[pkg-go] Bug#1083188: podman: CVE-2024-3056
Moritz Mühlenhoff
jmm at inutil.org
Wed Oct 2 21:32:46 BST 2024
Package: podman
X-Debbugs-CC: team at security.debian.org
Severity: normal
Tags: security
Hi,
The following vulnerability was published for podman.
CVE-2024-3056[0]:
| A flaw was found in Podman. This issue may allow an attacker to
| create a specially crafted container that, when configured to share
| the same IPC with at least one other container, can create a large
| number of IPC resources in /dev/shm. The malicious container will
| continue to exhaust resources until it is out-of-memory (OOM)
| killed. While the malicious container's cgroup will be removed, the
| IPC resources it created are not. Those resources are tied to the
| IPC namespace that will not be removed until all containers using it
| are stopped, and one non-malicious container is holding the
| namespace open. The malicious container is restarted, either
| automatically or by attacker control, repeating the process and
| increasing the amount of memory consumed. With a container
| configured to restart always, such as `podman run --restart=always`,
| this can result in a memory-based denial of service of the system.
https://bugzilla.redhat.com/show_bug.cgi?id=2270717
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-3056
https://www.cve.org/CVERecord?id=CVE-2024-3056
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-go-maintainers
mailing list