'podman cp' will resolve a carefully crafted symlink in host-filesystem space, yielding unexpected results when cp'ing from container to host. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.
This is a duplicate of this issue https://bugzilla.redhat.com/show_bug.cgi?id=1741709
This issue did not affect the versions of podman as shipped with Red Hat Enterprise Linux 8 as they did not include support for the copy function.
This issue did not affect the versions of podman as shipped in OpenShift Container Platform as they did not include support for the copy function.
Created podman tracking bugs for this issue:
Affects: fedora-all [bug 1754354]
Matt, Ed, Brent, Jhon do we have a fix for this?
#3829 is closed, and I've added regression tests, so I think this is resolved. I'm reluctant to close because I don't know which exact version and stream the reporter is on.