Detections
Analytics

SUSE SLED15: buildah / libgpg-error-devel / libgpg-error-devel-32bit / etc (SUSE-SU-2022:3766-1)

high Nessus Plugin ID 166586

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3766-1 advisory.

 - CVE-2021-20206: Fixed an issue in libcni that could allow an attacker to execute arbitrary binaries on the host (bsc#1181961).
 - CVE-2020-10696: Fixed an issue that could lead to files being overwritten during the image building process (bsc#1167864).
 - CVE-2022-2990: Fixed possible information disclosure and modification / bsc#1202812

 Buildah was updated to version 1.27.1:

 * run: add container gid to additional groups

 - Add fix for CVE-2022-2990 / bsc#1202812


 Update to version 1.27.0:

 * Don't try to call runLabelStdioPipes if spec.Linux is not set
 * build: support filtering cache by duration using --cache-ttl
 * build: support building from commit when using git repo as build context
 * build: clean up git repos correctly when using subdirs
 * integration tests: quote '?' in shell scripts
 * test: manifest inspect should have OCIv1 annotation
 * vendor: bump to c/common@87fab4b7019a
 * Failure to determine a file or directory should print an error
 * refactor: remove unused CommitOptions from generateBuildOutput
 * stage_executor: generate output for cases with no commit
 * stage_executor, commit: output only if last stage in build
 * Use errors.Is() instead of os.Is{Not,}Exist
 * Minor test tweak for podman-remote compatibility
 * Cirrus: Use the latest imgts container
 * imagebuildah: complain about the right Dockerfile
 * tests: don't try to wrap `nil` errors
 * cmd/buildah.commitCmd: don't shadow 'err'
 * cmd/buildah.pullCmd: complain about DecryptConfig/EncryptConfig
 * Fix a copy/paste error message
 * Fix a typo in an error message
 * build,cache: support pulling/pushing cache layers to/from remote sources
 * Update vendor of containers/(common, storage, image)
 * Rename chroot/run.go to chroot/run_linux.go
 * Don't bother telling codespell to skip files that don't exist
 * Set user namespace defaults correctly for the library
 * imagebuildah: optimize cache hits for COPY and ADD instructions
 * Cirrus: Update VM images w/ updated bats
 * docs, run: show SELinux label flag for cache and bind mounts
 * imagebuildah, build: remove undefined concurrent writes
 * bump github.com/opencontainers/runtime-tools
 * Add FreeBSD support for 'buildah info'
 * Vendor in latest containers/(storage, common, image)
 * Add freebsd cross build targets
 * Make the jail package build on 32bit platforms
 * Cirrus: Ensure the build-push VM image is labeled
 * GHA: Fix dynamic script filename
 * Vendor in containers/(common, storage, image)
 * Run codespell
 * Remove import of github.com/pkg/errors
 * Avoid using cgo in pkg/jail
 * Rename footypes to fooTypes for naming consistency
 * Move cleanupTempVolumes and cleanupRunMounts to run_common.go
 * Make the various run mounts work for FreeBSD
 * Move get{Bind,Tmpfs,Secret,SSH}Mount to run_common.go
 * Move runSetupRunMounts to run_common.go
 * Move cleanableDestinationListFromMounts to run_common.go
 * Make setupMounts and runSetupBuiltinVolumes work on FreeBSD
 * Move setupMounts and runSetupBuiltinVolumes to run_common.go
 * Tidy up - runMakeStdioPipe can't be shared with linux
 * Move runAcceptTerminal to run_common.go
 * Move stdio copying utilities to run_common.go
 * Move runUsingRuntime and runCollectOutput to run_common.go
 * Move fileCloser, waitForSync and contains to run_common.go
 * Move checkAndOverrideIsolationOptions to run_common.go
 * Move DefaultNamespaceOptions to run_common.go
 * Move getNetworkInterface to run_common.go
 * Move configureEnvironment to run_common.go
 * Don't crash in configureUIDGID if Process.Capabilities is nil
 * Move configureUIDGID to run_common.go
 * Move runLookupPath to run_common.go
 * Move setupTerminal to run_common.go
 * Move etc file generation utilities to run_common.go
 * Add run support for FreeBSD
 * Add a simple FreeBSD jail library
 * Add FreeBSD support to pkg/chrootuser
 * Sync call signature for RunUsingChroot with chroot/run.go
 * test: verify feature to resolve basename with args
 * vendor: bump openshift/imagebuilder to master@4151e43
 * GHA: Remove required reserved-name use
 * buildah: set XDG_RUNTIME_DIR before setting default runroot
 * imagebuildah: honor build output even if build container is not commited
 * chroot: honor DefaultErrnoRet
 * [CI:DOCS] improve pull-policy documentation
