From b6229fa5cff3cb7a503a3a9956a3ac71f2ecda52 Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Tue, 8 Sep 2020 09:30:26 -0400
Subject: [PATCH] Fix CVE-2020-14370

Convert defaultEnvVariables to a function to ensure that we do not have a variable that can leak between container creation calls.

This resolve CVE-2020-14370 for the 1.6 branch of Podman.

Signed-off-by: Matthew Heon
---
 cmd/podman/shared/create.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/cmd/podman/shared/create.go b/cmd/podman/shared/create.go
index dda36826e..b9f346691 100644
--- a/cmd/podman/shared/create.go
+++ b/cmd/podman/shared/create.go
@@ -822,15 +822,17 @@ func CreateContainerFromCreateConfig(r *libpod.Runtime, createConfig *cc.CreateC
 	return ctr, nil
 }
 
-var defaultEnvVariables = map[string]string{
-	"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-	"TERM": "xterm",
+func defaultEnvVariables() map[string]string {
+	return map[string]string{
+		"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+		"TERM": "xterm",
+	}
 }
 
 // EnvVariablesFromData gets sets the default environment variables
 // for containers, and reads the variables from the image data, if present.
 func EnvVariablesFromData(data *inspect.ImageData) map[string]string {
-	env := defaultEnvVariables
+	env := defaultEnvVariables()
 	if data != nil {
 		for _, e := range data.Config.Env {
 			split := strings.SplitN(e, "=", 2)
-- 
2.26.2
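Review bot: The new `defaultEnvVariables` function carries no comment explaining why it is a function rather than a package-level `var`, so a later "simplification" back to a shared map would silently reintroduce the cross-container environment leak this commit fixes, since `EnvVariablesFromData` writes into the map it gets back. Suggest a doc comment above the function such as `// defaultEnvVariables returns a fresh map on every call. It must not become a package-level var: EnvVariablesFromData mutates the returned map, and sharing one map leaked environment variables between containers (CVE-2020-14370).` A regression test that calls `EnvVariablesFromData(nil)` twice, adds a key to the first result, and asserts the second result does not contain it would pin the fix against that regression. `EnvVariablesFromData`'s body continues past the end of the hunk, so whether every later write goes through the freshly returned `env` (and how entries without an `=` from `strings.SplitN` are handled) cannot be confirmed from here.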