Source: docker.io
Version: 28.5.2+dfsg4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for docker.io.

CVE-2026-33747[0]:
| BuildKit is a toolkit for converting source code to build artifacts
| in an efficient, expressive and repeatable manner. Prior to version
| 0.28.1, when using a custom BuildKit frontend, the frontend can
| craft an API message that causes files to be written outside of the
| BuildKit state directory for the execution context. The issue has
| been fixed in v0.28.1. The vulnerability requires using an untrusted
| BuildKit frontend set with `#syntax` or `--build-arg
| BUILDKIT_SYNTAX`. Using these options with a well-known frontend
| image like `docker/dockerfile` is not affected.

CVE-2026-33748[1]:
| BuildKit is a toolkit for converting source code to build artifacts
| in an efficient, expressive and repeatable manner. Prior to version
| 0.28.1, insufficient validation of Git URL fragment subdir
| components may allow access to files outside the checked-out Git
| repository root. Possible access is limited to files on the same
| mounted filesystem. The issue has been fixed in version v0.28.1. The
| issue affects only builds that use Git URLs with a subpath
| component. As a workaround, avoid building Dockerfiles from
| untrusted sources or using the subdir component from an untrusted
| Git repository where the subdir component could point to a symlink.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33747
    https://www.cve.org/CVERecord?id=CVE-2026-33747
[1] https://security-tracker.debian.org/tracker/CVE-2026-33748
    https://www.cve.org/CVERecord?id=CVE-2026-33748

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
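The second advisory turns on whether the subdir component of a Git URL fragment is kept inside the checked-out repository even when it names a symlink. As an added example, not BuildKit's own code or its actual fix, the Go function below shows the class of check involved: reject lexical `..` escapes, then resolve symlinks on both sides before a containment test. `NewFixture`, the `repo`/`outside` directory names and the `escape` symlink are constructed for the demonstration.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRepo = errors.New("subdir resolves outside the repository root")

// ResolveSubdir confines a Git URL fragment subdir (the "sub" in
// "git://host/repo.git#main:sub") to root: lexical ".." escapes are rejected
// first, then symlinks on both sides are resolved so a link inside the checkout
// cannot redirect the build context to other files on the same filesystem.
func ResolveSubdir(root, subdir string) (string, error) {
	sep := string(filepath.Separator)
	rel := filepath.Clean(subdir)
	if filepath.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return "", ErrOutsideRepo
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	realPath, err := filepath.EvalSymlinks(filepath.Join(root, rel))
	if err != nil {
		return "", err
	}
	// Trailing separator so that "/repo-evil" does not count as inside "/repo".
	if realPath != realRoot && !strings.HasPrefix(realPath, realRoot+sep) {
		return "", ErrOutsideRepo
	}
	return realPath, nil
}

// NewFixture builds a constructed checkout in a temp dir: <tmp>/outside,
// <tmp>/repo/sub and the symlink <tmp>/repo/escape -> ../outside.
func NewFixture() (root string, cleanup func()) {
	tmp, err := os.MkdirTemp("", "buildkit-subdir-")
	must(err)
	root = filepath.Join(tmp, "repo")
	must(os.MkdirAll(filepath.Join(tmp, "outside"), 0o755))
	must(os.MkdirAll(filepath.Join(root, "sub"), 0o755))
	must(os.Symlink("../outside", filepath.Join(root, "escape")))
	return root, func() { os.RemoveAll(tmp) }
}

func must(err error) { if err != nil { panic(err) } }
```

With this check, `sub` resolves normally while both `escape` (a symlink leaving the checkout) and `../outside` (a lexical escape) are refused with `ErrOutsideRepo`.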

