Nixpkgs security tracker
6.5 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): NONE
- Availability impact (A): HIGH
Podman: buildah: cri-o: symlink traversal vulnerability in the containers/storage library can cause denial of service (dos)
A vulnerability was found in Podman, Buildah, and CRI-O. A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and result in a denial of service via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host.
References
Affected products
- *
- *
- *
- <1.55.1
- *
- *
- *
Matching in nixpkgs
pkgs.cri-o
Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface
pkgs.conmon
OCI container runtime monitor
pkgs.podman
Program for managing pods, containers and container images
pkgs.skopeo
Command line utility for various operations on container images and image repositories
pkgs.buildah
Tool which facilitates building OCI images
pkgs.conmon-rs
OCI container runtime monitor written in Rust
pkgs.podman-tui
Podman Terminal UI
pkgs.podman-compose
Implementation of docker-compose with podman backend
pkgs.podman-desktop
A graphical tool for developing on containers and Kubernetes
pkgs.cri-o-unwrapped
Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface
pkgs.buildah-unwrapped
Tool which facilitates building OCI images
pkgs.nomad-driver-podman
Podman task driver for Nomad
pkgs.python311Packages.podman
Python bindings for Podman's RESTful API
pkgs.python312Packages.podman
Python bindings for Podman's RESTful API
Package maintainers
-
@saschagrunert Sascha Grunert <mail@saschagrunert.de>
-
@vdemeester Vincent Demeester <vincent@sbr.pm>
-
@cpcloud Phillip Cloud
-
@sikmir Nikolay Korotkiy <sikmir@disroot.org>
-
@booxter Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
-
@panda2134 panda2134 <me+nixpkgs@panda2134.site>
-
@aaronjheng Aaron Jheng <wentworth@outlook.com>
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>
-
@developer-guy Batuhan Apaydın <developerguyn@gmail.com>
-
@nlewo Antoine Eiche <lewo@abesis.fr>