MEDIUM 6.3
GHSA-49p4-px3h-rq49
Build breakout using malicious Containerfile and Git Smart HTTP server or GitHub release tar archive
Details
### Impact
When processing build contexts or `add`/`copy` instructions, a malicious server serving a Git repository or a tar archive file can cause files outside of the build context directory to be included in the build context or copied into the build.
### Patches
Fixed in Buildah 1.44 and 1.43.2.
Affected packages
Go / github.com/containers/buildah
Introduced in: 1.38.1
Fixed in: 1.43.2
Fix: `go get github.com/containers/buildah@v1.43.2`
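To check a Go project against the affected range above, the following added example (not part of the advisory or of Buildah) reads the required Buildah version from `go.mod` text and tests it against 1.38.1 ≤ v < 1.43.2. The names `key`, `Affected`, `BuildahVersion` and the sample `go.mod` are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// modPath comes from the advisory; sampleGoMod is a constructed demo input.
const modPath = "github.com/containers/buildah"
const sampleGoMod = "module example.com/builder\n\nrequire (\n\tgithub.com/containers/buildah v1.40.0 // indirect\n)\n"

// key maps "v1.43.2" to 1043002; pre-release and pseudo-versions are rejected for manual review.
func key(v string) (int, error) {
	parts := strings.Split(strings.TrimPrefix(v, "v"), ".")
	k := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if len(parts) != 3 || err != nil || n < 0 || n > 999 {
			return 0, fmt.Errorf("unsupported version %q", v)
		}
		k = k*1000 + n
	}
	return k, nil
}

// Affected reports whether v falls in [1.38.1, 1.43.2), the advisory's range.
func Affected(v string) (bool, error) {
	k, err := key(v)
	return k >= 1038001 && k < 1043002, err
}

// BuildahVersion returns the buildah version required in go.mod text, or "".
func BuildahVersion(gomod string) string {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) >= 2 && f[0] == modPath {
			return f[1]
		}
	}
	return ""
}

func main() {
	fmt.Println(Affected(BuildahVersion(sampleGoMod)))
}
```

The `go.mod` requirement is a minimum; `go list -m github.com/containers/buildah` reports the version the build actually selects, which is the one to feed to `Affected`.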