SUSE-SU-2022:3766-1: important: Security update for buildah

sle-updates at lists.suse.com sle-updates at lists.suse.com
Wed Oct 26 13:47:00 UTC 2022


   SUSE Security Update: Security update for buildah
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:3766-1
Rating:             important
References:         #1167864 #1181961 #1202812 
Cross-References:   CVE-2020-10696 CVE-2021-20206 CVE-2022-2990
                   
CVSS scores:
                    CVE-2020-10696 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2020-10696 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
                    CVE-2021-20206 (NVD) : 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2021-20206 (SUSE): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
                    CVE-2022-2990 (NVD) : 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                    CVE-2022-2990 (SUSE): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Products:
                    SUSE Linux Enterprise Desktop 15-SP3
                    SUSE Linux Enterprise High Performance Computing 15-SP3
                    SUSE Linux Enterprise Micro 5.1
                    SUSE Linux Enterprise Micro 5.2
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Containers 15-SP3
                    SUSE Linux Enterprise Server 15-SP3
                    SUSE Linux Enterprise Server for SAP Applications 15-SP3
                    SUSE Linux Enterprise Storage 7.1
                    SUSE Manager Proxy 4.2
                    SUSE Manager Retail Branch Server 4.2
                    SUSE Manager Server 4.2
                    openSUSE Leap 15.3
                    openSUSE Leap Micro 5.2
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for buildah fixes the following issues:

   - CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to
     execute arbitrary binaries on the host (bsc#1181961).
   - CVE-2020-10696: Fixed an issue that could lead to files being
     overwritten during the image building process (bsc#1167864).
   - CVE-2022-2990: Fixed possible information disclosure and modification /
     bsc#1202812

   Buildah was updated to version 1.27.1:

   * run: add container gid to additional groups

   - Add fix for CVE-2022-2990 / bsc#1202812


   Update to version 1.27.0:

