GO-2022-0417

Source
https://pkg.go.dev/vuln/GO-2022-0417
Import Source
https://vuln.go.dev/ID/GO-2022-0417.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2022-0417
Aliases
Published
2022-07-01T20:08:10Z
Modified
2024-05-20T16:03:47Z
Summary
Incorrect default permissions in github.com/containers/buildah
Details

Containers are created with non-empty inheritable Linux process capabilities, permitting programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2).

This bug does not affect the container security sandbox, as the inheritable set never contains more capabilities than are included in the container's bounding set.

References

Affected packages

Go / github.com/containers/buildah

Package

Name
github.com/containers/buildah
View open source insights on deps.dev
Purl
pkg:golang/github.com/containers/buildah

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.25.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/containers/buildah",
            "symbols": [
                "Builder.Run",
                "setupCapAdd",
                "setupCapDrop"
            ]
        },
        {
            "path": "github.com/containers/buildah/chroot",
            "symbols": [
                "setCapabilities"
            ]
        }
    ]
}