Bug 2144983 (CVE-2022-4122)

Summary: CVE-2022-4122 podman: Symlink error leads to information disclosure
Product: [Other] Security Response Reporter: Sage McTaggart <amctagga>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amurdaca, arajan, bbaude, debarshir, dwalsh, go-sig, jburrell, jligon, jnovy, lsm5, mboddu, mheon, nalin, pehunt, pthomas, rh.container.bot, santiago, tsweeney, umohnani, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---Flags: tsweeney: needinfo? (arajan)
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in buildah and podman. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-04-24 14:39:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2145047, 2145048, 2145049, 2145050, 2145051, 2145052, 2145053, 2148225, 2148226, 2148227, 2148229, 2148230, 2148232, 2148233    
Bug Blocks: 2138202    

Description Sage McTaggart 2022-11-22 20:16:31 UTC
#1podman build ..." follows symlinks when reading .containerignore and .dockerignore
We've received this potential security issue with Podman, and 
although not said, it's really in Buildah.  I've asked one of our 
engineers (Aditya) to fix it upstream, but I think it might be wise to 
backport to Podman 4.1.1 as noted in the issue.

Please adivise next steps and setup any CVE's or BZ's as appropriate.
more information in SNow -> https://redhat.service-now.com/surl.do?n=INC2395282

Comment 3 Sandipan Roy 2022-11-23 03:40:06 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-35 [bug 2145047]
Affects: fedora-36 [bug 2145048]
Affects: fedora-37 [bug 2145049]

Comment 7 Sandipan Roy 2022-11-24 16:53:09 UTC
Created podman tracking bugs for this issue:

Affects: fedora-35 [bug 2148225]
Affects: fedora-36 [bug 2148226]
Affects: fedora-37 [bug 2148227]

Comment 11 Lokesh Mandvekar 2023-04-24 14:39:40 UTC
fixed in recent upstream releases of podman which are already shipped in fedora.