[ASA-202009-11] podman: information disclosure

2020-09-26T00:00:00
ID ASA-202009-11
Type archlinux
Reporter ArchLinux
Modified 2020-09-26T00:00:00

Description

Arch Linux Security Advisory ASA-202009-11

Severity: High Date : 2020-09-26 CVE-ID : CVE-2020-14370 Package : podman Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-1233

Summary

The package podman before version 2.1.0-1 is vulnerable to information disclosure.

Resolution

Upgrade to 2.1.0-1.

pacman -Syu "podman>=2.1.0-1"

The problem has been fixed upstream in version 2.1.0.

Workaround

None.

Description

A flaw was discovered in Podman before upstream version 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first containers will get leaked into subsequent containers. An attacker who has control over those subsequent containers may get access to secrets shared with previous containers through environment variables.

Impact

A local privileged user can potentially view secrets in environment variables.

References

https://github.com/containers/podman/commit/a7e864e6e7de894d4edde4fff00e53dc6a0b5074 https://security.archlinux.org/CVE-2020-14370