   * Don't try to call runLabelStdioPipes if spec.Linux is not set
   * build: support filtering cache by duration using --cache-ttl
   * build: support building from commit when using git repo as build context
   * build: clean up git repos correctly when using subdirs
   * integration tests: quote "?" in shell scripts
   * test: manifest inspect should have OCIv1 annotation
   * vendor: bump to c/common at 87fab4b7019a
   * Failure to determine a file or directory should print an error
   * refactor: remove unused CommitOptions from generateBuildOutput
   * stage_executor: generate output for cases with no commit
   * stage_executor, commit: output only if last stage in build
   * Use errors.Is() instead of os.Is{Not,}Exist
   * Minor test tweak for podman-remote compatibility
   * Cirrus: Use the latest imgts container
   * imagebuildah: complain about the right Dockerfile
   * tests: don't try to wrap `nil` errors
   * cmd/buildah.commitCmd: don't shadow "err"
   * cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
   * Fix a copy/paste error message
   * Fix a typo in an error message
   * build,cache: support pulling/pushing cache layers to/from remote sources
   * Update vendor of containers/(common, storage, image)
   * Rename chroot/run.go to chroot/run_linux.go
   * Don't bother telling codespell to skip files that don't exist
   * Set user namespace defaults correctly for the library
   * imagebuildah: optimize cache hits for COPY and ADD instructions
   * Cirrus: Update VM images w/ updated bats
   * docs, run: show SELinux label flag for cache and bind mounts
   * imagebuildah, build: remove undefined concurrent writes
   * bump github.com/opencontainers/runtime-tools
   * Add FreeBSD support for 'buildah info'
   * Vendor in latest containers/(storage, common, image)
   * Add freebsd cross build targets
   * Make the jail package build on 32bit platforms
   * Cirrus: Ensure the build-push VM image is labeled
   * GHA: Fix dynamic script filename
   * Vendor in containers/(common, storage, image)
   * Run codespell
   * Remove import of github.com/pkg/errors
   * Avoid using cgo in pkg/jail
   * Rename footypes to fooTypes for naming consistency
   * Move cleanupTempVolumes and cleanupRunMounts to run_common.go
   * Make the various run mounts work for FreeBSD
   * Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
   * Move runSetupRunMounts to run_common.go
   * Move cleanableDestinationListFromMounts to run_common.go
   * Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
   * Move setupMounts and runSetupBuiltinVolumes to run_common.go
   * Tidy up - runMakeStdioPipe can't be shared with linux
   * Move runAcceptTerminal to run_common.go
   * Move stdio copying utilities to run_common.go
   * Move runUsingRuntime and runCollectOutput to run_common.go
   * Move fileCloser, waitForSync and contains to run_common.go
   * Move checkAndOverrideIsolationOptions to run_common.go
   * Move DefaultNamespaceOptions to run_common.go
   * Move getNetworkInterface to run_common.go
   * Move configureEnvironment to run_common.go
   * Don't crash in configureUIDGID if Process.Capabilities is nil
   * Move configureUIDGID to run_common.go
   * Move runLookupPath to run_common.go
   * Move setupTerminal to run_common.go
   * Move etc file generation utilities to run_common.go
   * Add run support for FreeBSD
   * Add a simple FreeBSD jail library
   * Add FreeBSD support to pkg/chrootuser
   * Sync call signature for RunUsingChroot with chroot/run.go
   * test: verify feature to resolve basename with args
   * vendor: bump openshift/imagebuilder to master at 4151e43
   * GHA: Remove required reserved-name use
   * buildah: set XDG_RUNTIME_DIR before setting default runroot
   * imagebuildah: honor build output even if build container is not commited
   * chroot: honor DefaultErrnoRet
   * [CI:DOCS] improve pull-policy documentation
   * tests: retrofit test since --file does not supports dir
   * Switch to golang native error wrapping
   * BuildDockerfiles: error out if path to containerfile is a directory
   * define.downloadToDirectory: fail early if bad HTTP response
   * GHA: Allow re-use of Cirrus-Cron fail-mail workflow
   * add: fail on bad http response instead of writing to container
   * [CI:DOCS] Update buildahimage comment
   * lint: inspectable is never nil
   * vendor: c/common to common at 7e1563b
   * build: support OCI hooks for ephemeral build containers
   * [CI:BUILD] Install latest buildah instead of compiling
   * Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
   * Make sure cpp is installed in buildah images
   * demo: use unshare for rootless invocations
   * buildah.spec.rpkg: initial addition
   * build: fix test for subid 4
   * build, userns: add support for --userns=auto
   * Fix building upstream buildah image
   * Remove redundant buildahimages-are-sane validation
   * Docs: Update multi-arch buildah images readme
   * Cirrus: Migrate multiarch build off github actions
   * retrofit-tests: we skip unused stages so use stages
   * stage_executor: dont rely on stage while looking for additional-context
   * buildkit, multistage: skip computing unwanted stages
   * More test cleanup
   * copier: work around freebsd bug for "mkdir /"
   * Replace $BUILDAH_BINARY with buildah() function
   * Fix up buildah images
   * Make util and copier build on FreeBSD
   * Vendor in latest github.com/sirupsen/logrus
   * Makefile: allow building without .git
   * run_unix: don't return an error from getNetworkInterface
   * run_unix: return a valid DefaultNamespaceOptions
   * Update vendor of containers/storage
   * chroot: use ActKillThread instead of ActKill
   * use resolvconf package from c/common/libnetwork
   * update c/common to latest main
   * copier: add `NoOverwriteNonDirDir` option
   * Sort buildoptions and move cli/build functions to internal
   * Fix TODO: de-spaghettify run mounts
   * Move options parsing out of build.go and into pkg/cli
   * [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
   * build, multiarch: support splitting build logs for --platform
   * [CI:BUILD] WIP Cleanup Image Dockerfiles
   * cli remove stutter
   * docker-parity: ignore sanity check if baseImage history is null
   * build, commit: allow disabling image history with --omit-history
   * Fix use generic/ambiguous DEBUG name
   * Cirrus: use Ubuntu 22.04 LTS
   * Fix codespell errors
   * Remove util.StringInSlice because it is defined in containers/common
   * buildah: add support for renaming a device in rootless setups
   * squash: never use build cache when computing last step of last stage
   * Update vendor of containers/(common, storage, image)
   * buildkit: supports additionalBuildContext in builds via --build-context
   * buildah source pull/push: show progress bar
   * run: allow resuing secret twice in different RUN steps
   * test helpers: default to being rootless-aware
   * Add --cpp-flag flag to buildah build
   * build: accept branch and subdirectory when context is git repo
   * Vendor in latest containers/common
   * vendor: update c/storage and c/image
   * Fix gentoo install docs
   * copier: move NSS load to new process
   * Add test for prevention of reusing encrypted layers
   * Make `buildah build --label foo` create an empty "foo" label again


   Update to version 1.26.4:

   * build, multiarch: support splitting build logs for --platform
   * copier: add `NoOverwriteNonDirDir` option
   * docker-parity: ignore sanity check if baseImage history is null
   * build, commit: allow disabling image history with --omit-history
   * buildkit: supports additionalBuildContext in builds via --build-context
   * Add --cpp-flag flag to buildah build

   Update to version 1.26.3:

   * define.downloadToDirectory: fail early if bad HTTP response
   * add: fail on bad http response instead of writing to container
   * squash: never use build cache when computing last step of last stage
   * run: allow resuing secret twice in different RUN steps
   * integration tests: update expected error messages
   * integration tests: quote "?" in shell scripts
   * Use errors.Is() to check for storage errors
   * lint: inspectable is never nil
   * chroot: use ActKillThread instead of ActKill
   * chroot: honor DefaultErrnoRet
   * Set user namespace defaults correctly for the library
   * contrib/rpm/buildah.spec: fix `rpm` parser warnings

   Drop requires on apparmor pattern, should be moved elsewhere for systems
   which want AppArmor instead of SELinux.

   - Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is
     required to build.

