{"affected":[{"ecosystem_specific":{"binaries":[{"libgpg-error-devel":"1.42-150300.9.3.1","libgpg-error0":"1.42-150300.9.3.1","libgpg-error0-32bit":"1.42-150300.9.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Basesystem 15 SP3","name":"libgpg-error","purl":"pkg:rpm/suse/libgpg-error&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.42-150300.9.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"buildah":"1.27.1-150300.8.11.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Module for Containers 15 SP3","name":"buildah","purl":"pkg:rpm/suse/buildah&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2015%20SP3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.27.1-150300.8.11.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libgpg-error0":"1.42-150300.9.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.1","name":"libgpg-error","purl":"pkg:rpm/suse/libgpg-error&distro=SUSE%20Linux%20Enterprise%20Micro%205.1"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.42-150300.9.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libgpg-error0":"1.42-150300.9.3.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.2","name":"libgpg-error","purl":"pkg:rpm/suse/libgpg-error&distro=SUSE%20Linux%20Enterprise%20Micro%205.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.42-150300.9.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"libgpg-error0":"1.42-150300.9.3.1"}]},"package":{"ecosystem":"openSUSE:Leap Micro 5.2","name":"libgpg-error","purl":"pkg:rpm/opensuse/libgpg-error&distro=openSUSE%20Leap%20Micro%205.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.42-150300.9.3.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"buildah":"1.27.1-150300.8.11.1","libgpg-error-devel":"1.42-150300.9.3.1","libgpg-error-devel-32bit":"1.42-150300.9.3.1","libgpg-error0":"1.42-150300.9.3.1","libgpg-error0-32bit":"1.42-150300.9.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.3","name":"buildah","purl":"pkg:rpm/opensuse/buildah&distro=openSUSE%20Leap%2015.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.27.1-150300.8.11.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"buildah":"1.27.1-150300.8.11.1","libgpg-error-devel":"1.42-150300.9.3.1","libgpg-error-devel-32bit":"1.42-150300.9.3.1","libgpg-error0":"1.42-150300.9.3.1","libgpg-error0-32bit":"1.42-150300.9.3.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.3","name":"libgpg-error","purl":"pkg:rpm/opensuse/libgpg-error&distro=openSUSE%20Leap%2015.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.42-150300.9.3.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for buildah fixes the following issues:\n\n- CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).\n- CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).\n- CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812\n\nBuildah was updated to version 1.27.1:\n\n* run: add container gid to additional groups\n\n- Add fix for CVE-2022-2990 / bsc#1202812\n\n\nUpdate to version 1.27.0:\n\n* Don't try to call runLabelStdioPipes if spec.Linux is not set\n* build: support filtering cache by duration using --cache-ttl\n* build: support building from commit when using git repo as build context\n* build: clean up git repos correctly when using subdirs\n* integration tests: quote '?' in shell scripts\n* test: manifest inspect should have OCIv1 annotation\n* vendor: bump to c/common@87fab4b7019a\n* Failure to determine a file or directory should print an error\n* refactor: remove unused CommitOptions from generateBuildOutput\n* stage_executor: generate output for cases with no commit\n* stage_executor, commit: output only if last stage in build\n* Use errors.Is() instead of os.Is{Not,}Exist\n* Minor test tweak for podman-remote compatibility\n* Cirrus: Use the latest imgts container\n* imagebuildah: complain about the right Dockerfile\n* tests: don't try to wrap `nil` errors\n* cmd/buildah.commitCmd: don't shadow 'err'\n* cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig\n* Fix a copy/paste error message\n* Fix a typo in an error message\n* build,cache: support pulling/pushing cache layers to/from remote sources\n* Update vendor of containers/(common, storage, image)\n* Rename chroot/run.go to chroot/run_linux.go\n* Don't bother telling codespell to skip files that don't exist\n* Set user namespace defaults correctly for the library\n* imagebuildah: optimize cache hits for COPY and ADD instructions\n* Cirrus: Update VM images w/ updated bats\n* docs, run: show SELinux label flag for cache and bind mounts\n* imagebuildah, build: remove undefined concurrent writes\n* bump github.com/opencontainers/runtime-tools\n* Add FreeBSD support for 'buildah info'\n* Vendor in latest containers/(storage, common, image)\n* Add freebsd cross build targets\n* Make the jail package build on 32bit platforms\n* Cirrus: Ensure the build-push VM image is