Bug 1969264 (CVE-2021-3602)

Summary: CVE-2021-3602 buildah: Host environment variables leaked in build container when using chroot isolation
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acui, adam.kaplan, amurdaca, aos-bugs, bbaude, bburky, bdettelb, bmontgom, container-sig, debarshir, dwalsh, eparis, jburrell, jligon, jnovy, jokerman, lsm5, mheon, nalin, nstielau, patrick, pehunt, pthomas, rh.container.bot, rphillips, santiago, security-response-team, sfowler, sponnaga, tomckay, tsweeney, umohnani
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: buildah 1.21.3, buildah 1.19.9, buildah 1.17.2, buildah 1.16.8
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-28 02:59:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1972049, 1977937, 1977938, 1977939, 1977940, 1977941, 1977942, 1977943, 1977944, 1982880, 1982881
Bug Blocks: 1968682

Description Sam Fowler 2021-06-08 05:43:41 UTC
An information disclosure vulnerability was found in buildah, when using `buildah bud` with chroot isolation. Dockerfile RUN commands executed during rootless `buildah bud` execution can read environment variables from the host, which may include sensitive information, such as container registry credentials.
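The leak described above can be checked for with a canary variable: export a value that only the host shell knows, run a chroot-isolated build whose RUN step prints its environment, and look for the canary in the build log. The script below is an added regression check, not code from the bug report or from the buildah project; it assumes buildah is on PATH, that the assumed base image docker.io/library/busybox can be pulled, and uses a constructed variable name and value.

```shell
#!/bin/sh
# Added canary check for CVE-2021-3602 behaviour (not from the bug report or buildah).
# Assumes: buildah on PATH, pullable docker.io/library/busybox (assumed base image),
# constructed canary name/value below.
CANARY_NAME="BUILDAH_LEAK_CANARY"
CANARY_VALUE="canary-$(date +%s)-$$"

# Pure helper, also used by the tests: succeeds (0) when the build log contains
# the canary as NAME=VALUE, i.e. the RUN step could see the host variable.
leak_detected() {
    printf '%s\n' "$1" | grep -qF "${CANARY_NAME}=${CANARY_VALUE}"
}

# Builds a one-step Containerfile with chroot isolation (the affected mode).
# The canary is exported only in this shell, the way a CI job hands registry
# credentials to buildah. Exit status: 0 no leak, 1 leaked, 2 build error.
canary_build() {
    dir=$(mktemp -d) || return 2
    # RUN env writes the step's environment into the build log.
    printf 'FROM docker.io/library/busybox\nRUN env\n' > "$dir/Containerfile"
    export "${CANARY_NAME}=${CANARY_VALUE}"
    log=$(buildah bud --isolation chroot --no-cache "$dir" 2>&1)
    status=$?
    rm -rf "$dir"
    if [ "$status" -ne 0 ]; then
        printf 'build failed:\n%s\n' "$log" >&2
        return 2
    fi
    if leak_detected "$log"; then
        echo "LEAK: host variable $CANARY_NAME is visible to RUN steps (affected build)"
        return 1
    fi
    echo "OK: host variable $CANARY_NAME is not visible to RUN steps"
    return 0
}

# Opt-in entry point so the functions can also be sourced without running a build.
if [ "${RUN_CANARY:-0}" = "1" ]; then
    canary_build
fi
```

Run it as `RUN_CANARY=1 sh canary_check.sh` (file name assumed); a clean log from a fixed buildah (1.21.3, 1.19.9, 1.17.2 or 1.16.8 per this bug) gives exit status 0.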

Comment 15 Sam Fowler 2021-07-15 21:44:40 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 1982880]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1982881]

Comment 17 Fedora Update System 2021-07-23 01:03:41 UTC
FEDORA-2021-723a480816 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 19 errata-xmlrpc 2021-11-09 17:25:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4154 https://access.redhat.com/errata/RHSA-2021:4154

Comment 20 errata-xmlrpc 2021-11-09 17:47:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4221 https://access.redhat.com/errata/RHSA-2021:4221

Comment 21 errata-xmlrpc 2021-11-09 17:47:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4222 https://access.redhat.com/errata/RHSA-2021:4222