Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 834540 (CVE-2021-3602)

Summary: <app-containers/buildah-1.23.1: environment leakage into containers
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: minor CC: zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-03 22:35:31 UTC

An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).


URL says 1.21.3, 1.19.9, 1.17.2, 1.16.8 are patched. Looks like we
don't have any of these branches anymore except 1.21, making 1.23.1
apparently the first fixed version.

Please cleanup.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-05 01:30:49 UTC
The bug has been referenced in the following commit(s):

commit c6ee53cac227e435bdc70fee8fd97dd4667df11b
Author:     Zac Medico <>
AuthorDate: 2022-03-05 01:30:14 +0000
Commit:     Zac Medico <>
CommitDate: 2022-03-05 01:30:33 +0000

    app-containers/buildah: Remove vulnerable versions
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <>

 app-containers/buildah/Manifest                 |  3 --
 app-containers/buildah/buildah-1.21.1-r1.ebuild | 51 -------------------------
 app-containers/buildah/buildah-1.24.0.ebuild    | 51 -------------------------
 app-containers/buildah/buildah-1.24.1.ebuild    | 51 -------------------------
 4 files changed, 156 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-05 17:00:51 UTC
Thanks! Minimal impact so no GLSA, all done.