From b6229fa5cff3cb7a503a3a9956a3ac71f2ecda52 Mon Sep 17 00:00:00 2001

From: Matthew Heon <mheon@redhat.com>

Date: Tue, 8 Sep 2020 09:30:26 -0400

Subject: [PATCH] Fix CVE-2020-14370

Convert defaultEnvVariables to a function to ensure that we do

not have a variable that can leak between container creation

calls. This resolve CVE-2020-14370 for the 1.6 branch of Podman.

Signed-off-by: Matthew Heon <mheon@redhat.com>

---

 cmd/podman/shared/create.go | 10 ++++++----

 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go

index dda36826e..b9f346691 100644

--- a/cmd/podman/shared/create.go

+++ b/cmd/podman/shared/create.go

@@ -822,15 +822,17 @@ func CreateContainerFromCreateConfig(r *libpod.Runtime, createConfig *cc.CreateC

 	return ctr, nil

 }

-var defaultEnvVariables = map[string]string{

-	"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",

-	"TERM": "xterm",

+func defaultEnvVariables() map[string]string {

+	return map[string]string{

+		"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",

+		"TERM": "xterm",

+	}

 }

 // EnvVariablesFromData gets sets the default environment variables

 // for containers, and reads the variables from the image data, if present.

 func EnvVariablesFromData(data *inspect.ImageData) map[string]string {

-	env := defaultEnvVariables

+	env := defaultEnvVariables()

 	if data != nil {

 		for _, e := range data.Config.Env {

 			split := strings.SplitN(e, "=", 2)

-- 

2.26.2