A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.
A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.
CVE-2022-4123 is ostensibly in Buildah, but there's a referenced
merged fix in podman: https://github.com/containers/podman/pull/13531
CVE-2022-4122's reference helpfully has no information except a link
to what appears to be a RedHat-internal resource:
Mailed the RedHat CNA email to ask for more information.
"Ana McTaggart updated your request with the following comments:
In regards to these. These bugs come about when "podman --remote build ..." is run, thus affecting buildah, but the bug itself needs to be fixed in podman and the fix can be found https://github.com/containers/podman/pull/16315 [https://github.com/containers/podman/pull/16315], which was an external reference on the CVE. I think they're still working out a few details on how to implement it.
I'm not 100% sure how/when it will be fixed in Buildah, that seems to be a point of discussion on the podman side. We're still waiting for a fixed in version there as well. Hope this helps, let me know if you have any more questions."
So, the bugs are in Buildah, but can also be fixed in Podman. But no references to any upstream report in Buildah.