Bug 1969264 (CVE-2021-3602) - CVE-2021-3602 buildah: Host environment variables leaked in build container when using chroot isolation
Summary: CVE-2021-3602 buildah: Host environment variables leaked in build container w...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-3602
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1972049 1977937 1977938 1977939 1977940 1977941 1977942 1977943 1977944 1982880 1982881
Blocks: 1968682
Reported: 2021-06-08 05:43 UTC by Sam Fowler
Modified: 2023-10-09 11:33 UTC (History)
CC List: 32 users

Fixed In Version: buildah 1.21.3, buildah 1.19.9, buildah 1.17.2, buildah 1.16.8
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in Buildah, when building containers using chroot isolation. Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from parent and grandparent processes. When run in a container in a CI/CD environment, environment variables may include sensitive information that was shared with the container in order to be used only by Buildah itself (e.g. container registry credentials).
Clone Of:
Environment:
Last Closed: 2021-10-28 02:59:42 UTC
Embargoed:




Links
System                  ID              Last Updated
Red Hat Product Errata  RHSA-2021:4154  2021-11-09 17:25:29 UTC
Red Hat Product Errata  RHSA-2021:4221  2021-11-09 17:47:19 UTC
Red Hat Product Errata  RHSA-2021:4222  2021-11-09 17:47:54 UTC

Description Sam Fowler 2021-06-08 05:43:41 UTC
An information disclosure vulnerability was found in buildah, when using `buildah bud` with chroot isolation. Dockerfile RUN commands executed during rootless `buildah bud` execution can read environment variables from the host, which may include sensitive information, such as container registry credentials.

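Added example (Go, written for this page and not buildah's own code) of the mitigation pattern for the flaw described above: a RUN step's environment is assembled from an allowlist plus the Dockerfile's own ENV/ARG values instead of being inherited from the parent process, and `leakedKeys` reports which host variables a child would otherwise be able to read. The allowlist, the function names and the sample values are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// Host variables a RUN step may inherit (an assumption for this example);
// everything else, such as registry credentials or CI tokens, stays on the host.
var allowedHostKeys = map[string]bool{"PATH": true, "HOME": true, "TERM": true}
// buildStepEnv builds a RUN step's environment from allowlisted host entries plus
// the Dockerfile's own ENV/ARG values, never from the whole host environment.
func buildStepEnv(hostEnv []string, dockerfileEnv map[string]string) []string {
	merged := map[string]string{}
	for _, e := range hostEnv {
		if kv := strings.SplitN(e, "=", 2); len(kv) == 2 && allowedHostKeys[kv[0]] {
			merged[kv[0]] = kv[1]
		}
	}
	for k, v := range dockerfileEnv {
		merged[k] = v // Dockerfile values take precedence over host values
	}
	var out []string
	for k, v := range merged {
		out = append(out, k+"="+v)
	}
	sort.Strings(out) // deterministic order for logging and comparison
	return out
}

// leakedKeys names the non-allowlisted host variables whose exact NAME=VALUE entry
// a child started with childEnv could read: the condition reported in this bug.
func leakedKeys(hostEnv, childEnv []string) []string {
	inChild := map[string]bool{}
	for _, e := range childEnv {
		inChild[e] = true
	}
	var leaked []string
	for _, e := range hostEnv {
		if k := strings.SplitN(e, "=", 2)[0]; inChild[e] && !allowedHostKeys[k] {
			leaked = append(leaked, k)
		}
	}
	sort.Strings(leaked)
	return leaked
}

func main() { // this process's own environment: inherited as-is, then filtered
	fmt.Println(leakedKeys(os.Environ(), os.Environ()), leakedKeys(os.Environ(), buildStepEnv(os.Environ(), nil)))
}
```

Run from a shell whose environment holds credentials, the first slice lists their names and the second is empty.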
Comment 15 Sam Fowler 2021-07-15 21:44:40 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 1982880]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1982881]

Comment 17 Fedora Update System 2021-07-23 01:03:41 UTC
FEDORA-2021-723a480816 has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 19 errata-xmlrpc 2021-11-09 17:25:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4154 https://access.redhat.com/errata/RHSA-2021:4154

Comment 20 errata-xmlrpc 2021-11-09 17:47:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4221 https://access.redhat.com/errata/RHSA-2021:4221

Comment 21 errata-xmlrpc 2021-11-09 17:47:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4222 https://access.redhat.com/errata/RHSA-2021:4222

