Fedora Account System
Red Hat Associate
Red Hat Customer
The fix for CVE-2022-4318 in CRI-O is incorrect and has been bypassable since it was introduced on December 14, 2022. The check in server/container_create.go uses a Go raw string literal (`\n`) instead of an interpreted string literal ("\n"), causing it to search for the literal two-character sequence backslash-n (0x5c 0x6e) rather than an actual newline character (0x0a). An attacker who can set environment variables on a container (via the CRI CreateContainer request) can supply a real newline character in the HOME environment variable, bypassing the check entirely. The unsanitized value is then passed to utils.GeneratePasswd, which uses fmt.Sprintf to construct the container's /etc/passwd content, allowing arbitrary line injection.