labeled\n* GHA: Fix dynamic script filename\n* Vendor in containers/(common, storage, image)\n* Run codespell\n* Remove import of github.com/pkg/errors\n* Avoid using cgo in pkg/jail\n* Rename footypes to fooTypes for naming consistency\n* Move cleanupTempVolumes and cleanupRunMounts to run_common.go\n* Make the various run mounts work for FreeBSD\n* Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go\n* Move runSetupRunMounts to run_common.go\n* Move cleanableDestinationListFromMounts to run_common.go\n* Make setupMounts and runSetupBuiltinVolumes work on FreeBSD\n* Move setupMounts and runSetupBuiltinVolumes to run_common.go\n* Tidy up - runMakeStdioPipe can't be shared with linux\n* Move runAcceptTerminal to run_common.go\n* Move stdio copying utilities to run_common.go\n* Move runUsingRuntime and runCollectOutput to run_common.go\n* Move fileCloser, waitForSync and contains to run_common.go\n* Move checkAndOverrideIsolationOptions to run_common.go\n* Move DefaultNamespaceOptions to run_common.go\n* Move getNetworkInterface to run_common.go\n* Move configureEnvironment to run_common.go\n* Don't crash in configureUIDGID if Process.Capabilities is nil\n* Move configureUIDGID to run_common.go\n* Move runLookupPath to run_common.go\n* Move setupTerminal to run_common.go\n* Move etc file generation utilities to run_common.go\n* Add run support for FreeBSD\n* Add a simple FreeBSD jail library\n* Add FreeBSD support to pkg/chrootuser\n* Sync call signature for RunUsingChroot with chroot/run.go\n* test: verify feature to resolve basename with args\n* vendor: bump openshift/imagebuilder to master@4151e43\n* GHA: Remove required reserved-name use\n* buildah: set XDG_RUNTIME_DIR before setting default runroot\n* imagebuildah: honor build output even if build container is not commited\n* chroot: honor DefaultErrnoRet\n* [CI:DOCS] improve pull-policy documentation\n* tests: retrofit test since --file does not supports dir\n* Switch to golang native error wrapping\n* BuildDockerfiles: error out if path to containerfile is a directory\n* define.downloadToDirectory: fail early if bad HTTP response\n* GHA: Allow re-use of Cirrus-Cron fail-mail workflow\n* add: fail on bad http response instead of writing to container\n* [CI:DOCS] Update buildahimage comment\n* lint: inspectable is never nil\n* vendor: c/common to common@7e1563b\n* build: support OCI hooks for ephemeral build containers\n* [CI:BUILD] Install latest buildah instead of compiling\n* Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]\n* Make sure cpp is installed in buildah images\n* demo: use unshare for rootless invocations\n* buildah.spec.rpkg: initial addition\n* build: fix test for subid 4\n* build, userns: add support for --userns=auto\n* Fix building upstream buildah image\n* Remove redundant buildahimages-are-sane validation\n* Docs: Update multi-arch buildah images readme\n* Cirrus: Migrate multiarch build off github actions\n* retrofit-tests: we skip unused stages so use stages\n* stage_executor: dont rely on stage while looking for additional-context\n* buildkit, multistage: skip computing unwanted stages\n* More test cleanup\n* copier: work around freebsd bug for 'mkdir /'\n* Replace $BUILDAH_BINARY with buildah() function\n* Fix up buildah images\n* Make util and copier build on FreeBSD\n* Vendor in latest github.com/sirupsen/logrus\n* Makefile: allow building without .git\n* run_unix: don't return an error from getNetworkInterface\n* run_unix: return a valid DefaultNamespaceOptions\n* Update vendor of containers/storage\n* chroot: use ActKillThread instead of ActKill\n* use resolvconf package from c/common/libnetwork\n* update c/common to latest main\n* copier: add `NoOverwriteNonDirDir` option\n* Sort buildoptions and move cli/build functions to internal\n* Fix TODO: de-spaghettify run mounts\n* Move options parsing out of build.go and into pkg/cli\n* [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps\n* build, multiarch: support splitting build logs for --platform\n* [CI:BUILD] WIP Cleanup Image Dockerfiles\n* cli remove stutter\n* docker-parity: ignore sanity check if baseImage history is null\n* build, commit: allow disabling image history with --omit-history\n* Fix use generic/ambiguous DEBUG name\n* Cirrus: use Ubuntu 22.04 LTS\n* Fix codespell errors\n* Remove util.StringInSlice because it is defined in containers/common\n* buildah: add support for renaming a device in rootless setups\n* squash: never use build cache when computing last step of last stage\n* Update vendor of containers/(common, storage, image)\n* buildkit: supports additionalBuildContext in builds via --build-context\n* buildah source pull/push: show progress bar\n* run: allow resuing secret twice in different RUN steps\n* test helpers: default to being rootless-aware\n* Add --cpp-flag flag to buildah build\n* build: accept branch and subdirectory