Security update for buildah

Announcement ID: SUSE-SU-2022:3766-1
Rating: important
References:
Cross-References:
CVSS scores:
  • CVE-2020-10696 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-10696 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2021-20206 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-20206 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2022-2990 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  • CVE-2022-2990 ( NVD ): 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Products:
  • Basesystem Module 15-SP3
  • Containers Module 15-SP3
  • openSUSE Leap 15.3
  • SUSE Linux Enterprise Desktop 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise Micro 5.1
  • SUSE Linux Enterprise Micro 5.2
  • SUSE Linux Enterprise Micro for Rancher 5.2
  • SUSE Linux Enterprise Real Time 15 SP3
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Manager Proxy 4.2
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Server 4.2

An update that solves three vulnerabilities can now be installed.

Description:

This update for buildah fixes the following issues:

  • CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
  • CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
  • CVE-2022-2990: Fixed possible information disclosure and modification (bsc#1202812).

Buildah was updated to version 1.27.1:

  • run: add container gid to additional groups
  • Add fix for CVE-2022-2990 (bsc#1202812)

Update to version 1.27.0:

  • Don't try to call runLabelStdioPipes if spec.Linux is not set
  • build: support filtering cache by duration using --cache-ttl
  • build: support building from commit when using git repo as build context
  • build: clean up git repos correctly when using subdirs
  • integration tests: quote "?" in shell scripts
  • test: manifest inspect should have OCIv1 annotation
  • vendor: bump to c/common@87fab4b7019a
  • Failure to determine a file or directory should print an error
  • refactor: remove unused CommitOptions from generateBuildOutput
  • stage_executor: generate output for cases with no commit
  • stage_executor, commit: output only if last stage in build
  • Use errors.Is() instead of os.Is{Not,}Exist
  • Minor test tweak for podman-remote compatibility
  • Cirrus: Use the latest imgts container
  • imagebuildah: complain about the right Dockerfile
  • tests: don't try to wrap nil errors
  • cmd/buildah.commitCmd: don't shadow "err"
  • cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
  • Fix a copy/paste error message
  • Fix a typo in an error message
  • build,cache: support pulling/pushing cache layers to/from remote sources
  • Update vendor of containers/(common, storage, image)
  • Rename chroot/run.go to chroot/run_linux.go
  • Don't bother telling codespell to skip files that don't exist
  • Set user namespace defaults correctly for the library
  • imagebuildah: optimize cache hits for COPY and ADD instructions
  • Cirrus: Update VM images w/ updated bats
  • docs, run: show SELinux label flag for cache and bind mounts
  • imagebuildah, build: remove undefined concurrent writes
  • bump github.com/opencontainers/runtime-tools
  • Add FreeBSD support for 'buildah info'
  • Vendor in latest containers/(storage, common, image)
  • Add freebsd cross build targets
  • Make the jail package build on 32bit platforms
  • Cirrus: Ensure the build-push VM image is labeled
  • GHA: Fix dynamic script filename
  • Vendor in containers/(common, storage, image)
  • Run codespell
  • Remove import of github.com/pkg/errors
  • Avoid using cgo in pkg/jail
  • Rename footypes to fooTypes for naming consistency
  • Move cleanupTempVolumes and cleanupRunMounts to run_common.go
  • Make the various run mounts work for FreeBSD
  • Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
  • Move runSetupRunMounts to run_common.go
  • Move cleanableDestinationListFromMounts to run_common.go
  • Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
  • Move setupMounts and runSetupBuiltinVolumes to run_common.go
  • Tidy up - runMakeStdioPipe can't be shared with linux
  • Move runAcceptTerminal to run_common.go
  • Move stdio copying utilities to run_common.go
  • Move runUsingRuntime and runCollectOutput to run_common.go
  • Move fileCloser, waitForSync and contains to run_common.go
  • Move checkAndOverrideIsolationOptions to run_common.go
  • Move DefaultNamespaceOptions to run_common.go
  • Move getNetworkInterface to run_common.go
  • Move configureEnvironment to run_common.go
  • Don't crash in configureUIDGID if Process.Capabilities is nil
  • Move configureUIDGID to run_common.go
  • Move runLookupPath to run_common.go
  • Move setupTerminal to run_common.go
  • Move etc file generation utilities to run_common.go
  • Add run support for FreeBSD
  • Add a simple FreeBSD jail library
  • Add FreeBSD support to pkg/chrootuser
  • Sync call signature for RunUsingChroot with chroot/run.go
  • test: verify feature to resolve basename with args
  • vendor: bump openshift/imagebuilder to master@4151e43
  • GHA: Remove required reserved-name use
  • buildah: set XDG_RUNTIME_DIR before setting default runroot
  • imagebuildah: honor build output even if build container is not committed
  • chroot: honor DefaultErrnoRet
  • [CI:DOCS] improve pull-policy documentation
  • tests: retrofit test since --file does not support dir
  • Switch to golang native error wrapping
  • BuildDockerfiles: error out if path to containerfile is a directory
  • define.downloadToDirectory: fail early if bad HTTP response
  • GHA: Allow re-use of Cirrus-Cron fail-mail workflow
  • add: fail on bad http response instead of writing to container
  • [CI:DOCS] Update buildahimage comment
  • lint: inspectable is never nil
  • vendor: c/common to common@7e1563b
  • build: support OCI hooks for ephemeral build containers
  • [CI:BUILD] Install latest buildah instead of compiling
  • Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
  • Make sure cpp is installed in buildah images
  • demo: use unshare for rootless invocations
  • buildah.spec.rpkg: initial addition
  • build: fix test for subid 4
  • build, userns: add support for --userns=auto
  • Fix building upstream buildah image
  • Remove redundant buildahimages-are-sane validation
  • Docs: Update multi-arch buildah images readme
  • Cirrus: Migrate multiarch build off github actions
  • retrofit-tests: we skip unused stages so use stages
  • stage_executor: don't rely on stage while looking for additional-context
  • buildkit, multistage: skip computing unwanted stages
  • More test cleanup
  • copier: work around freebsd bug for "mkdir /"
  • Replace $BUILDAH_BINARY with buildah() function
  • Fix up buildah images
  • Make util and copier build on FreeBSD
  • Vendor in latest github.com/sirupsen/logrus
  • Makefile: allow building without .git
  • run_unix: don't return an error from getNetworkInterface
  • run_unix: return a valid DefaultNamespaceOptions
  • Update vendor of containers/storage
  • chroot: use ActKillThread instead of ActKill
  • use resolvconf package from c/common/libnetwork
  • update c/common to latest main
  • copier: add NoOverwriteNonDirDir option
  • Sort buildoptions and move cli/build functions to internal
  • Fix TODO: de-spaghettify run mounts
  • Move options parsing out of build.go and into pkg/cli
  • [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
  • build, multiarch: support splitting build logs for --platform
  • [CI:BUILD] WIP Cleanup Image Dockerfiles
  • cli remove stutter
  • docker-parity: ignore sanity check if baseImage history is null
  • build, commit: allow disabling image history with --omit-history
  • Fix use generic/ambiguous DEBUG name
  • Cirrus: use Ubuntu 22.04 LTS
  • Fix codespell errors
  • Remove util.StringInSlice because it is defined in containers/common
  • buildah: add support for renaming a device in rootless setups
  • squash: never use build cache when computing last step of last stage
  • Update vendor of containers/(common, storage, image)
  • buildkit: supports additionalBuildContext in builds via --build-context
  • buildah source pull/push: show progress bar
  • run: allow reusing secret twice in different RUN steps
  • test helpers: default to being rootless-aware
  • Add --cpp-flag flag to buildah build
  • build: accept branch and subdirectory when context is git repo
  • Vendor in latest containers/common
  • vendor: update c/storage and c/image
  • Fix gentoo install docs
  • copier: move NSS load to new process
  • Add test for prevention of reusing encrypted layers
  • Make buildah build --label foo create an empty "foo" label again

Update to version 1.26.4:

  • build, multiarch: support splitting build logs for --platform
  • copier: add NoOverwriteNonDirDir option
  • docker-parity: ignore sanity check if baseImage history is null
  • build, commit: allow disabling image history with --omit-history
  • buildkit: supports additionalBuildContext in builds via --build-context
  • Add --cpp-flag flag to buildah build

Update to version 1.26.3:

  • define.downloadToDirectory: fail early if bad HTTP response
  • add: fail on bad http response instead of writing to container
  • squash: never use build cache when computing last step of last stage
  • run: allow reusing secret twice in different RUN steps
  • integration tests: update expected error messages
  • integration tests: quote "?" in shell scripts
  • Use errors.Is() to check for storage errors
  • lint: inspectable is never nil
  • chroot: use ActKillThread instead of ActKill
  • chroot: honor DefaultErrnoRet
  • Set user namespace defaults correctly for the library
  • contrib/rpm/buildah.spec: fix rpm parser warnings

  • Drop the Requires on the apparmor pattern; it should be moved elsewhere for systems that want AppArmor instead of SELinux.
  • Update BuildRequires to libassuan-devel >= 2.5.2; the pkgconfig file is required to build.

Update to version 1.26.2:

  • buildah: add support for renaming a device in rootless setups

Update to version 1.26.1:

  • Make buildah build --label foo create an empty "foo" label again
  • imagebuildah,build: move deepcopy of args before we spawn goroutine
  • Vendor in containers/storage v1.40.2
  • buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
  • help output: get more consistent about option usage text
  • Handle OS version and features flags
  • buildah build: --annotation and --label should remove values
  • buildah build: add a --env
  • buildah: deep copy options.Args before performing concurrent build/stage
  • test: inline platform and builtinargs behaviour
  • vendor: bump imagebuilder to master/009dbc6
  • build: automatically set correct TARGETPLATFORM where expected
  • Vendor in containers/(common, storage, image)
  • imagebuildah, executor: process arg variables while populating baseMap
  • buildkit: add support for custom build output with --output
  • Cirrus: Update CI VMs to F36
  • fix staticcheck linter warning for deprecated function
  • Fix docs build on FreeBSD
  • copier.unwrapError(): update for Go 1.16
  • copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
  • copier.Put(): write to read-only directories
  • Ed's periodic test cleanup
  • using consistent lowercase 'invalid' word in returned err msg
  • use etchosts package from c/common
  • run: set actual hostname in /etc/hostname to match docker parity
  • Update vendor of containers/(common,storage,image)
  • manifest-create: allow creating manifest list from local image
  • Update vendor of storage,common,image
  • Initialize network backend before first pull
  • oci spec: change special mount points for namespaces
  • tests/helpers.bash: assert handle corner cases correctly
  • buildah: actually use containers.conf settings
  • integration tests: learn to start a dummy registry
  • Fix error check to work on Podman
  • buildah build should accept at most one arg
  • tests: reduce concurrency for flaky bud-multiple-platform-no-run
  • vendor in latest containers/common,image,storage
  • manifest-add: allow override arch,variant while adding image
  • Remove a stray \ from .containerenv
  • Vendor in latest opencontainers/selinux v1.10.1
  • build, commit: allow removing default identity labels
  • Create shorter names for containers based on image IDs
  • test: skip rootless on cgroupv2 in root env
  • fix hang when oci runtime fails
  • Set permissions for GitHub actions
  • copier test: use correct UID/GID in test archives
  • run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.3
    zypper in -t patch SUSE-2022-3766=1
  • Basesystem Module 15-SP3
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-3766=1
  • Containers Module 15-SP3
    zypper in -t patch SUSE-SLE-Module-Containers-15-SP3-2022-3766=1
  • SUSE Linux Enterprise Micro 5.1
    zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-3766=1
  • SUSE Linux Enterprise Micro 5.2
    zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-3766=1
  • SUSE Linux Enterprise Micro for Rancher 5.2
    zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-3766=1
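The version check behind the instructions above, as an added example that is not part of the SUSE advisory: a POSIX sh/awk helper that compares a buildah VERSION-RELEASE string against the fixed release listed in this advisory. It is a simplified numeric comparison (no epoch or alphabetic segment handling, unlike rpm's own vercmp), and the pre-fix version strings used as samples are constructed, not taken from the advisory.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory. Fixed buildah release for
# Leap 15.3 / Containers Module 15-SP3 as listed in the package list above.
FIXED_BUILDAH="1.27.1-150300.8.11.1"

# vercmp A B: split both strings on every non-digit run and compare the
# numeric segments left to right; prints -1, 0 or 1 (A <, =, > B).
# Missing trailing segments count as 0. Simplification: no epoch, no
# alphabetic segments, so it is only meant for version-release strings
# shaped like the ones in this advisory.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[^0-9]+"); nb = split(b, y, "[^0-9]+")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa < yb) { print "-1"; exit }
            if (xa > yb) { print "1"; exit }
        }
        print "0"
    }'
}

# buildah_is_fixed VERSION-RELEASE: prints "fixed" when the given package
# version is at or above FIXED_BUILDAH, otherwise "vulnerable".
buildah_is_fixed() {
    if [ "$(vercmp "$1" "$FIXED_BUILDAH")" = "-1" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# On a real SUSE host the installed string comes from rpm, e.g.:
#   buildah_is_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}' buildah)"
# Constructed sample values for a stand-alone run:
buildah_is_fixed "1.26.4-150300.8.8.1"     # constructed pre-fix sample
buildah_is_fixed "$FIXED_BUILDAH"
```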

Package List:

  • openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
    • libgpg-error0-1.42-150300.9.3.1
    • libgpg-error-devel-1.42-150300.9.3.1
    • libgpg-error-devel-debuginfo-1.42-150300.9.3.1
    • libgpg-error0-debuginfo-1.42-150300.9.3.1
    • libgpg-error-debugsource-1.42-150300.9.3.1
  • openSUSE Leap 15.3 (x86_64)
    • libgpg-error0-32bit-1.42-150300.9.3.1
    • libgpg-error-devel-32bit-1.42-150300.9.3.1
    • libgpg-error0-32bit-debuginfo-1.42-150300.9.3.1
    • libgpg-error-devel-32bit-debuginfo-1.42-150300.9.3.1
  • openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64)
    • buildah-1.27.1-150300.8.11.1
  • openSUSE Leap 15.3 (aarch64_ilp32)
    • libgpg-error0-64bit-debuginfo-1.42-150300.9.3.1
    • libgpg-error0-64bit-1.42-150300.9.3.1
    • libgpg-error-devel-64bit-1.42-150300.9.3.1
    • libgpg-error-devel-64bit-debuginfo-1.42-150300.9.3.1
  • Basesystem Module 15-SP3 (aarch64 ppc64le s390x x86_64)
    • libgpg-error0-1.42-150300.9.3.1
    • libgpg-error-devel-1.42-150300.9.3.1
    • libgpg-error-devel-debuginfo-1.42-150300.9.3.1
    • libgpg-error0-debuginfo-1.42-150300.9.3.1
    • libgpg-error-debugsource-1.42-150300.9.3.1
  • Basesystem Module 15-SP3 (x86_64)
    • libgpg-error0-32bit-1.42-150300.9.3.1
    • libgpg-error0-32bit-debuginfo-1.42-150300.9.3.1
  • Containers Module 15-SP3 (aarch64 ppc64le s390x x86_64)
    • buildah-1.27.1-150300.8.11.1
  • SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
    • libgpg-error0-debuginfo-1.42-150300.9.3.1
    • libgpg-error-debugsource-1.42-150300.9.3.1
    • libgpg-error0-1.42-150300.9.3.1
  • SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64)
    • libgpg-error0-debuginfo-1.42-150300.9.3.1
    • libgpg-error-debugsource-1.42-150300.9.3.1
    • libgpg-error0-1.42-150300.9.3.1
  • SUSE Linux Enterprise Micro for Rancher 5.2 (aarch64 s390x x86_64)
    • libgpg-error0-debuginfo-1.42-150300.9.3.1
    • libgpg-error-debugsource-1.42-150300.9.3.1
    • libgpg-error0-1.42-150300.9.3.1
