Bug 2144983 (CVE-2022-4122) - CVE-2022-4122 podman: Symlink error leads to information disclosure [NEEDINFO]
Summary: CVE-2022-4122 podman: Symlink error leads to information disclosure
Alias: CVE-2022-4122
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2145047 2145048 2145049 2145050 2145051 2145052 2145053 2148225 2148226 2148227 2148229 2148230 2148232 2148233
Blocks: 2138202
Reported: 2022-11-22 20:16 UTC by Sage McTaggart
Modified: 2023-04-24 14:39 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in buildah and podman. Incorrect following of symlinks while reading .containerignore and .dockerignore results in information disclosure.
Clone Of:
Last Closed: 2023-04-24 14:39:40 UTC
tsweeney: needinfo? (arajan)


Description Sage McTaggart 2022-11-22 20:16:31 UTC
"podman build ..." follows symlinks when reading .containerignore and .dockerignore
We've received this potential security issue with Podman, and 
although not said, it's really in Buildah.  I've asked one of our 
engineers (Aditya) to fix it upstream, but I think it might be wise to 
backport to Podman 4.1.1 as noted in the issue.

Please advise on next steps and set up any CVEs or BZs as appropriate.
More information in SNow -> https://redhat.service-now.com/surl.do?n=INC2395282
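
The symlink-following behaviour reported above, as an added Go example that is not code from buildah or podman: readIgnoreFileUnsafe opens whatever the ignore-file path resolves to, so a .dockerignore that is a symlink to a file elsewhere on the build host is read and parsed as patterns; readIgnoreFile is the hardened form, which lstat()s the path, refuses symlinks and non-regular files, and compares the opened descriptor against the lstat result so a swap between the two calls is detected instead of followed. The file names, the lookup order (.containerignore before .dockerignore), the helper names and the temp-directory demo are assumptions made for this illustration, not details taken from the bug.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrIgnoreFileIsSymlink is returned when the ignore file in the build
// context is a symbolic link rather than a regular file.
var ErrIgnoreFileIsSymlink = errors.New("ignore file is a symlink, refusing to follow it")

// ignoreFileNames is the lookup order assumed for this example
// (.containerignore first, then .dockerignore); the bug does not state it.
var ignoreFileNames = []string{".containerignore", ".dockerignore"}

// parseIgnorePatterns reads one pattern per line, skipping blank lines and
// '#' comments.
func parseIgnorePatterns(f *os.File) ([]string, error) {
	var pats []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		pats = append(pats, line)
	}
	return pats, sc.Err()
}

// readIgnoreFileUnsafe models the vulnerable pattern: os.Open follows
// symlinks, so a .dockerignore symlinked to a file outside the context is
// read as if it were the ignore list.
func readIgnoreFileUnsafe(contextDir string) ([]string, error) {
	for _, name := range ignoreFileNames {
		f, err := os.Open(filepath.Join(contextDir, name))
		if errors.Is(err, os.ErrNotExist) {
			continue
		}
		if err != nil {
			return nil, err
		}
		defer f.Close()
		return parseIgnorePatterns(f)
	}
	return nil, nil
}

// readIgnoreFile is the hardened version: lstat the path, accept only a
// regular file, open it, then fstat the open descriptor and require it to be
// the same inode that lstat saw (closes the lstat/open race).
func readIgnoreFile(contextDir string) ([]string, error) {
	for _, name := range ignoreFileNames {
		p := filepath.Join(contextDir, name)
		fi, err := os.Lstat(p)
		if errors.Is(err, os.ErrNotExist) {
			continue
		}
		if err != nil {
			return nil, err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return nil, fmt.Errorf("%s: %w", p, ErrIgnoreFileIsSymlink)
		}
		if !fi.Mode().IsRegular() {
			return nil, fmt.Errorf("%s: not a regular file", p)
		}
		f, err := os.Open(p)
		if err != nil {
			return nil, err
		}
		defer f.Close()
		opened, err := f.Stat()
		if err != nil {
			return nil, err
		}
		if !os.SameFile(fi, opened) {
			return nil, fmt.Errorf("%s: file changed between lstat and open", p)
		}
		return parseIgnorePatterns(f)
	}
	return nil, nil
}

func main() {
	// Constructed demo: a build context whose .dockerignore is a symlink to a
	// "secret" that lives outside the context.
	base, _ := os.MkdirTemp("", "ignore-demo")
	defer os.RemoveAll(base)
	secret := filepath.Join(base, "secret")
	_ = os.WriteFile(secret, []byte("hunter2\n"), 0o600)
	ctx := filepath.Join(base, "context")
	_ = os.Mkdir(ctx, 0o755)
	_ = os.Symlink(secret, filepath.Join(ctx, ".dockerignore"))

	leaked, _ := readIgnoreFileUnsafe(ctx)
	fmt.Println("unsafe read returned:", leaked) // the secret's contents
	_, err := readIgnoreFile(ctx)
	fmt.Println("hardened read:", err)
}
```

The demo in main prints the symlink target's contents from the unsafe reader and the refusal error from the hardened one. The SameFile re-check after open is what turns the lstat guard into something more than a best-effort check: without it, a symlink dropped in between Lstat and Open would still be followed.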

Comment 3 Sandipan Roy 2022-11-23 03:40:06 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-35 [bug 2145047]
Affects: fedora-36 [bug 2145048]
Affects: fedora-37 [bug 2145049]

Comment 7 Sandipan Roy 2022-11-24 16:53:09 UTC
Created podman tracking bugs for this issue:

Affects: fedora-35 [bug 2148225]
Affects: fedora-36 [bug 2148226]
Affects: fedora-37 [bug 2148227]

Comment 11 Lokesh Mandvekar 2023-04-24 14:39:40 UTC
Fixed in recent upstream releases of podman, which are already shipped in Fedora.