   Update to version 1.26.2:

   * buildah: add support for renaming a device in rootless setups

   Update to version 1.26.1:

   * Make `buildah build --label foo` create an empty "foo" label again
   * imagebuildah,build: move deepcopy of args before we spawn goroutine
   * Vendor in containers/storage v1.40.2
   * buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
   * help output: get more consistent about option usage text
   * Handle OS version and features flags
   * buildah build: --annotation and --label should remove values
   * buildah build: add a --env
   * buildah: deep copy options.Args before performing concurrent build/stage
   * test: inline platform and builtinargs behaviour
   * vendor: bump imagebuilder to master/009dbc6
   * build: automatically set correct TARGETPLATFORM where expected
   * Vendor in containers/(common, storage, image)
   * imagebuildah, executor: process arg variables while populating baseMap
   * buildkit: add support for custom build output with --output
   * Cirrus: Update CI VMs to F36
   * fix staticcheck linter warning for deprecated function
   * Fix docs build on FreeBSD
   * copier.unwrapError(): update for Go 1.16
   * copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
   * copier.Put(): write to read-only directories
   * Ed's periodic test cleanup
   * using consistent lowercase 'invalid' word in returned err msg
   * use etchosts package from c/common
   * run: set actual hostname in /etc/hostname to match docker parity
   * Update vendor of containers/(common,storage,image)
   * manifest-create: allow creating manifest list from local image
   * Update vendor of storage,common,image
   * Initialize network backend before first pull
   * oci spec: change special mount points for namespaces
   * tests/helpers.bash: assert handle corner cases correctly
   * buildah: actually use containers.conf settings
   * integration tests: learn to start a dummy registry
   * Fix error check to work on Podman
   * buildah build should accept at most one arg
   * tests: reduce concurrency for flaky bud-multiple-platform-no-run
   * vendor in latest containers/common,image,storage
   * manifest-add: allow override arch,variant while adding image
   * Remove a stray `\` from .containerenv
   * Vendor in latest opencontainers/selinux v1.10.1
   * build, commit: allow removing default identity labels
   * Create shorter names for containers based on image IDs
   * test: skip rootless on cgroupv2 in root env
   * fix hang when oci runtime fails
   * Set permissions for GitHub actions
   * copier test: use correct UID/GID in test archives
   * run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap Micro 5.2:

      zypper in -t patch openSUSE-Leap-Micro-5.2-2022-3766=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-3766=1

   - SUSE Linux Enterprise Module for Containers 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Containers-15-SP3-2022-3766=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-3766=1

   - SUSE Linux Enterprise Micro 5.2:

      zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-3766=1

   - SUSE Linux Enterprise Micro 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-3766=1



Package List:

   - openSUSE Leap Micro 5.2 (aarch64 x86_64):

      libgpg-error-debugsource-1.42-150300.9.3.1
      libgpg-error0-1.42-150300.9.3.1
      libgpg-error0-debuginfo-1.42-150300.9.3.1

   - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

      buildah-1.27.1-150300.8.11.1
      libgpg-error-debugsource-1.42-150300.9.3.1
      libgpg-error-devel-1.42-150300.9.3.1
      libgpg-error-devel-debuginfo-1.42-150300.9.3.1
      libgpg-error0-1.42-150300.9.3.1
      libgpg-error0-debuginfo-1.42-150300.9.3.1

   - openSUSE Leap 15.3 (x86_64):

      libgpg-error-devel-32bit-1.42-150300.9.3.1
      libgpg-error-devel-32bit-debuginfo-1.42-150300.9.3.1
      libgpg-error0-32bit-1.42-150300.9.3.1
      libgpg-error0-32bit-debuginfo-1.42-150300.9.3.1

   - SUSE Linux Enterprise Module for Containers 15-SP3 (aarch64 ppc64le s390x x86_64):

      buildah-1.27.1-150300.8.11.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      libgpg-error-debugsource-1.42-150300.9.3.1
      libgpg-error-devel-1.42-150300.9.3.1
      libgpg-error-devel-debuginfo-1.42-150300.9.3.1
      libgpg-error0-1.42-150300.9.3.1
      libgpg-error0-debuginfo-1.42-150300.9.3.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64):

      libgpg-error0-32bit-1.42-150300.9.3.1
      libgpg-error0-32bit-debuginfo-1.42-150300.9.3.1

   - SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):

      libgpg-error-debugsource-1.42-150300.9.3.1
      libgpg-error0-1.42-150300.9.3.1
      libgpg-error0-debuginfo-1.42-150300.9.3.1

   - SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):

      libgpg-error-debugsource-1.42-150300.9.3.1
      libgpg-error0-1.42-150300.9.3.1
      libgpg-error0-debuginfo-1.42-150300.9.3.1


References:

   https://www.suse.com/security/cve/CVE-2020-10696.html
   https://www.suse.com/security/cve/CVE-2021-20206.html
   https://www.suse.com/security/cve/CVE-2022-2990.html
   https://bugzilla.suse.com/1167864
   https://bugzilla.suse.com/1181961
   https://bugzilla.suse.com/1202812



More information about the sle-updates mailing list