
> > exploiting a TOCTTOU vulnerability to replace a normal file in the
> > Volume as a symlink.
> 
> security-tracker lists this as fixed in bookworm/trixie/sid, and links
> to the 6ca857f commit from upstream git, included in
> v4.3.1/v4.7.1/v4.7.2. This is correct.
> 
> security-tracker also lists bullseye (3.0.1+dfsg1-3+deb11u4) as
> vulnerable, given (presumably) that it does not include the
> aforementioned commit.

Not necessarily if it's not clear, rather err on the safe side and
mark something as affected, rather than wrongly as not-affected. I
just wanted to mention that, final comment see below:

> I looked more into it, and it seems that bullseye is actually NOT
> affected. bullseye has podman v3.0.1, but "volume export" was introduced
> with v3.4.0, and specifically upstream commit edddfe8, v3.4.0-rc1~96^2.
> 
> From a bullseye machine:
>    root at ae004bcf150b:~# cat /etc/debian_version
>    11.7
>    root at ae004bcf150b:~# dpkg-query -W podman
>    podman	3.0.1+dfsg1-3+deb11u4
>    root at ae004bcf150b:~# podman volume export
>    Error: unrecognized command `podman volume export`
>    Try 'podman volume --help' for more information.
>    root at ae004bcf150b:~# podman volume --help
>    Manage volumes
>    
>    Description:
>      Volumes are created in and can be shared between containers
>    
>    Usage:
>      podman volume [command]
>    
>    Available Commands:
>      create      Create a new volume
>      inspect     Display detailed information on one or more volumes
>      ls          List volumes
>      prune       Remove all unused volumes
>      rm          Remove one or more volumes
> 
> I also looked at the source. TarToFilesystem(), that the commit replaces,
> exists, but is not referenced from anywhere.
> cmd/podman/volumes/export.go does not exist.

That all makes sense and it looks correct. I had a look at the
edddfe8c4f7761b12dc64ea4aa0a83b755aa124f commit and your reasoning and
inspection makes it sufficiently clear that the entry can be updated.
I just have done so with
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e828136e0342397af3b1131bcce1d58203ede2d5
.

Thank you!

Regards,
Salvatore
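As an added illustration of the check-then-use gap both quoted descriptions above refer to (a regular file swapped for a symlink between inspection and read while a volume is exported), not code from podman, from the commits named in the thread, or from either correspondent: a small Go helper that opens each entry with O_NOFOLLOW and checks the type with fstat on the descriptor it actually reads, so a swapped-in symlink is refused rather than followed. Function names, the refusal error and the sample files are constructed for this example.

```go
package main
import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"os"
	"path/filepath"
	"syscall"
)
var ErrNotRegular = errors.New("refusing to archive: not a regular file")
// addRegularFile appends one entry without a check-then-use gap: O_NOFOLLOW
// makes open(2) fail with ELOOP if the final path component is a symlink, and
// the type check is fstat on the opened descriptor, not an earlier lstat that
// a container process could race. Caveat: only the last component is covered;
// a symlink swapped in for a parent directory needs openat-style resolution.
func addRegularFile(tw *tar.Writer, root, name string) error {
	f, err := os.OpenFile(filepath.Join(root, name), os.O_RDONLY|syscall.O_NOFOLLOW, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	st, err := f.Stat() // fstat(2) on what we opened, not what lstat saw earlier
	if err != nil {
		return err
	}
	if !st.Mode().IsRegular() {
		return ErrNotRegular
	}
	hdr := &tar.Header{Typeflag: tar.TypeReg, Name: name, Mode: int64(st.Mode().Perm()), Size: st.Size(), ModTime: st.ModTime()}
	if err = tw.WriteHeader(hdr); err != nil {
		return err
	}
	_, err = io.Copy(tw, f)
	return err
}
// exportNames archives the listed entries under root (a constructed stand-in
// for a volume export); entries that were or became symlinks are reported, not exported.
func exportNames(root string, names []string) (archive []byte, refused []string, err error) {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		if e := addRegularFile(tw, root, n); errors.Is(e, ErrNotRegular) || errors.Is(e, syscall.ELOOP) {
			refused = append(refused, n)
		} else if e != nil {
			return nil, nil, e
		}
	}
	err = tw.Close()
	return buf.Bytes(), refused, err
}
```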
