chore: update module github.com/moby/buildkit to v0.12.5 [security] - autoclosed

[renovate]

Update Request | Renovate Bot

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/moby/buildkit	v0.12.3 -> v0.12.5

GitHub Vulnerability Alerts

CVE-2024-23653

Impact

In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special security.insecure entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request.

Patches

The issue has been fixed in v0.12.5 .

Workarounds

Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the #syntax line on your Dockerfile, or with --frontend flag when using buildctl build command.

References

CVE-2024-23652

Impact

A malicious BuildKit frontend or Dockerfile using RUN --mount could trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system.

Patches

The issue has been fixed in v0.12.5

Workarounds

Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing RUN --mount feature.

References

CVE-2024-23651

Impact

Two malicious build steps running in parallel sharing the same cache mounts with subpaths could cause a race condition that can lead to files from the host system being accessible to the build container.

Patches

The issue has been fixed in v0.12.5

Workarounds

Avoid using BuildKit frontend from an untrusted source or building an untrusted Dockerfile containing cache mounts with --mount=type=cache,source=... options.

References

https://www.openwall.com/lists/oss-security/2019/05/28/1

CVE-2024-23650

Impact

A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic.

Patches

The issue has been fixed in v0.12.5

Workarounds

Avoid using BuildKit frontends from untrusted sources. A frontend image is usually specified as the #syntax line on your Dockerfile, or with --frontend flag when using buildctl build command.

References

---

Release Notes

moby/buildkit (github.com/moby/buildkit)

v0.12.5

Compare Source

https://hub.docker.com/r/moby/buildkit

Notable changes:

This release contains following security fixes:

• Runc has been updated to v1.1.12 addressing GHSA-xr7r-f8xq-vfvv

• Fix possible race condition with accessing subpaths from cache mounts GHSA-m3r6-h7wv-7xxv

• Fix possible host system access from mount stub cleaner GHSA-4v98-7qmw-rqr8

• Fix interactive containers API validation against entitlements GHSA-wr6v-9f75-vh2g

• Fix possible panic when incorrect parameters sent from frontend GHSA-9p26-698r-w4hx

v0.12.4

Compare Source

Welcome to the 0.12.4 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Notable changes

• Fix possible concurrent map access on remote cache export #​4346
• Fix hang on debug server listener #​4361
• Fix possible deadlock in History API under high number of parallel builds #​4362
• Fix possible panic on handling deleted records in History API #​4451
• Fix possible data corruption in zstd library #​4372

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.