Security update for buildah

Announcement ID: SUSE-SU-2022:0770-1
Rating: moderate
CVSS scores:
  • CVE-2019-10214 ( SUSE ): 9.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CVE-2019-10214 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • CVE-2020-10696 ( SUSE ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2020-10696 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • CVE-2021-20206 ( SUSE ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE-2021-20206 ( NVD ): 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Affected Products:
  • Containers Module 15-SP3
  • openSUSE Leap 15.3
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise Real Time 15 SP3
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Manager Proxy 4.2
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Server 4.2

An update that solves three vulnerabilities and contains one feature can now be installed.

Description:

This update for buildah fixes the following issues:

buildah was updated to version 1.23.1:

Update to version 1.22.3:

  • Update dependencies
  • Post-branch commit
  • Accept repositories on login/logout

Update to version 1.22.0:

  • c/image, c/storage, c/common vendor before Podman 3.3 release
  • Proposed patch for 3399 (shadowutils)
  • Fix handling of --restore shadow-utils
  • runtime-flag (debug) test: handle old & new runc
  • Allow dst and destination for target in secret mounts
  • Multi-arch: Always push updated version-tagged img
  • imagebuildah.stageExecutor.prepare(): remove pseudonym check
  • refine dangling filter
  • Chown with environment variables not set should fail
  • Just restore protections of shadow-utils
  • Remove specific kernel version number requirement from install.md
  • Multi-arch image workflow: Make steps generic
  • chroot: fix environment value leakage to intermediate processes
  • Update nix pin with make nixpkgs
  • buildah source - create and manage source images
  • Update cirrus-cron notification GH workflow
  • Reuse code from containers/common/pkg/parse
  • Cirrus: Freshen VM images
  • Fix excludes exception beginning with / or ./
  • Fix syntax for --manifest example
  • vendor containers/common@main
  • Cirrus: Drop dependence on fedora-minimal
  • Adjust conformance-test error-message regex
  • Workaround appearance of differing debug messages
  • Cirrus: Install docker from package cache
  • Switch rusagelogfile to use options.Out
  • Turn stdio back to blocking when command finishes
  • Add support for default network creation
  • Cirrus: Updates for master->main rename
  • Change references from master to main
  • Add --env and --workingdir flags to run command
  • [CI:DOCS] buildah bud: spelling --ignore-file requires parameter
  • [CI:DOCS] push/pull: clarify supported transports
  • Remove unused function arguments
  • Create mountOptions for mount command flags
  • Extract version command implementation to function
  • Add --json flags to mount and version commands
  • copier.Put(): set xattrs after ownership
  • buildah add/copy: spelling
  • buildah copy and buildah add should support .containerignore
  • Remove unused util.StartsWithValidTransport
  • Fix documentation of the --format option of buildah push
  • Don't use alltransports.ParseImageName with known transports
  • man pages: clarify rmi removes dangling parents
  • [CI:DOCS] Fix links to c/image master branch
  • imagebuildah: use the specified logger for logging preprocessing warnings
  • Fix copy into workdir for a single file
  • Fix docs links due to branch rename
  • Update nix pin with make nixpkgs
  • fix(docs): typo
  • Move to v1.22.0-dev
  • Fix handling of auth.json file while in a user namespace
  • Add rusage-logfile flag to optionally send rusage to a file
  • imagebuildah: redo step logging
  • Add volumes to make running buildah within a container easier
  • Add and use a "copy" helper instead of podman load/save
  • Bump github.com/containers/common from 0.38.4 to 0.39.0
  • containerImageRef/containerImageSource: don't buffer uncompressed layers
  • containerImageRef(): squashed images have no parent images
  • Sync. workflow across skopeo, buildah, and podman
  • Bump github.com/containers/storage from 1.31.1 to 1.31.2
  • Bump github.com/opencontainers/runc from 1.0.0-rc94 to 1.0.0-rc95
  • Bump to v1.21.1-dev [NO TESTS NEEDED]

Patch Instructions:

To install this SUSE update, use one of the SUSE-recommended installation methods, such as YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.3
    zypper in -t patch SUSE-2022-770=1
  • Containers Module 15-SP3
    zypper in -t patch SUSE-SLE-Module-Containers-15-SP3-2022-770=1

Package List:

  • openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
    • buildah-1.23.1-150300.8.3.1
  • Containers Module 15-SP3 (aarch64 ppc64le s390x x86_64)
    • buildah-1.23.1-150300.8.3.1
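
To confirm that a host has picked up this update, the installed buildah package can be compared against the version in the Package List above. The script below is an added example, not part of the SUSE advisory; the function names and the `--check` argument are hypothetical, and it assumes GNU `sort -V` as an approximation of RPM version ordering.

```shell
#!/bin/sh
# Added example: check the installed buildah against the package version
# shipped by SUSE-SU-2022:0770-1 (value taken from the Package List).
FIXED_EVR="1.23.1-150300.8.3.1"

# evr_at_least INSTALLED FIXED
# Returns 0 when INSTALLED sorts at or after FIXED.
# Assumption: `sort -V` stands in for RPM's own comparison; the two agree
# for plain dotted numeric version-release strings such as these.
evr_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify_evr INSTALLED
# Prints "fixed" if INSTALLED is at or above FIXED_EVR, else "needs-update".
classify_evr() {
    if evr_at_least "$1" "$FIXED_EVR"; then
        echo fixed
    else
        echo needs-update
    fi
}

# check_host: query the local RPM database and report the result.
# Exit status: 0 = fixed or not installed, 1 = needs update, 2 = no rpm.
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; this is not an RPM-based host"
        return 2
    fi
    evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' buildah 2>/dev/null) || {
        echo "buildah is not installed"
        return 0
    }
    status=$(classify_evr "$evr")
    echo "buildah $evr: $status (advisory ships $FIXED_EVR)"
    [ "$status" = fixed ]
}

# Only touch the RPM database when explicitly asked to.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it with `--check` on each affected host; a non-zero exit status marks a host that still needs the patch command listed for its product.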
