
Commit 7f9540d

Merge pull request from GHSA-7638-r9r3-rmjj
[release-1.21] chroot: fix environment value leakage to intermediate processes
2 parents af2a1d4 + 099b77b commit 7f9540d


8 files changed

+41
-27
lines changed


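--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 ![buildah logo](https://cdn.rawgit.com/containers/buildah/master/logos/buildah-logo_large.png)
 
 # Changelog
+## v1.21.3 (2021-07-01)
+chroot: fix environment value leakage to intermediate processes
+(CVE-2021-3602).
+
 ## v1.21.2 (2021-06-28)
 * vendor common@v0.38.12 and storage@v1.31.3
 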

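--- a/changelog.txt
+++ b/changelog.txt
@@ -1,3 +1,7 @@
+- Changelog for v1.21.3 (2021-07-01)
+* chroot: fix environment value leakage to intermediate processes
+(CVE-2021-3602).
+
 - Changelog for v1.21.2 (2021-06-28)
 * vendor common@v0.38.12 and storage@v1.31.3
 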

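--- a/chroot/run.go
+++ b/chroot/run.go
@@ -161,7 +161,7 @@ func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reade
 cmd := unshare.Command(runUsingChrootCommand)
 cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
 cmd.Dir = "/"
-cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
+cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
 
 logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
 confwg.Add(1)
@@ -207,7 +207,7 @@ func runUsingChrootMain() {
 os.Exit(1)
 }
 
-if options.Spec == nil {
+if options.Spec == nil || options.Spec.Process == nil {
 fmt.Fprintf(os.Stderr, "invalid options spec in runUsingChrootMain\n")
 os.Exit(1)
 }
@@ -573,7 +573,7 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
 cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...)
 cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
 cmd.Dir = "/"
-cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
+cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
 cmd.UnshareFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS
 requestedUserNS := false
 for _, ns := range spec.Linux.Namespaces {
@@ -663,7 +663,7 @@ func runUsingChrootExecMain() {
 // Set the hostname. We're already in a distinct UTS namespace and are admins in the user
 // namespace which created it, so we shouldn't get a permissions error, but seccomp policy
 // might deny our attempt to call sethostname() anyway, so log a debug message for that.
-if options.Spec == nil {
+if options.Spec == nil || options.Spec.Process == nil {
 fmt.Fprintf(os.Stderr, "invalid options spec passed in\n")
 os.Exit(1)
 }
@@ -819,7 +819,6 @@ func runUsingChrootExecMain() {
 // Output debug messages when that differs from what we're being asked to do.
 func logNamespaceDiagnostics(spec *specs.Spec) {
 sawMountNS := false
-sawUserNS := false
 sawUTSNS := false
 for _, ns := range spec.Linux.Namespaces {
 switch ns.Type {
@@ -854,9 +853,8 @@ func logNamespaceDiagnostics(spec *specs.Spec) {
 }
 case specs.UserNamespace:
 if ns.Path != "" {
-logrus.Debugf("unable to join user namespace %q, creating a new one", ns.Path)
+logrus.Debugf("unable to join user namespace, sorry about that")
 }
-sawUserNS = true
 case specs.UTSNamespace:
 if ns.Path != "" {
 logrus.Debugf("unable to join UTS namespace %q, creating a new one", ns.Path)
@@ -867,9 +865,6 @@ func logNamespaceDiagnostics(spec *specs.Spec) {
 if !sawMountNS {
 logrus.Debugf("mount namespace not requested, but creating a new one anyway")
 }
-if !sawUserNS {
-logrus.Debugf("user namespace not requested, but creating a new one anyway")
-}
 if !sawUTSNS {
 logrus.Debugf("UTS namespace not requested, but creating a new one anyway")
 }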
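Review bot: The two `cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}` assignments (new lines 164 and 576) carry no comment saying that the caller's environment is left out on purpose, so a later cleanup could restore `os.Environ()` and reopen the leak this commit fixes. I would add above each one `// Deliberately omit os.Environ(): intermediate processes must not hold the caller's environment values (CVE-2021-3602).` None of the eight changed files is a test, so a regression test asserting that the intermediate command's environment holds only LOGLEVEL would also be worth adding. Separately, the widened guards check `options.Spec.Process` but `spec.Linux.Namespaces` is still dereferenced at new line 579 and in logNamespaceDiagnostics; whether `spec.Linux` can be nil there is not visible from these hunks and should be confirmed. RunUsingChroot and runUsingChroot both start and end outside the hunks.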

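--- a/contrib/rpm/buildah.spec
+++ b/contrib/rpm/buildah.spec
@@ -26,7 +26,7 @@
 
 Name: buildah
 # Bump version in define/types.go too
-Version: 1.21.2
+Version: 1.21.3
 Release: 1.git%{shortcommit}%{?dist}
 Summary: A command line tool used to creating OCI Images
 License: ASL 2.0
@@ -100,8 +100,12 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %{_datadir}/bash-completion/completions/*
 
 %changelog
+* Thu Jul 1 2021 Nalin Dahyabhai <nalin@redhat.com> 1.21.3-1
+- chroot: fix environment value leakage to intermediate processes
+(CVE-2021-3602)
+
 * Mon Jun 28, 2021 Tom Sweeney <tsweeney@redhat.com> 1.21.2-1
-* vendor common@v0.38.12 and storage@v1.31.3
+- vendor common@v0.38.12 and storage@v1.31.3
 
 * Thu Jun 3, 2021 Daniel J Walsh <dwalsh@redhat.com> 1.21.1-1
 - Fix handling of auth.json file while in a user namespace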

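--- a/define/types.go
+++ b/define/types.go
@@ -28,7 +28,7 @@ const (
 Package = "buildah"
 // Version for the Package. Bump version in contrib/rpm/buildah.spec
 // too.
-Version = "1.21.2"
+Version = "1.21.3"
 
 // DefaultRuntime if containers.conf fails.
 DefaultRuntime = "runc"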

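--- a/docs/buildah-bud.md
+++ b/docs/buildah-bud.md
@@ -307,11 +307,13 @@ another process.
 Controls what type of isolation is used for running processes as part of `RUN`
 instructions. Recognized types include *oci* (OCI-compatible runtime, the
 default), *rootless* (OCI-compatible runtime invoked using a modified
-configuration, with *--no-new-keyring* added to its *create*
-invocation, with network and UTS namespaces disabled, and IPC, PID,
-and user namespaces enabled; the default for unprivileged users), and
-*chroot* (an internal wrapper that leans more toward chroot(1) than
-container technology).
+configuration, with *--no-new-keyring* added to its *create* invocation,
+reusing the host's network and UTS namespaces, and creating private IPC, PID,
+mount, and user namespaces; the default for unprivileged users), and *chroot*
+(an internal wrapper that leans more toward chroot(1) than container
+technology, reusing the host's control group, network, IPC, and PID namespaces,
+and creating private mount and UTS namespaces, and creating user namespaces
+only when they're required for ID mapping).
 
 Note: You can also override the default isolation type by setting the
 BUILDAH\_ISOLATION environment variable. `export BUILDAH_ISOLATION=oci`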

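--- a/docs/buildah-from.md
+++ b/docs/buildah-from.md
@@ -234,11 +234,13 @@ another process.
 Controls what type of isolation is used for running processes under `buildah
 run`. Recognized types include *oci* (OCI-compatible runtime, the default),
 *rootless* (OCI-compatible runtime invoked using a modified
-configuration, with *--no-new-keyring* added to its *create*
-invocation, with network and UTS namespaces disabled, and IPC, PID,
-and user namespaces enabled; the default for unprivileged users), and
-*chroot* (an internal wrapper that leans more toward chroot(1) than
-container technology).
+configuration, with *--no-new-keyring* added to its *create* invocation,
+reusing the host's network and UTS namespaces, and creating private IPC, PID,
+mount, and user namespaces; the default for unprivileged users), and *chroot*
+(an internal wrapper that leans more toward chroot(1) than container
+technology, reusing the host's control group, network, IPC, and PID namespaces,
+and creating private mount and UTS namespaces, and creating user namespaces
+only when they're required for ID mapping).
 
 Note: You can also override the default isolation type by setting the
 BUILDAH\_ISOLATION environment variable. `export BUILDAH_ISOLATION=oci`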

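--- a/docs/buildah-run.md
+++ b/docs/buildah-run.md
@@ -76,10 +76,13 @@ process.
 Controls what type of isolation is used for running the process. Recognized
 types include *oci* (OCI-compatible runtime, the default), *rootless*
 (OCI-compatible runtime invoked using a modified configuration, with
-*--no-new-keyring* added to its *create* invocation, with network and
-UTS namespaces disabled, and IPC, PID, and user namespaces enabled;
-the default for unprivileged users), and *chroot* (an internal wrapper
-that leans more toward chroot(1) than container technology).
+*--no-new-keyring* added to its *create* invocation, reusing the host's network
+and UTS namespaces, and creating private IPC, PID, mount, and user namespaces;
+the default for unprivileged users), and *chroot* (an internal wrapper that
+leans more toward chroot(1) than container technology, reusing the host's
+control group, network, IPC, and PID namespaces, and creating private mount and
+UTS namespaces, and creating user namespaces only when they're required for ID
+mapping).
 
 Note: You can also override the default isolation type by setting the
 BUILDAH\_ISOLATION environment variable. `export BUILDAH_ISOLATION=oci`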
