Environment leak between jobs #53

Closed
towe75 opened this issue Jul 30, 2020 · 5 comments

@towe75
Collaborator

towe75 commented Jul 30, 2020

The driver leaks environment variables. It basically accumulates all env variables over time.

Steps to reproduce:

  1. run a job and set env "foo1"="bar"
  2. inspect container, "foo1" is "bar", as expected
  3. run another job and set env "foo2"="bar"
  4. inspect second container. It will show both "foo1" and "foo2" variables.
@towe75 towe75 added the bug label Jul 30, 2020
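
The reproduction steps above can be turned into a repeatable check over `podman inspect` output. This is an added example, not code from the issue or from the driver; the `BASELINE` set, the `NOMAD_` prefix allowance, the helper names and the sample inspect documents are assumptions constructed for illustration.

```python
import json

# Assumption: variables the image/runtime sets on its own, not part of any job.
BASELINE = {"PATH", "HOSTNAME", "HOME", "TERM", "container"}
# Assumption: Nomad injects its own NOMAD_* task variables.
ALLOWED_PREFIXES = ("NOMAD_",)


def container_env(inspect_json):
    """Parse `podman inspect <ctr>` output into a {name: value} dict."""
    config = json.loads(inspect_json)[0].get("Config") or {}
    env = {}
    for entry in config.get("Env") or []:
        name, _, value = entry.partition("=")
        env[name] = value
    return env


def leaked_vars(inspect_json, declared, earlier_jobs=None):
    """Return {name: source} for variables the job did not declare.

    source is the name of an earlier job that declared the variable,
    or None when the origin is unknown.
    """
    earlier_jobs = earlier_jobs or {}
    leaks = {}
    for name in container_env(inspect_json):
        if name in declared or name in BASELINE or name.startswith(ALLOWED_PREFIXES):
            continue
        leaks[name] = next(
            (job for job, names in earlier_jobs.items() if name in names), None
        )
    return leaks


# Constructed inspect output mirroring the reproduction steps above.
FIRST = json.dumps([{"Config": {"Env": ["PATH=/usr/bin:/bin", "foo1=bar"]}}])
SECOND = json.dumps(
    [{"Config": {"Env": ["PATH=/usr/bin:/bin", "NOMAD_JOB_NAME=job2",
                         "foo1=bar", "foo2=bar"]}}]
)

if __name__ == "__main__":
    print(leaked_vars(FIRST, {"foo1"}))
    print(leaked_vars(SECOND, {"foo2"}, {"job1": {"foo1"}}))
```

Feeding it the real `podman inspect` output of each container, together with the env each job declared, flags any variable that crossed from one job into another.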
@drewbailey
Contributor

Update: This issue was reproduced without Nomad and we are working with upstream.

@fuero

fuero commented Sep 8, 2020

Any news on this? Any comment from the podman people?

@drewbailey
Contributor

I followed up again with the security team and received this:


Sorry for the delay here. There were some issues getting a CVE number
assigned internally.

We fixed the issue upstream and it should be in the 2.0.5 release and
up. We finally have a CVE assigned and are working to get the fix
backported to other released versions from there. I'll forward this
along to the security team and see about getting more details on that.

I'm out this week but we should be able to re-run the test suite, and if the tests pass we are good to go.

@fuero

fuero commented Sep 9, 2020

@drewbailey thanks, please keep us posted!

@drewbailey
Contributor

from [email protected]

Hi,

The issue has been assigned CVE-2020-14370 and has been unembargoed.
The fix should be pushed to all major distributions now.

Again, apologies for the major delay in dealing with this. I can only
say that we'll try and be faster about dealing with such issues in the
future.

CVE: https://access.redhat.com/security/cve/cve-2020-14370

This should be fixed upstream in all podman distributions.

#55 ensures that this CVE has been fixed