when context is git repo\n* Vendor in latest containers/common\n* vendor: update c/storage and c/image\n* Fix gentoo install docs\n* copier: move NSS load to new process\n* Add test for prevention of reusing encrypted layers\n* Make `buildah build --label foo` create an empty 'foo' label again\n\n\nUpdate to version 1.26.4:\n\n* build, multiarch: support splitting build logs for --platform\n* copier: add `NoOverwriteNonDirDir` option\n* docker-parity: ignore sanity check if baseImage history is null\n* build, commit: allow disabling image history with --omit-history\n* buildkit: supports additionalBuildContext in builds via --build-context\n* Add --cpp-flag flag to buildah build\n\nUpdate to version 1.26.3:\n\n* define.downloadToDirectory: fail early if bad HTTP response\n* add: fail on bad http response instead of writing to container\n* squash: never use build cache when computing last step of last stage\n* run: allow resuing secret twice in different RUN steps\n* integration tests: update expected error messages\n* integration tests: quote '?' in shell scripts\n* Use errors.Is() to check for storage errors\n* lint: inspectable is never nil\n* chroot: use ActKillThread instead of ActKill\n* chroot: honor DefaultErrnoRet\n* Set user namespace defaults correctly for the library\n* contrib/rpm/buildah.spec: fix `rpm` parser warnings\n\nDrop requires on apparmor pattern, should be moved elsewhere\nfor systems which want AppArmor instead of SELinux.\n\n- Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file\n  is required to build.\n\nUpdate to version 1.26.2:\n\n* buildah: add support for renaming a device in rootless setups\n\nUpdate to version 1.26.1:\n\n* Make `buildah build --label foo` create an empty 'foo' label again\n* imagebuildah,build: move deepcopy of args before we spawn goroutine\n* Vendor in containers/storage v1.40.2\n* buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated\n* help output: get more consistent about option usage text\n* Handle OS version and features flags\n* buildah build: --annotation and --label should remove values\n* buildah build: add a --env\n* buildah: deep copy options.Args before performing concurrent build/stage\n* test: inline platform and builtinargs behaviour\n* vendor: bump imagebuilder to master/009dbc6\n* build: automatically set correct TARGETPLATFORM where expected\n* Vendor in containers/(common, storage, image)\n* imagebuildah, executor: process arg variables while populating baseMap\n* buildkit: add support for custom build output with --output\n* Cirrus: Update CI VMs to F36\n* fix staticcheck linter warning for deprecated function\n* Fix docs build on FreeBSD\n* copier.unwrapError(): update for Go 1.16\n* copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit\n* copier.Put(): write to read-only directories\n* Ed's periodic test cleanup\n* using consistent lowercase 'invalid' word in returned err msg\n* use etchosts package from c/common\n* run: set actual hostname in /etc/hostname to match docker parity\n* Update vendor of containers/(common,storage,image)\n* manifest-create: allow creating manifest list from local image\n* Update vendor of storage,common,image\n* Initialize network backend before first pull\n* oci spec: change special mount points for namespaces\n* tests/helpers.bash: assert handle corner cases correctly\n* buildah: actually use containers.conf settings\n* integration tests: learn to start a dummy registry\n* Fix error check to work on Podman\n* buildah build should accept at most one arg\n* tests: reduce concurrency for flaky bud-multiple-platform-no-run\n* vendor in latest containers/common,image,storage\n* manifest-add: allow override arch,variant while adding image\n* Remove a stray `\\` from .containerenv\n* Vendor in latest opencontainers/selinux v1.10.1\n* build, commit: allow removing default identity labels\n* Create shorter names for containers based on image IDs\n* test: skip rootless on cgroupv2 in root env\n* fix hang when oci runtime fails\n* Set permissions for GitHub actions\n* copier test: use correct UID/GID in test archives\n* run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM\n\n","id":"SUSE-SU-2022:3766-1","modified":"2022-10-26T09:38:08Z","published":"2022-10-26T09:38:08Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2022/suse-su-20223766-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1167864"},{"type":"REPORT","url":"https://bugzilla.suse.com/1181961"},{"type":"REPORT","url":"https://bugzilla.suse.com/1202812"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-10696"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-20206"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2022-2990"}],"related":["CVE-2020-10696","CVE-2021-20206","CVE-2022-2990"],"summary":"Security update for buildah","upstream":["CVE-2020-10696","CVE-2021-20206","CVE-2022-2990"]}