GO-2022-1008

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-1008

Import Source

https://vuln.go.dev/ID/GO-2022-1008.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2022-1008

Aliases

Related

Published

2022-09-21T15:06:10Z

Modified

2024-09-11T06:12:24.362864Z

Summary

Unauthorized file access in github.com/containers/buildah

Details

SGID programs executed in a container can access files that have negative group permissions for the user's primary group.

Consider a file which is owned by user u1 and group g1, permits user and other read access, and does NOT permit group read access. This file is readable by u1 and all other users except for ones in group g1.

A program with the set-group-ID (SGID) bit set assumes the primary group of the program's group when it executes.

A user with the primary group g1 who executes an SGID program owned by group g2 should not be able to access the file described above. While the program executes with the primary group g2, the group g1 should remain in its supplementary groups, blocking access to the file.

Buildah does not correctly add g1 to the supplementary groups in this scenario, permitting unauthorized access.

References

Affected packages

Go / github.com/containers/buildah

Package

Name: github.com/containers/buildah; View open source insights on deps.dev
Purl: pkg:golang/github.com/containers/buildah

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.27.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/containers/buildah",
            "symbols": [
                "Builder.Run",
                "Builder.configureUIDGID"
            ]
        }
    ]
}