Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2024-23650

Published: 31 January 2024

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. A malicious BuildKit client or frontend could craft a request that could lead to BuildKit daemon crashing with a panic. The issue has been fixed in v0.12.5. As a workaround, avoid using BuildKit frontends from untrusted sources.

Notes

AuthorNote
alexmurray 
Traditionally the docker.io source package contained both the
library and docker application. However, in releases that
contain the
docker.io-app source package, the docker.io source package
contains only
the library whilst the docker application itself is contained
in the
docker.io-app package.
sbeattie 
docker packages contain an embedded copy of github:moby/buildkit

Priority

Medium

Cvss 3 Severity Score

5.3

Score breakdown

Status

Package Release Status
docker.io
Launchpad, Ubuntu, Debian 		bionic Needed

focal Needed

jammy Needed

mantic Needed

noble Needed

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Not vulnerable
(code not present)
Patches:
upstream: https://github.com/moby/buildkit/pull/4601/commits/5d7d85f5a0388bb0faa0d9250f96b35814cff1f9
upstream: https://github.com/moby/buildkit/pull/4601/commits/e11862c24df3cea41d14fa76106ff5a8ad3f0bff
upstream: https://github.com/moby/buildkit/pull/4601/commits/8dfaf014d7f9721b501f99ab0aeb9f0ed957948d
upstream: https://github.com/moby/buildkit/pull/4601/commits/63664239f39d6a6643d442c8ae89137011b29e39
upstream: https://github.com/moby/buildkit/pull/4601/commits/6495c2bda891abb063a6474685a0fcad30da3269
docker.io-app
Launchpad, Ubuntu, Debian 		bionic Does not exist

focal Needed

jammy Needed

mantic Needed

noble Needed

trusty Ignored
(end of standard support)
upstream Needs triage

xenial Does not exist

Severity score breakdown

Parameter Value
Base score 5.3
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact Low
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading