A vulnerability was found in buildah. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.
A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.
CVE-2022-4123 is ostensibly in Buildah, but there's a referenced
merged fix in podman: https://github.com/containers/podman/pull/13531
CVE-2022-4122's reference helpfully has no information except a link
to what appears to be a RedHat-internal resource:
Mailed the RedHat CNA email to ask for more information.
"Ana McTaggart updated your request with the following comments:
In regards to these. These bugs come about when "podman --remote build ..." is run, thus affecting buildah, but the bug itself needs to be fixed in podman and the fix can be found https://github.com/containers/podman/pull/16315 [https://github.com/containers/podman/pull/16315], which was an external reference on the CVE. I think they're still working out a few details on how to implement it.
I'm not 100% sure how/when it will be fixed in Buildah, that seems to be a point of discussion on the podman side. We're still waiting for a fixed in version there as well. Hope this helps, let me know if you have any more questions."
So, the bugs are in Buildah, but can also be fixed in Podman. But no references to any upstream report in Buildah.
Buildah & Podman have been fairly updated. I'm not sure about CVE-2022-4123 but CVE-2022-4122 is surely fixed.
CVE-2022-4123 is fixed in podman-4.5.0: "Remote builds using the podman build command no longer allows .containerignore or .dockerignore files to be symlinks outside the build context."
Looking at the buildah release notes:
CVE-2022-4122 looks to be fixed in 1.29.0: "parse: default ignorefile must not point to symlink outside context"
Can't find a definitive reference to CVS-2022-4123, although there is a commit referencing an internal redhat system in relation to absolute paths in 1.32.0: "Make sure that pathnames picked up from the environment are absolute".