An information disclosure vulnerability was found in buildah, when using `buildah bud` with chroot isolation. Dockerfile RUN commands executed during rootless `buildah bud` execution can read environment variables from the host, which may include sensitive information, such as container registry credentials.
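The class of bug described above, as an added Go example (not buildah's code and not taken from the upstream patches): a child process started with the host environment sees a host-only variable, while one started with an explicit environment does not. The names `imageEnv`, `inheritedEnv`, `explicitEnv`, `runStep` and `REGISTRY_AUTH_CANARY` are hypothetical, and `env` stands in for a Dockerfile RUN command.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// imageEnv: variables the image/Dockerfile declares (constructed sample values).
var imageEnv = []string{"PATH=/usr/local/bin:/usr/bin:/bin", "APP_MODE=build"}

// inheritedEnv is the leaky pattern: the host environment plus the image's.
func inheritedEnv() []string { return append(os.Environ(), imageEnv...) }

// explicitEnv is the hardened pattern: only what the image declares.
func explicitEnv() []string { return append([]string{}, imageEnv...) }

// runStep runs `env` as a stand-in for a RUN command and returns the
// variables the child process actually received.
func runStep(env []string) (map[string]string, error) {
	cmd := exec.Command("env")
	cmd.Env = env // a nil Env would make os/exec inherit the parent's environment
	out, err := cmd.Output()
	if err != nil {
		return nil, err
	}
	seen := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(out)), "\n") {
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
			seen[kv[0]] = kv[1]
		}
	}
	return seen, nil
}

func main() {
	// Canary planted in the "host" environment (constructed, not a real secret).
	os.Setenv("REGISTRY_AUTH_CANARY", "constructed-not-a-real-secret")
	for _, env := range [][]string{inheritedEnv(), explicitEnv()} {
		seen, err := runStep(env)
		_, leaked := seen["REGISTRY_AUTH_CANARY"]
		fmt.Println("canary visible to step:", leaked, err)
	}
}
```

The same canary approach works as a regression check on a patched host: plant a throwaway variable before a rootless build and confirm it does not appear in the output of a RUN step.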
Created buildah tracking bugs for this issue:
Affects: fedora-all [bug 1982880]
Created podman tracking bugs for this issue:
Affects: fedora-all [bug 1982881]
Upstream advisory:
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
Upstream patches:
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0 (main)
https://github.com/containers/buildah/commit/23c478b815fb93c094070baa336bcb6a27c01683 (release-1.21)
https://github.com/containers/buildah/commit/6e88db198c43bd5c44c2589aa381f57534cef3d7 (release-1.18)
https://github.com/containers/buildah/commit/f4f2a7fc78fa4f12e2f6e6c4ab450aae0d182f3e (release-1.19)
https://github.com/containers/buildah/commit/b8a1bcb8b648220b49daa45c9410dec58dc6ed7a (release-1.17)
https://github.com/containers/buildah/commit/41d24dedddec67090bb5069f7d8b4c311b91f3d4 (release-1.16)
https://github.com/containers/buildah/commit/8271e54634a48ccee06768f37702fd4a3daacb3d (release-1.11-rhel)
FEDORA-2021-723a480816 has been pushed to the Fedora 34 stable repository. If the problem still persists, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4154 https://access.redhat.com/errata/RHSA-2021:4154
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4221 https://access.redhat.com/errata/RHSA-2021:4221
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:4222 https://access.redhat.com/errata/RHSA-2021:4222