Bug 2144989 (CVE-2022-4123)

Summary: CVE-2022-4123 podman: Path disclosure
Product: [Other] Security Response
Reporter: Sage McTaggart <amctagga>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: amurdaca, bbaude, debarshir, dwalsh, go-sig, jburrell, jligon, jnovy, lsm5, mboddu, mheon, nalin, pehunt, pthomas, rh.container.bot, santiago, tsweeney, umohnani, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Buildah. The local path and the lowest subdirectory may be disclosed due to incorrect absolute path traversal, resulting in an impact to confidentiality.
Bug Depends On: 2145054, 2145055, 2145056, 2145057, 2145058, 2145059, 2145060, 2148228, 2148231, 2148234, 2148235, 2148236, 2148237, 2148238    
Bug Blocks: 2138202    

Description Sage McTaggart 2022-11-22 20:22:38 UTC
This flaw was found in Buildah via podman.
> Type: information disclosure of a local absolute path
>
> Severity: very low. (A local path is not that sensitive information).
> Feel free to just disregard this report if you think this issue has
> too low importance.
>
> Summary: Podman may disclose the absolute path of an empty context dir
> when running "podman --remote build -t test1 -f /tmp/Dockerfile
> emptydir". The path could be logged in the container image. (The
> lowest subdirectory of the absolute path might not be disclosed, see
> discussion below)
>
> The issue was introduced in
> https://github.com/containers/podman/pull/13531
> that went into the Podman release v4.1.0-rc1
>

Comment 2 Sandipan Roy 2022-11-23 03:41:45 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-35 [bug 2145054]
Affects: fedora-36 [bug 2145055]
Affects: fedora-37 [bug 2145056]

Comment 5 Sandipan Roy 2022-11-24 16:53:25 UTC
Created podman tracking bugs for this issue:

Affects: fedora-35 [bug 2148228]
Affects: fedora-36 [bug 2148231]
Affects: fedora-37 [bug 2148234]