Merge pull request from GHSA-7638-r9r3-rmjj

nalind · web-flow · commit 7f9540d2ab90 · 2021-07-15T10:09:26.000-04:00
[release-1.21] chroot: fix environment value leakage to intermediate processes
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,10 @@
 ![buildah logo](https://cdn.rawgit.com/containers/buildah/master/logos/buildah-logo_large.png)
 
 # Changelog
+## v1.21.3 (2021-07-01)
+    chroot: fix environment value leakage to intermediate processes
+    (CVE-2021-3602).
+
 ## v1.21.2 (2021-06-28)
   * vendor common@v0.38.12 and storage@v1.31.3
 
diff --git a/changelog.txt b/changelog.txt
@@ -1,3 +1,7 @@
+- Changelog for v1.21.3 (2021-07-01)
+  * chroot: fix environment value leakage to intermediate processes
+  (CVE-2021-3602).
+
 - Changelog for v1.21.2 (2021-06-28)
   * vendor common@v0.38.12 and storage@v1.31.3
 
diff --git a/chroot/run.go b/chroot/run.go
@@ -161,7 +161,7 @@ func RunUsingChroot(spec *specs.Spec, bundlePath, homeDir string, stdin io.Reade
 	cmd := unshare.Command(runUsingChrootCommand)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
 	cmd.Dir = "/"
-	cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
+	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
 
 	logrus.Debugf("Running %#v in %#v", cmd.Cmd, cmd)
 	confwg.Add(1)
@@ -207,7 +207,7 @@ func runUsingChrootMain() {
 		os.Exit(1)
 	}
 
-	if options.Spec == nil {
+	if options.Spec == nil || options.Spec.Process == nil {
 		fmt.Fprintf(os.Stderr, "invalid options spec in runUsingChrootMain\n")
 		os.Exit(1)
 	}
@@ -573,7 +573,7 @@ func runUsingChroot(spec *specs.Spec, bundlePath string, ctty *os.File, stdin io
 	cmd := unshare.Command(append([]string{runUsingChrootExecCommand}, spec.Process.Args...)...)
 	cmd.Stdin, cmd.Stdout, cmd.Stderr = stdin, stdout, stderr
 	cmd.Dir = "/"
-	cmd.Env = append([]string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}, os.Environ()...)
+	cmd.Env = []string{fmt.Sprintf("LOGLEVEL=%d", logrus.GetLevel())}
 	cmd.UnshareFlags = syscall.CLONE_NEWUTS | syscall.CLONE_NEWNS
 	requestedUserNS := false
 	for _, ns := range spec.Linux.Namespaces {
@@ -663,7 +663,7 @@ func runUsingChrootExecMain() {
 	// Set the hostname.  We're already in a distinct UTS namespace and are admins in the user
 	// namespace which created it, so we shouldn't get a permissions error, but seccomp policy
 	// might deny our attempt to call sethostname() anyway, so log a debug message for that.
-	if options.Spec == nil {
+	if options.Spec == nil || options.Spec.Process == nil {
 		fmt.Fprintf(os.Stderr, "invalid options spec passed in\n")
 		os.Exit(1)
 	}
@@ -819,7 +819,6 @@ func runUsingChrootExecMain() {
 // Output debug messages when that differs from what we're being asked to do.
 func logNamespaceDiagnostics(spec *specs.Spec) {
 	sawMountNS := false
-	sawUserNS := false
 	sawUTSNS := false
 	for _, ns := range spec.Linux.Namespaces {
 		switch ns.Type {
@@ -854,9 +853,8 @@ func logNamespaceDiagnostics(spec *specs.Spec) {
 			}
 		case specs.UserNamespace:
 			if ns.Path != "" {
-				logrus.Debugf("unable to join user namespace %q, creating a new one", ns.Path)
+				logrus.Debugf("unable to join user namespace, sorry about that")
 			}
-			sawUserNS = true
 		case specs.UTSNamespace:
 			if ns.Path != "" {
 				logrus.Debugf("unable to join UTS namespace %q, creating a new one", ns.Path)
@@ -867,9 +865,6 @@ func logNamespaceDiagnostics(spec *specs.Spec) {
 	if !sawMountNS {
 		logrus.Debugf("mount namespace not requested, but creating a new one anyway")
 	}
-	if !sawUserNS {
-		logrus.Debugf("user namespace not requested, but creating a new one anyway")
-	}
 	if !sawUTSNS {
 		logrus.Debugf("UTS namespace not requested, but creating a new one anyway")
 	}
diff --git a/contrib/rpm/buildah.spec b/contrib/rpm/buildah.spec
@@ -26,7 +26,7 @@
 
