High severity · NVD Advisory · Published Sep 13, 2022 · Updated Aug 3, 2024
CVE-2022-2990
Description
Incorrect handling of supplementary groups in the Buildah container engine might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container, where supplementary groups are used to set access permissions, and is able to execute binary code in that container.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/containers/buildah | Go | < 1.27.1 | 1.27.1 |
Affected products
- Range: no fixed version known
Patches
- 4a8bf740e862 run: add container gid to additional groups
4 files changed · +34 −0
run_common.go+1 −0 modified@@ -262,6 +262,7 @@ func (b *Builder) configureUIDGID(g *generate.Generator, mountPoint string, opti } g.SetProcessUID(user.UID) g.SetProcessGID(user.GID) + g.AddProcessAdditionalGid(user.GID) for _, gid := range user.AdditionalGids { g.AddProcessAdditionalGid(gid) }
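Review bot: the new `g.AddProcessAdditionalGid(user.GID)` is followed by the existing loop over `user.AdditionalGids`, which may contain `user.GID` as well; please confirm that `AddProcessAdditionalGid` deduplicates, or skip `gid == user.GID` in the loop so the spec does not carry the primary gid twice. A one-line comment stating why the primary gid must also be in the additional gids (the container's `Groups:` list is what file permission checks on supplementary groups consult) would help the next reader of `configureUIDGID`.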
tests/bud.bats+16 −0 modified@@ -366,6 +366,22 @@ _EOF expect_output --substring "invalid response status" } +@test "build test has gid in supplemental groups" { + _prefetch alpine + run_buildah build $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile + # gid 1000 must be in supplemental groups + expect_output --substring "Groups: 1000" +} + +@test "build test if supplemental groups has gid with --isolation chroot" { + test -z "${BUILDAH_ISOLATION}" || skip "BUILDAH_ISOLATION=${BUILDAH_ISOLATION} overrides --isolation" + + _prefetch alpine + run_buildah build --isolation chroot $WITH_POLICY_JSON -t source -f $BUDFILES/supplemental-groups/Dockerfile + # gid 1000 must be in supplemental groups + expect_output --substring "Groups: 1000" +} + # Test skipping images with FROM @test "build-test skipping unwanted stages with FROM" { mkdir -p ${TEST_SCRATCH_DIR}/bud/platform
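Review bot: both new bud tests use `expect_output --substring "Groups: 1000"` with no trailing delimiter, so a status line such as `Groups: 10001` would also satisfy the check; the `run.bats` test in this same patch anchors on `"Groups: 1000 "` with the trailing space. Use the same anchored form in both bud tests so they fail when the gid is absent rather than merely prefixed.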
tests/bud/supplemental-groups/Dockerfile+3 −0 added@@ -0,0 +1,3 @@ +FROM alpine +USER 1000:1000 +RUN cat /proc/$$/status
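Review bot: `RUN cat /proc/$$/status` reads the status of the shell that `RUN` spawns, not of `cat`; that works because both run as `USER 1000:1000`, but `cat /proc/self/status`, as `run.bats` uses, expresses the intent directly and does not depend on `$$` surviving the shell form of `RUN`.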
tests/run.bats+14 −0 modified@@ -349,6 +349,20 @@ function configure_and_check_user() { expect_output "888:888" } +@test "run --user and verify gid in supplemental groups" { + skip_if_no_runtime + + # Create the container. + _prefetch alpine + run_buildah from $WITH_POLICY_JSON alpine + ctr="$output" + + # Run with uid:gid 1000:1000 and verify if gid is present in additional groups + run_buildah run --user 1000:1000 "$ctr" cat /proc/self/status + # gid 1000 must be in additional/supplemental groups + expect_output --substring "Groups: 1000 " +} + @test "run --workingdir" { skip_if_no_runtime
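The property the patch's bats tests assert (the process's effective gid also appearing in the `Groups:` line of `/proc/<pid>/status`) written as a small Go check; this is an added example, not code from the Buildah project. The status excerpts are constructed, and comparing parsed integers avoids the substring pitfall where `Groups: 10000` contains `Groups: 1000`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed /proc/<pid>/status excerpts, not captured from a real container.
const (
	StatusFixed      = "Gid:\t1000\t1000\t1000\t1000\nGroups:\t1000 \n"  // what the patched tests expect
	StatusUnfixed    = "Gid:\t1000\t1000\t1000\t1000\nGroups:\t\n"       // empty list the fix addresses
	StatusMisleading = "Gid:\t1000\t1000\t1000\t1000\nGroups:\t10000 \n" // passes a bare substring match
)

// fieldInts parses the numbers that follow key on the matching status line.
func fieldInts(status, key string) (out []int, err error) {
	for _, line := range strings.Split(status, "\n") {
		if strings.HasPrefix(line, key) {
			for _, s := range strings.Fields(strings.TrimPrefix(line, key)) {
				v, e := strconv.Atoi(s)
				if e != nil {
					return nil, fmt.Errorf("%s line: %w", key, e)
				}
				out = append(out, v)
			}
		}
	}
	return out, nil
}

// PrimaryGidInGroups reports whether the effective gid (second "Gid:" field) is listed in "Groups:".
func PrimaryGidInGroups(status string) (bool, error) {
	gid, err := fieldInts(status, "Gid:")
	if err != nil || len(gid) != 4 {
		return false, fmt.Errorf("missing or malformed Gid line: %v", err)
	}
	groups, err := fieldInts(status, "Groups:") // on error groups is nil and err is returned below
	for _, g := range groups {
		if g == gid[1] {
			return true, nil
		}
	}
	return false, err
}

func main() {
	ok, err := PrimaryGidInGroups(StatusUnfixed)
	fmt.Println("gid in supplementary groups:", ok, err)
}
```

Inside a container, feed it the real file with `os.ReadFile("/proc/self/status")` in place of the constructed constant to verify a runtime behaves like the patched Buildah.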
References
- github.com/advisories/GHSA-fjm8-m7m6-2fjp (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-2990 (ghsa, ADVISORY)
- access.redhat.com/security/cve/CVE-2022-2990 (ghsa, WEB)
- bugzilla.redhat.com/show_bug.cgi (ghsa, x_refsource_MISC, WEB)
- github.com/containers/buildah/commit/4a8bf740e862f2438279c6feee2ea59ddf0cda0b (ghsa, WEB)
- github.com/containers/buildah/pull/4200 (ghsa, WEB)
- pkg.go.dev/vuln/GO-2022-1008 (ghsa, WEB)
- www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation (ghsa, WEB)
- www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/ (mitre, x_refsource_MISC)