CVE-2021-3602

描述

### Impact When running processes using "chroot" isolation, the process being run can examine the environment variables of its immediate parent and grandparent processes (CVE-2021-3602). This isolation type is often used when running `buildah` in unprivileged containers, and it is often used to do so in CI/CD environments. If sensitive information is exposed to the original `buildah` process through its environment, that information will unintentionally be shared with child processes which it starts as part of handling RUN instructions or during `buildah run`. The commands that `buildah` is instructed to run can read that information if they choose to. ### Patches Users should upgrade packages, or images which contain packages, to include version 1.21.3 or later. ### Workarounds As a workaround, invoking `buildah` in a container under `env -i` to have it started with a reinitialized environment should prevent the leakage. ### For more information If you have any questions or comments about this advisory: * Open an issue in [buildah](https://github.com/containers/buildah/issues) * Email us at [the buildah general mailing list](mailto:[email protected]), or [the podman security mailing list](mailto:[email protected]) if it's sensitive.

受影響套件(3)

• Debian/golang-github-containers-buildahfrom 0
• Go/github.com/containers/buildahfrom 0, < 1.16.8
• Go/github.com/containers/buildahfrom 0, < 1.22.0

CVSS 分數

參考連結(8)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-3602
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-3602
• PATCHhttps://github.com/containers/buildah
• WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1969264
• WEBhttps://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0
• WEBhttps://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
• WEBhttps://pkg.go.dev/vuln/GO-2022-0345
• WEBhttps://ubuntu.com/security/CVE-2021-3602