 Name:           buildah
 # Bump version in define/types.go too
-Version:        1.21.2
+Version:        1.21.3
 Release:        1.git%{shortcommit}%{?dist}
 Summary:        A command line tool used to creating OCI Images
 License:        ASL 2.0
@@ -100,8 +100,12 @@ make DESTDIR=%{buildroot} PREFIX=%{_prefix} install install.completions
 %{_datadir}/bash-completion/completions/*
 
 %changelog
+* Thu Jul 1 2021 Nalin Dahyabhai <nalin@redhat.com> 1.21.3-1
+- chroot: fix environment value leakage to intermediate processes
+  (CVE-2021-3602)
+
 * Mon Jun 28, 2021 Tom Sweeney <tsweeney@redhat.com> 1.21.2-1
-  * vendor common@v0.38.12 and storage@v1.31.3
+- vendor common@v0.38.12 and storage@v1.31.3
 
 * Thu Jun 3, 2021 Daniel J Walsh <dwalsh@redhat.com> 1.21.1-1
 - Fix handling of auth.json file while in a user namespace
diff --git a/define/types.go b/define/types.go
@@ -28,7 +28,7 @@ const (
 	Package = "buildah"
 	// Version for the Package.  Bump version in contrib/rpm/buildah.spec
 	// too.
-	Version = "1.21.2"
+	Version = "1.21.3"
 
 	// DefaultRuntime if containers.conf fails.
 	DefaultRuntime = "runc"
diff --git a/docs/buildah-bud.md b/docs/buildah-bud.md
@@ -307,11 +307,13 @@ another process.
 Controls what type of isolation is used for running processes as part of `RUN`
 instructions.  Recognized types include *oci* (OCI-compatible runtime, the
 default), *rootless* (OCI-compatible runtime invoked using a modified
-configuration, with *--no-new-keyring* added to its *create*
-invocation, with network and UTS namespaces disabled, and IPC, PID,
-and user namespaces enabled; the default for unprivileged users), and
-*chroot* (an internal wrapper that leans more toward chroot(1) than
-container technology).
+configuration, with *--no-new-keyring* added to its *create* invocation,
+reusing the host's network and UTS namespaces, and creating private IPC, PID,
+mount, and user namespaces; the default for unprivileged users), and *chroot*
+(an internal wrapper that leans more toward chroot(1) than container
+technology, reusing the host's control group, network, IPC, and PID namespaces,
+and creating private mount and UTS namespaces, and creating user namespaces
+only when they're required for ID mapping).
 
 Note: You can also override the default isolation type by setting the
 BUILDAH\_ISOLATION environment variable.  `export BUILDAH_ISOLATION=oci`
diff --git a/docs/buildah-from.md b/docs/buildah-from.md
@@ -234,11 +234,13 @@ another process.
 Controls what type of isolation is used for running processes under `buildah
 run`.  Recognized types include *oci* (OCI-compatible runtime, the default),
 *rootless* (OCI-compatible runtime invoked using a modified
-configuration, with *--no-new-keyring* added to its *create*
-invocation, with network and UTS namespaces disabled, and IPC, PID,
-and user namespaces enabled; the default for unprivileged users), and
-*chroot* (an internal wrapper that leans more toward chroot(1) than
-container technology).
+configuration, with *--no-new-keyring* added to its *create* invocation,
+reusing the host's network and UTS namespaces, and creating private IPC, PID,
+mount, and user namespaces; the default for unprivileged users), and *chroot*
+(an internal wrapper that leans more toward chroot(1) than container
+technology, reusing the host's control group, network, IPC, and PID namespaces,
+and creating private mount and UTS namespaces, and creating user namespaces
+only when they're required for ID mapping).
 
 Note: You can also override the default isolation type by setting the
 BUILDAH\_ISOLATION environment variable.  `export BUILDAH_ISOLATION=oci`
diff --git a/docs/buildah-run.md b/docs/buildah-run.md
@@ -76,10 +76,13 @@ process.
 Controls what type of isolation is used for running the process.  Recognized
 types include *oci* (OCI-compatible runtime, the default), *rootless*
 (OCI-compatible runtime invoked using a modified configuration, with
-*--no-new-keyring* added to its *create* invocation, with network and
-UTS namespaces disabled, and IPC, PID, and user namespaces enabled;
-the default for unprivileged users), and *chroot* (an internal wrapper
-that leans more toward chroot(1) than container technology).
+*--no-new-keyring* added to its *create* invocation, reusing the host's network
+and UTS namespaces, and creating private IPC, PID, mount, and user namespaces;
+the default for unprivileged users), and *chroot* (an internal wrapper that
+leans more toward chroot(1) than container technology, reusing the host's
+control group, network, IPC, and PID namespaces, and creating private mount and
+UTS namespaces, and creating user namespaces only when they're required for ID
+mapping).
 
 Note: You can also override the default isolation type by setting the
 BUILDAH\_ISOLATION environment variable.  `export BUILDAH_ISOLATION=oci`
