Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 834540 (CVE-2021-3602)

Summary: <app-containers/buildah-1.23.1: environment leakage into containers
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: zmedico
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-03 22:35:31 UTC 
CVE-2021-3602:


An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).

Patch: https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0

URL says 1.21.3, 1.19.9, 1.17.2, 1.16.8 are patched. Looks like we
don't have any of these branches anymore except 1.21, making 1.23.1
apparently the first fixed version.

Please cleanup.
Comment 1 Larry the Git Cow gentoo-dev 2022-03-05 01:30:49 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c6ee53cac227e435bdc70fee8fd97dd4667df11b

commit c6ee53cac227e435bdc70fee8fd97dd4667df11b
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2022-03-05 01:30:14 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2022-03-05 01:30:33 +0000

    app-containers/buildah: Remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/834540
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-containers/buildah/Manifest                 |  3 --
 app-containers/buildah/buildah-1.21.1-r1.ebuild | 51 -------------------------
 app-containers/buildah/buildah-1.24.0.ebuild    | 51 -------------------------
 app-containers/buildah/buildah-1.24.1.ebuild    | 51 -------------------------
 4 files changed, 156 deletions(-)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-05 17:00:51 UTC 
Thanks! Minimal impact so no GLSA, all done.