CVE-2024-9341

A flaw was found in Go. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container. This issue also allows attackers to access critical host files, bypassing the intended isolation between containers and the host system.

References

Affected packages

Debian:11 / golang-github-containers-common

Package

Name: golang-github-containers-common
Purl: pkg:deb/debian/golang-github-containers-common?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.33.4+ds1-1

0.33.4+ds1-1+deb11u1

0.33.4+ds1-1+deb11u2

0.34.2+ds1-1

0.35.4+ds1-1

0.36.0+ds1-1

0.38.5+ds2-1

0.38.9+ds1-1

0.38.12+ds1-1

0.38.12+ds1-2

0.38.16+ds1-1

0.42.1+ds1-1

0.42.1+ds1-2

0.44.0+ds1-1

0.44.3+ds1-1

0.44.3+ds1-2

0.44.4+ds1-1

0.44.5+ds1-1

0.46.0+ds1-1

0.47.2+ds1-1

0.48.0+ds1-1

0.48.0+ds1-2

0.49.1+ds1-1

0.50.1+ds1-1

0.50.1+ds1-2

0.50.1+ds1-3

0.50.1+ds1-4

0.51.0+ds1-1

0.52.0+ds1-1

0.52.0+ds1-2

0.55.4+ds1-1

0.55.4+ds1-2

0.55.4+ds1-3

0.56.0+ds1-1

0.56.0+ds1-2

0.56.0+ds1-3

0.56.0+ds1-4

0.57.0+ds1-1

0.57.0+ds1-2

0.57.2+ds1-1

0.57.2+ds1-2

0.57.4+ds1-1

0.57.4+ds1-2

0.57.4+ds1-3

0.57.4+ds1-4

0.58.0+ds1-1

0.58.2+ds1-2

0.58.2+ds1-3

0.60.0+ds1-1

0.60.1+ds1-1

0.60.1+ds1-3

0.60.2+ds1-1

0.60.2+ds1-2

0.60.3+ds1-3

0.60.4+ds1-1

0.61.0+ds1-1

0.61.0+ds1-2

0.61.1+ds1-1

0.62.0+ds1-1

0.62.2+ds1-1

0.62.2+ds1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / golang-github-containers-common

Package

Name: golang-github-containers-common
Purl: pkg:deb/debian/golang-github-containers-common?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.50.1+ds1-4

0.51.0+ds1-1

0.52.0+ds1-1

0.52.0+ds1-2

0.55.4+ds1-1

0.55.4+ds1-2

0.55.4+ds1-3

0.56.0+ds1-1

0.56.0+ds1-2

0.56.0+ds1-3

0.56.0+ds1-4

0.57.0+ds1-1

0.57.0+ds1-2

0.57.2+ds1-1

0.57.2+ds1-2

0.57.4+ds1-1

0.57.4+ds1-2

0.57.4+ds1-3

0.57.4+ds1-4

0.58.0+ds1-1

0.58.2+ds1-2

0.58.2+ds1-3

0.60.0+ds1-1

0.60.1+ds1-1

0.60.1+ds1-3

0.60.2+ds1-1

0.60.2+ds1-2

0.60.3+ds1-3

0.60.4+ds1-1

0.61.0+ds1-1

0.61.0+ds1-2

0.61.1+ds1-1

0.62.0+ds1-1

0.62.2+ds1-1

0.62.2+ds1-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / golang-github-containers-common

Package

Name: golang-github-containers-common
Purl: pkg:deb/debian/golang-github-containers-common?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.60.4+ds1-1

Affected versions

0.*

0.50.1+ds1-4

0.51.0+ds1-1

0.52.0+ds1-1

0.52.0+ds1-2

0.55.4+ds1-1

0.55.4+ds1-2

0.55.4+ds1-3

0.56.0+ds1-1

0.56.0+ds1-2

0.56.0+ds1-3

0.56.0+ds1-4

0.57.0+ds1-1

0.57.0+ds1-2

0.57.2+ds1-1

0.57.2+ds1-2

0.57.4+ds1-1

0.57.4+ds1-2

0.57.4+ds1-3

0.57.4+ds1-4

0.58.0+ds1-1

0.58.2+ds1-2

0.58.2+ds1-3

0.60.0+ds1-1

0.60.1+ds1-1

0.60.1+ds1-3

0.60.2+ds1-1

0.60.2+ds1-2

0.60.3+ds1-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}