2144983 – (CVE-2022-4122) CVE-2022-4122 podman: Symlink error leads to information disclosure

Bug 2144983 (CVE-2022-4122) - CVE-2022-4122 podman: Symlink error leads to information disclosure

Summary: CVE-2022-4122 podman: Symlink error leads to information disclosure

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2022-4122
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2145047 2145048 2145049 2145050 2145051 2145052 2145053 2148225 2148226 2148227 2148229 2148230 2148232 2148233
Blocks:	2138202
TreeView+	depends on / blocked

Reported:	2022-11-22 20:16 UTC by Sage McTaggart
Modified:	2024-02-18 04:25 UTC (History)
CC List:	20 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in buildah and podman. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.
Clone Of:
Environment:
Last Closed:	2023-04-24 14:39:40 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sage McTaggart 2022-11-22 20:16:31 UTC

#1podman build ..." follows symlinks when reading .containerignore and .dockerignore
We've received this potential security issue with Podman, and 
although not said, it's really in Buildah.  I've asked one of our 
engineers (Aditya) to fix it upstream, but I think it might be wise to 
backport to Podman 4.1.1 as noted in the issue.

Please adivise next steps and setup any CVE's or BZ's as appropriate.
more information in SNow -> https://redhat.service-now.com/surl.do?n=INC2395282

Comment 3 Sandipan Roy 2022-11-23 03:40:06 UTC

Created buildah tracking bugs for this issue:

Affects: fedora-35 [bug 2145047]
Affects: fedora-36 [bug 2145048]
Affects: fedora-37 [bug 2145049]

Comment 7 Sandipan Roy 2022-11-24 16:53:09 UTC

Created podman tracking bugs for this issue:

Affects: fedora-35 [bug 2148225]
Affects: fedora-36 [bug 2148226]
Affects: fedora-37 [bug 2148227]

Comment 11 Lokesh Mandvekar 2023-04-24 14:39:40 UTC

fixed in recent upstream releases of podman which are already shipped in fedora.

Comment 12 Red Hat Bugzilla 2024-02-18 04:25:09 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

Note You need to log in before you can comment on or make changes to this bug.

amurdaca
arajan
bbaude
debarshir
dwalsh
go-sig
jburrell
jligon
jnovy
lsm5
mboddu
mheon
nalin
pehunt
pthomas
rh.container.bot
santiago
tsweeney
umohnani
vkumar