Bug 768597 (CVE-2021-20199) - <app-emulation/podman-3.0.1: insufficient network isolation between pods (CVE-2021-20199)
Status: RESOLVED FIXED
Alias: CVE-2021-20199
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://github.com/containers/podman/...
Whiteboard: ~4 [noglsa]
 
Reported: 2021-02-03 22:36 UTC by John Helmert III
Modified: 2021-02-26 00:40 UTC


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-03 22:36:55 UTC
CVE-2021-20199 (https://bugzilla.redhat.com/show_bug.cgi?id=1919050):

Rootless containers run with Podman receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts). This impacts containerized applications that trust localhost (127.0.0.1) connections by default and do not require authentication. This issue affects Podman 1.8.0 onwards.


Merged PR: https://github.com/containers/podman/commit/f02aba659447ea9198851231d7f11a8bfdfe69ba
Maintainer, is it possible to backport the patch? If not we'll have to wait
for a release.
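
The impact described in the report above, as an added example (not code from Podman, the CVE report, or this bug): a service that trusts loopback peers admits remote callers when every connection arrives as 127.0.0.1, while a policy that authenticates every caller does not. The addresses, token, and function names are constructed for illustration.

```python
import hmac
import ipaddress

# Constructed sample: (true origin, peer address the app sees, presented token).
# On an affected rootless setup the app sees 127.0.0.1 for every connection.
EXPECTED_TOKEN = "constructed-example-token"
CONNECTIONS = [
    ("127.0.0.1",    "127.0.0.1", None),            # local admin, no token
    ("203.0.113.7",  "127.0.0.1", None),            # remote host, no token
    ("203.0.113.7",  "127.0.0.1", EXPECTED_TOKEN),  # remote host, valid token
    ("198.51.100.9", "127.0.0.1", "wrong"),         # remote host, bad token
]

def token_ok(token, expected=EXPECTED_TOKEN):
    """Constant-time comparison; a missing token never matches."""
    return token is not None and hmac.compare_digest(
        token.encode(), expected.encode())

def weak_policy(peer_ip, token):
    """Trusts loopback peers without credentials (the pattern the report
    says is impacted)."""
    return ipaddress.ip_address(peer_ip).is_loopback or token_ok(token)

def hardened_policy(peer_ip, token):
    """Ignores the peer address: every caller must authenticate."""
    return token_ok(token)

def unauthenticated_remote_admits(policy, connections=CONNECTIONS):
    """True origins the policy admitted although they were remote and
    presented no valid token."""
    return [origin for origin, peer, token in connections
            if not ipaddress.ip_address(origin).is_loopback
            and not token_ok(token)
            and policy(peer, token)]

if __name__ == "__main__":
    print("weak policy admits:", unauthenticated_remote_admits(weak_policy))
    print("hardened policy admits:",
          unauthenticated_remote_admits(hardened_policy))
```
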
Comment 1 Severin Strobl 2021-02-11 22:52:26 UTC
There is https://github.com/containers/podman/pull/9221 which seems to be the backport to 2.2.1, but then again 3.0.0 was just released.
Comment 2 Larry the Git Cow gentoo-dev 2021-02-25 22:09:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a18840200a21a31f189ca330a3061791c0ed53c2

commit a18840200a21a31f189ca330a3061791c0ed53c2
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-02-25 21:45:15 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-02-25 22:09:29 +0000

    app-emulation/podman: Bump to version 3.0.1
    
    Bug: https://bugs.gentoo.org/768597
    Closes: https://bugs.gentoo.org/770505
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/podman/Manifest            |   1 +
 app-emulation/podman/podman-3.0.1.ebuild | 165 +++++++++++++++++++++++++++++++
 2 files changed, 166 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-26 00:08:40 UTC
Please clean up.
Comment 4 Larry the Git Cow gentoo-dev 2021-02-26 00:27:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9f0cfadb9f345905a350a9389c1f0034ff22754

commit d9f0cfadb9f345905a350a9389c1f0034ff22754
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2021-02-26 00:26:27 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2021-02-26 00:26:51 +0000

    app-emulation/podman: Remove vulnerable version 2.2.1
    
    Bug: https://bugs.gentoo.org/768597
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Zac Medico <zmedico@gentoo.org>

 app-emulation/podman/Manifest            |   1 -
 app-emulation/podman/podman-2.2.1.ebuild | 161 -------------------------------
 2 files changed, 162 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-26 00:40:52 UTC
Thank you! No GLSA, closing.