Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 884859 (CVE-2022-4122, CVE-2022-4123) - app-containers/buildah: multiple vulnerabilities
Summary: app-containers/buildah: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-4122, CVE-2022-4123
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B4 [upstream]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-08 17:53 UTC by John Helmert III
Modified: 2023-09-23 09:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 17:53:27 UTC 
CVE-2022-4122 (https://bugzilla.redhat.com/show_bug.cgi?id=2144983):

A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.

CVE-2022-4123 (https://bugzilla.redhat.com/show_bug.cgi?id=2144989):

A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.

CVE-2022-4123 is ostensibly in Buildah, but there's a referenced
merged fix in podman: https://github.com/containers/podman/pull/13531

CVE-2022-4122's reference helpfully has no information except a link
to what appears to be a RedHat-internal resource:
https://redhat.service-now.com/surl.do?n=INC2395282
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 18:00:58 UTC 
Mailed the RedHat CNA email to ask for more information.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-10 18:53:42 UTC 
"Ana McTaggart updated your request with the following comments:

In regards to these. These bugs come about when "podman --remote build ..." is run, thus affecting buildah, but the bug itself needs to be fixed in podman and the fix can be found https://github.com/containers/podman/pull/16315 [https://github.com/containers/podman/pull/16315], which was an external reference on the CVE. I think they're still working out a few details on how to implement it.
 I'm not 100% sure how/when it will be fixed in Buildah, that seems to be a point of discussion on the podman side. We're still waiting for a fixed in version there as well. Hope this helps, let me know if you have any more questions."

So, the bugs are in Buildah, but can also be fixed in Podman. But no references to any upstream report in Buildah.
Comment 3 Rahil Bhimjiani 2023-09-21 07:14:05 UTC 
Buildah & Podman have been fairly updated. I'm not sure about CVE-2022-4123 but CVE-2022-4122 is surely fixed.
Comment 4 Hans de Graaff gentoo-dev Security 2023-09-23 09:44:15 UTC 
CVE-2022-4123 is fixed in podman-4.5.0: "Remote builds using the podman build command no longer allows .containerignore or .dockerignore files to be symlinks outside the build context."
Comment 5 Hans de Graaff gentoo-dev Security 2023-09-23 09:54:37 UTC 
Looking at the buildah release notes:

CVE-2022-4122 looks to be fixed in 1.29.0: "parse: default ignorefile must not point to symlink outside context"

Can't find a definitive reference to CVS-2022-4123, although there is a commit referencing an internal redhat system in relation to absolute paths in 1.32.0: "Make sure that pathnames picked up from the environment are absolute".