Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 744196 (CVE-2020-14370)

Summary: <app-emulation/libpod-2.1.0: Information leak when using Varlink API (CVE-2020-14370)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: ajak, zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/containers/podman/releases/tag/v2.1.0
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-23 03:18:26 UTC 
Description:
"This release resolves CVE-2020-14370, in which environment variables could be leaked between containers created using the Varlink API."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-23 03:18:45 UTC 
Please bump when you can to 2.1.0, thanks!
Comment 2 Larry the Git Cow gentoo-dev 2020-09-23 05:40:55 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ac56a337ac3e6c17ed58cfb9961de37e3da29ab

commit 7ac56a337ac3e6c17ed58cfb9961de37e3da29ab
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-09-23 05:38:54 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-09-23 05:40:26 +0000

    app-emulation/libpod: Bump to version 2.1.0
    
    Bug: https://bugs.gentoo.org/744196
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/libpod/Manifest            |   1 +
 app-emulation/libpod/libpod-2.1.0.ebuild | 154 +++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-23 13:45:07 UTC 
Thanks! Please cleanup when ready.
Comment 4 Larry the Git Cow gentoo-dev 2020-09-23 16:12:37 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c9cf798651b74852c656c0d1c92fbb07ee9dd529

commit c9cf798651b74852c656c0d1c92fbb07ee9dd529
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2020-09-23 16:11:49 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2020-09-23 16:12:18 +0000

    app-emulation/libpod: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/744196
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/libpod/Manifest            |   8 --
 app-emulation/libpod/libpod-1.8.2.ebuild | 141 ----------------------------
 app-emulation/libpod/libpod-1.9.3.ebuild | 142 ----------------------------
 app-emulation/libpod/libpod-2.0.0.ebuild | 150 ------------------------------
 app-emulation/libpod/libpod-2.0.1.ebuild | 150 ------------------------------
 app-emulation/libpod/libpod-2.0.2.ebuild | 154 -------------------------------
 app-emulation/libpod/libpod-2.0.3.ebuild | 154 -------------------------------
 app-emulation/libpod/libpod-2.0.4.ebuild | 154 -------------------------------
 app-emulation/libpod/libpod-2.0.5.ebuild | 154 -------------------------------
 9 files changed, 1207 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-09-24 00:44:37 UTC 
Thanks Zac. Tree is clean, no stable versions so no GLSA and all done.