x/vulndb: potential Go vuln in github.com/moby/buildkit: CVE-2024-23652

[GoVulnBot]

CVE-2024-23652 references github.com/moby/buildkit, which may be a Go module.

Description:
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. The issue has been fixed in v0.12.5. Workarounds include avoiding using BuildKit frontends from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-23652
• JSON: https://github.com/CVEProject/cvelist/tree/c99b32470221bca5b06270b4847ef695fbb558e6/2024/23xxx/CVE-2024-23652.json
• advisory: GHSA-4v98-7qmw-rqr8
• fix: executor: recheck mount stub path within root after container run moby/buildkit#4603
• web: https://github.com/moby/buildkit/releases/tag/v0.12.5
• Imported by: https://pkg.go.dev/github.com/moby/buildkit?tab=importedby

Cross references:

• Module github.com/moby/buildkit appears in issue x/vulndb: potential Go vuln in github.com/moby/buildkit: CVE-2023-26054 #1609 EFFECTIVELY_PRIVATE
• Module github.com/moby/buildkit appears in issue x/vulndb: potential Go vuln in github.com/moby/buildkit: CVE-2020-27534 #2296 LEGACY_FALSE_POSITIVE

See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/moby/buildkit
      vulnerable_at: 0.12.5
      packages:
        - package: buildkit
cves:
    - CVE-2024-23652
references:
    - advisory: https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8
    - fix: https://github.com/moby/buildkit/pull/4603
    - web: https://github.com/moby/buildkit/releases/tag/v0.12.5

[gopherbot]

Change https://go.dev/cl/562377 mentions this issue: data/reports: add GO-2024-2494.yaml