Update module github.com/moby/buildkit to v0.12.5 [SECURITY] #457
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
deleted the
renovate/go-github.com/moby/buildkit-vulnerability
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v0.12.4->v0.12.5GitHub Vulnerability Alerts
CVE-2024-23653
Impact
In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special
security.insecureentitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.Patches
The issue has been fixed in v0.12.5 .
Workarounds
Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the
#syntaxline on your Dockerfile, or with--frontendflag when usingbuildctl buildcommand.References
CVE-2024-23652
Impact
A malicious BuildKit frontend or Dockerfile using
RUN --mountcould trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.Patches
The issue has been fixed in v0.12.5
Workarounds
Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing
RUN --mountfeature.References
CVE-2024-23651
Impact
Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.
Patches
The issue has been fixed in v0.12.5
Workarounds
Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with
--mount=type=cache,source=...options.References
https://www.openwall.com/lists/oss-security/2019/05/28/1
CVE-2024-23650
Impact
A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.
Patches
The issue has been fixed in v0.12.5
Workarounds
Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the
#syntaxline on your Dockerfile, or with--frontendflag when usingbuildctl buildcommand.References
Release Notes
moby/buildkit (github.com/moby/buildkit)
v0.12.5Compare Source
https://hub.docker.com/r/moby/buildkit
Notable changes:
This release contains following security fixes:
Runc has been updated to v1.1.12 addressing GHSA-xr7r-f8xq-vfvv
Fix possible race condition with accessing subpaths from cache mounts GHSA-m3r6-h7wv-7xxv
Fix possible host system access from mount stub cleaner GHSA-4v98-7qmw-rqr8
Fix interactive containers API validation against entitlements GHSA-wr6v-9f75-vh2g
Fix possible panic when incorrect parameters sent from frontend GHSA-9p26-698r-w4hx
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.