 * tests: retrofit test since --file does not supports dir
 * Switch to golang native error wrapping
 * BuildDockerfiles: error out if path to containerfile is a directory
 * define.downloadToDirectory: fail early if bad HTTP response
 * GHA: Allow re-use of Cirrus-Cron fail-mail workflow
 * add: fail on bad http response instead of writing to container
 * [CI:DOCS] Update buildahimage comment
 * lint: inspectable is never nil
 * vendor: c/common to common@7e1563b
 * build: support OCI hooks for ephemeral build containers
 * [CI:BUILD] Install latest buildah instead of compiling
 * Add subid support with BuildRequires and BUILDTAG [NO NEW TESTS NEEDED]
 * Make sure cpp is installed in buildah images
 * demo: use unshare for rootless invocations
 * buildah.spec.rpkg: initial addition
 * build: fix test for subid 4
 * build, userns: add support for --userns=auto
 * Fix building upstream buildah image
 * Remove redundant buildahimages-are-sane validation
 * Docs: Update multi-arch buildah images readme
 * Cirrus: Migrate multiarch build off github actions
 * retrofit-tests: we skip unused stages so use stages
 * stage_executor: dont rely on stage while looking for additional-context
 * buildkit, multistage: skip computing unwanted stages
 * More test cleanup
 * copier: work around freebsd bug for 'mkdir /'
 * Replace $BUILDAH_BINARY with buildah() function
 * Fix up buildah images
 * Make util and copier build on FreeBSD
 * Vendor in latest github.com/sirupsen/logrus
 * Makefile: allow building without .git
 * run_unix: don't return an error from getNetworkInterface
 * run_unix: return a valid DefaultNamespaceOptions
 * Update vendor of containers/storage
 * chroot: use ActKillThread instead of ActKill
 * use resolvconf package from c/common/libnetwork
 * update c/common to latest main
 * copier: add `NoOverwriteNonDirDir` option
 * Sort buildoptions and move cli/build functions to internal
 * Fix TODO: de-spaghettify run mounts
 * Move options parsing out of build.go and into pkg/cli
 * [CI:DOCS] Tutorial 04 - Include Debian/Ubuntu deps
 * build, multiarch: support splitting build logs for --platform
 * [CI:BUILD] WIP Cleanup Image Dockerfiles
 * cli remove stutter
 * docker-parity: ignore sanity check if baseImage history is null
 * build, commit: allow disabling image history with --omit-history
 * Fix use generic/ambiguous DEBUG name
 * Cirrus: use Ubuntu 22.04 LTS
 * Fix codespell errors
 * Remove util.StringInSlice because it is defined in containers/common
 * buildah: add support for renaming a device in rootless setups
 * squash: never use build cache when computing last step of last stage
 * Update vendor of containers/(common, storage, image)
 * buildkit: supports additionalBuildContext in builds via --build-context
 * buildah source pull/push: show progress bar
 * run: allow resuing secret twice in different RUN steps
 * test helpers: default to being rootless-aware
 * Add --cpp-flag flag to buildah build
 * build: accept branch and subdirectory when context is git repo
 * Vendor in latest containers/common
 * vendor: update c/storage and c/image
 * Fix gentoo install docs
 * copier: move NSS load to new process
 * Add test for prevention of reusing encrypted layers
 * Make `buildah build --label foo` create an empty 'foo' label again


 Update to version 1.26.4:

 * build, multiarch: support splitting build logs for --platform
 * copier: add `NoOverwriteNonDirDir` option
 * docker-parity: ignore sanity check if baseImage history is null
 * build, commit: allow disabling image history with --omit-history
 * buildkit: supports additionalBuildContext in builds via --build-context
 * Add --cpp-flag flag to buildah build

 Update to version 1.26.3:

 * define.downloadToDirectory: fail early if bad HTTP response
 * add: fail on bad http response instead of writing to container
 * squash: never use build cache when computing last step of last stage
 * run: allow resuing secret twice in different RUN steps
 * integration tests: update expected error messages
 * integration tests: quote '?' in shell scripts
 * Use errors.Is() to check for storage errors
 * lint: inspectable is never nil
 * chroot: use ActKillThread instead of ActKill
 * chroot: honor DefaultErrnoRet
 * Set user namespace defaults correctly for the library
 * contrib/rpm/buildah.spec: fix `rpm` parser warnings

 Drop requires on apparmor pattern, should be moved elsewhere for systems which want AppArmor instead of SELinux.

