Bug 2144983 (CVE-2022-4122) - CVE-2022-4122 podman: Symlink error leads to information disclosure
Summary: CVE-2022-4122 podman: Symlink error leads to information disclosure
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2022-4122
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2145047 2145048 2145049 2145050 2145051 2145052 2145053 2148225 2148226 2148227 2148229 2148230 2148232 2148233
Blocks: 2138202
TreeView+ depends on / blocked
 
Reported: 2022-11-22 20:16 UTC by Sage McTaggart
Modified: 2024-11-12 08:46 UTC (History)
20 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-04-24 14:39:40 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:2077 0 None None None 2024-04-29 00:26:23 UTC
Red Hat Product Errata RHSA-2024:9102 0 None None None 2024-11-12 08:46:16 UTC

Description Sage McTaggart 2022-11-22 20:16:31 UTC 
#1podman build ..." follows symlinks when reading .containerignore and .dockerignore
We've received this potential security issue with Podman, and 
although not said, it's really in Buildah.  I've asked one of our 
engineers (Aditya) to fix it upstream, but I think it might be wise to 
backport to Podman 4.1.1 as noted in the issue.

Please adivise next steps and setup any CVE's or BZ's as appropriate.
more information in SNow -> https://redhat.service-now.com/surl.do?n=INC2395282
Comment 3 Sandipan Roy 2022-11-23 03:40:06 UTC 
Created buildah tracking bugs for this issue:

Affects: fedora-35 [bug 2145047]
Affects: fedora-36 [bug 2145048]
Affects: fedora-37 [bug 2145049]
Comment 7 Sandipan Roy 2022-11-24 16:53:09 UTC 
Created podman tracking bugs for this issue:

Affects: fedora-35 [bug 2148225]
Affects: fedora-36 [bug 2148226]
Affects: fedora-37 [bug 2148227]
Comment 11 Lokesh Mandvekar 2023-04-24 14:39:40 UTC 
fixed in recent upstream releases of podman which are already shipped in fedora.
Comment 12 Red Hat Bugzilla 2024-02-18 04:25:09 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
Comment 13 errata-xmlrpc 2024-04-29 00:26:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2077 https://access.redhat.com/errata/RHSA-2024:2077
Comment 14 errata-xmlrpc 2024-11-12 08:46:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:9102 https://access.redhat.com/errata/RHSA-2024:9102
Note You need to log in before you can comment on or make changes to this bug.