
Bug 884859 (CVE-2022-4122, CVE-2022-4123)

Summary: app-containers/buildah: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: minor
CC: zmedico
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B4 [upstream]
Package list:
Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 17:53:27 UTC
CVE-2022-4122 (

A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.

CVE-2022-4123 (

A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.

CVE-2022-4123 is ostensibly in Buildah, but there's a referenced
merged fix in podman:

CVE-2022-4122's reference helpfully has no information except a link
to what appears to be a RedHat-internal resource:
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 18:00:58 UTC
Mailed the RedHat CNA email to ask for more information.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-10 18:53:42 UTC
"Ana McTaggart updated your request with the following comments:

In regards to these. These bugs come about when "podman --remote build ..." is run, thus affecting buildah, but the bug itself needs to be fixed in podman and the fix can be found [], which was an external reference on the CVE. I think they're still working out a few details on how to implement it.
 I'm not 100% sure how/when it will be fixed in Buildah, that seems to be a point of discussion on the podman side. We're still waiting for a fixed in version there as well. Hope this helps, let me know if you have any more questions."

So, the bugs are in Buildah, but can also be fixed in Podman. But no references to any upstream report in Buildah.
Comment 3 Rahil Bhimjiani 2023-09-21 07:14:05 UTC
Buildah & Podman have been fairly updated. I'm not sure about CVE-2022-4123 but CVE-2022-4122 is surely fixed.
Comment 4 Hans de Graaff gentoo-dev Security 2023-09-23 09:44:15 UTC
CVE-2022-4123 is fixed in podman-4.5.0: "Remote builds using the podman build command no longer allows .containerignore or .dockerignore files to be symlinks outside the build context."
Comment 5 Hans de Graaff gentoo-dev Security 2023-09-23 09:54:37 UTC
Looking at the buildah release notes:

CVE-2022-4122 looks to be fixed in 1.29.0: "parse: default ignorefile must not point to symlink outside context"

Can't find a definitive reference to CVE-2022-4123, although there is a commit referencing an internal redhat system in relation to absolute paths in 1.32.0: "Make sure that pathnames picked up from the environment are absolute".
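
The release notes quoted in this bug say the default ignore file must not be a symlink pointing outside the build context. The Go program below is an added illustration of that check, not Buildah's or Podman's code; `resolveIgnoreFile` and `ErrOutsideContext` are hypothetical names, and trying `.containerignore` before `.dockerignore` is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideContext (hypothetical name) marks an ignore file that escapes the context.
var ErrOutsideContext = errors.New("ignore file resolves outside build context")

// resolveIgnoreFile (hypothetical helper) returns the fully resolved path of the
// first ignore file present in contextDir, or "" if there is none. A symlink
// whose target lies outside contextDir is rejected instead of being read.
func resolveIgnoreFile(contextDir string) (string, error) {
	root, err := filepath.EvalSymlinks(contextDir) // canonical context root
	if err != nil {
		return "", err
	}
	for _, name := range []string{".containerignore", ".dockerignore"} {
		candidate := filepath.Join(root, name)
		if _, err := os.Lstat(candidate); err != nil {
			if os.IsNotExist(err) {
				continue // not present, try the next name
			}
			return "", err
		}
		resolved, err := filepath.EvalSymlinks(candidate) // follows every link in the chain
		if err != nil {
			return "", err // dangling or looping link: fail closed
		}
		rel, err := filepath.Rel(root, resolved)
		if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return "", fmt.Errorf("%s -> %s: %w", name, resolved, ErrOutsideContext)
		}
		return resolved, nil
	}
	return "", nil
}

func main() {
	path, err := resolveIgnoreFile(".") // assumes the current directory is the build context
	fmt.Printf("ignore file: %q, error: %v\n", path, err)
}
```

A caller should open the returned resolved path rather than the original name, so that the file read is the one that was checked.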