 - Update BuildRequires to libassuan-devel >= 2.5.2, pkgconfig file is required to build.

 Update to version 1.26.2:

 * buildah: add support for renaming a device in rootless setups

 Update to version 1.26.1:

 * Make `buildah build --label foo` create an empty 'foo' label again
 * imagebuildah,build: move deepcopy of args before we spawn goroutine
 * Vendor in containers/storage v1.40.2
 * buildah.BuilderOptions.DefaultEnv is ignored, so mark it as deprecated
 * help output: get more consistent about option usage text
 * Handle OS version and features flags
 * buildah build: --annotation and --label should remove values
 * buildah build: add a --env
 * buildah: deep copy options.Args before performing concurrent build/stage
 * test: inline platform and builtinargs behaviour
 * vendor: bump imagebuilder to master/009dbc6
 * build: automatically set correct TARGETPLATFORM where expected
 * Vendor in containers/(common, storage, image)
 * imagebuildah, executor: process arg variables while populating baseMap
 * buildkit: add support for custom build output with --output
 * Cirrus: Update CI VMs to F36
 * fix staticcheck linter warning for deprecated function
 * Fix docs build on FreeBSD
 * copier.unwrapError(): update for Go 1.16
 * copier.PutOptions: add StripSetuidBit/StripSetgidBit/StripStickyBit
 * copier.Put(): write to read-only directories
 * Ed's periodic test cleanup
 * using consistent lowercase 'invalid' word in returned err msg
 * use etchosts package from c/common
 * run: set actual hostname in /etc/hostname to match docker parity
 * Update vendor of containers/(common,storage,image)
 * manifest-create: allow creating manifest list from local image
 * Update vendor of storage,common,image
 * Initialize network backend before first pull
 * oci spec: change special mount points for namespaces
 * tests/helpers.bash: assert handle corner cases correctly
 * buildah: actually use containers.conf settings
 * integration tests: learn to start a dummy registry
 * Fix error check to work on Podman
 * buildah build should accept at most one arg
 * tests: reduce concurrency for flaky bud-multiple-platform-no-run
 * vendor in latest containers/common,image,storage
 * manifest-add: allow override arch,variant while adding image
 * Remove a stray `\` from .containerenv
 * Vendor in latest opencontainers/selinux v1.10.1
 * build, commit: allow removing default identity labels
 * Create shorter names for containers based on image IDs
 * test: skip rootless on cgroupv2 in root env
 * fix hang when oci runtime fails
 * Set permissions for GitHub actions
 * copier test: use correct UID/GID in test archives
 * run: set parent-death signals and forward SIGHUP/SIGINT/SIGTERM

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1167864

https://bugzilla.suse.com/1181961

https://bugzilla.suse.com/1202812

https://www.suse.com/security/cve/CVE-2020-10696

https://www.suse.com/security/cve/CVE-2021-20206

https://www.suse.com/security/cve/CVE-2022-2990

http://www.nessus.org/u?471aac02

Plugin Details

Severity: High

ID: 166586

File Name: suse_SU-2022-3766-1.nasl

Version: 1.7

Type: Local

Agent: unix

Published: 10/27/2022

Updated: 6/25/2026

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, tenable_cloud_security, tenable_self_hosted_container_security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-10696

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:libgpg-error0, p-cpe:/a:novell:suse_linux:buildah, p-cpe:/a:novell:suse_linux:libgpg-error-devel, p-cpe:/a:novell:suse_linux:libgpg-error0-32bit, cpe:/o:novell:suse_linux:15

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/26/2022

Vulnerability Publication Date: 3/31/2020

Reference Information

CVE: CVE-2020-10696, CVE-2021-20206, CVE-2022-2990

SuSE: SUSE-SU-2022:3766-1