During the buildah image build process, a crafted tar file containing symlinks may lead buildah to overwrite any file to which the running uid has write permissions, compromising confidentiality and integrity and possibly allowing code execution.
Acknowledgments: Name: Erik Sjölund
Upstream commit for this issue: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed
Created buildah tracking bugs for this issue:
Affects: fedora-30 [bug 1817687]
Affects: fedora-31 [bug 1817688]
Affects: openstack-rdo [bug 1817693]
Created podman tracking bugs for this issue:
Affects: fedora-30 [bug 1817691]
Affects: fedora-31 [bug 1817692]
Affects: openstack-rdo [bug 1817694]
For openshift-3.11, openshift/imagebuilder does not depend on buildah or podman. Also, it doesn't allow a user to host a Dockerfile over HTTP.
Note, while there is a fix for buildah, it has not been vendored into Podman yet. We have a lot of other distributions using podman, we have to make sure they are in on this.
There's an issue in buildah during the container image build process. Currently, if buildah fails to fetch the content used as a parameter for building, it tries to refetch it without properly cleaning up the build directory. An attacker may leverage this by crafting a malicious input which forces buildah to overwrite any existing file to which the task's owner has write access.
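As an added illustration of the check an extractor needs here (example code, not buildah's own code and not the upstream fix linked above): the function below validates each tar entry against the build directory and resolves the entry's real parent directory before anything is written, so a symlink that arrived in a crafted archive, or was left in an uncleaned build directory by a failed fetch, cannot redirect the write onto a host file. The function name, the temporary directories and the entry names in main are constructed for this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// inside reports whether the cleaned absolute path p is root itself or lies beneath it.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// ResolveEntry takes a tar entry's Name and Linkname (empty unless it is a symlink) and returns the path
// under root where it may be written, or an error when the name, the link target, or the parent directory
// would leave root. The parent is resolved with EvalSymlinks after MkdirAll, so a symlink planted earlier
// (by this archive or by an uncleaned previous attempt) cannot steer the write onto a host file.
func ResolveEntry(root, name, linkname string) (string, error) {
	root, err := filepath.EvalSymlinks(root) // canonical root, so every comparison below is like for like
	target := filepath.Join(root, name)      // Join also strips "../" components
	if err != nil || !inside(root, target) {
		return "", fmt.Errorf("%q: cannot be placed under %q", name, root)
	}
	os.MkdirAll(filepath.Dir(target), 0o755) // a failure here surfaces as an EvalSymlinks error below
	dir, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil || !inside(root, dir) {
		return "", fmt.Errorf("%q: parent directory cannot be resolved inside %q", name, root)
	}
	if linkname != "" {
		link := linkname
		if !filepath.IsAbs(link) {
			link = filepath.Join(dir, link) // relative targets resolve against the real parent
		}
		if !inside(root, link) {
			return "", fmt.Errorf("%q -> %q: symlink target escapes %q", name, linkname, root)
		}
	}
	return target, nil
}

func main() {
	root, _ := os.MkdirTemp("", "build-")
	os.Symlink(os.TempDir(), filepath.Join(root, "out")) // constructed: a link left behind by an aborted attempt
	for _, name := range []string{"app/ok.txt", "out/owned"} { // constructed entries; the second writes through the link
		fmt.Println(ResolveEntry(root, name, ""))
	}
}
```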
I agree this is low; no one is using podman on OpenShift nodes directly, it is only being used for the install and maintenance of images. Therefore no one is going to execute podman build.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:1401 https://access.redhat.com/errata/RHSA-2020:1401
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:1396 https://access.redhat.com/errata/RHSA-2020:1396
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10696
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2020:1449 https://access.redhat.com/errata/RHSA-2020:1449
Statement: While OpenShift Container Platform does include the vulnerable buildah code, it doesn't make use of the vulnerable function. Podman is also included in OpenShift Container Platform, but it isn't used to perform a build, so it has been given a low impact rating. OpenShift Container Platform 3.11 now uses podman from the RHEL Extras repository, and not the podman package shipped in the OpenShift 3.11 RPM repository. This issue is fixed in podman in RHEL Extras, so we won't fix the podman package shipped in the OpenShift 3.11 RPM repository.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1926 https://access.redhat.com/errata/RHSA-2020:1926
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1931 https://access.redhat.com/errata/RHSA-2020:1931
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1932 https://access.redhat.com/errata/RHSA-2020:1932
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:2116 https://access.redhat.com/errata/RHSA-2020:2116
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:2117 https://access.redhat.com/errata/RHSA-2020:2117