Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13ajdmLTQ2OG0tNm12OM4AA3e_
Environment variables still accessible through /proc
Impact
Environment variables can be read from procfs unless a new process is started.
PoC
use birdcage::{Birdcage, Sandbox};
use std::{env, fs};
fn main() {
Birdcage::new().lock().unwrap();
assert_eq!(env::var_os("SECRET"), None);
let environ = fs::read_to_string("/proc/self/environ").unwrap();
assert!(!environ.contains("SECRET"), "ENVIRON CONTAINS SECRET:\n{environ}");
}
$ SECRET=test cargo run
thread 'main' panicked at src/main.rs:10:5:
ENVIRON CONTAINS SECRET:
[truncated]
Possible Solutions
The simplest solution would be relying on the ptrace isolation and always spawning a new process by changing birdcage's API to create a new command. With an additional PID namespace the guarantees could be even further reinforced.
Permalink: https://github.com/advisories/GHSA-wj7f-468m-6mv8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13ajdmLTQ2OG0tNm12OM4AA3e_
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 4.0
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-wj7f-468m-6mv8
References:
- https://github.com/phylum-dev/birdcage/security/advisories/GHSA-wj7f-468m-6mv8
- https://github.com/advisories/GHSA-wj7f-468m-6mv8
Blast Radius: 1.0
Affected Packages
cargo:birdcage
Dependent packages: 0Dependent repositories: 0
Downloads: 9,999 total
Affected Version Ranges: < 0.7.0
Fixed in: 0.7.0
All affected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.6.0
All unaffected versions: 0.7.0, 0.7.1, 0.8.0, 0.8.1