packages/umoci
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!12 Fix CVE-2021-29136

Browse Source 
From: @wang_yue111
Reviewed-by: @small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-04-16 10:44:05 +08:00 committed by Gitee
commit 492d065b7c
2 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
CVE-2021-29136.patch Normal file
View File

@ -0,0 +1,35 @@
From d9efc31daf2206f7d3fdb839863cf7a576a2eb57 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Wed, 24 Mar 2021 00:17:06 +1100
Subject: [PATCH] layer: don't permit / type to be changed on extraction
If users can change the type of / to a symlink, they can cause umoci to
overwrite host files. This is obviously bad, and is not caught by the
rest of our directory escape detection code because the root itself has
been changed to a different directory.
Fixes: CVE-2021-29136
Reported-by: Robin Peraglie <robin@cure53.de>
Tested-by: Daniel Dao <dqminh89@gmail.com>
Reviewed-by: Tycho Andersen <tycho@tycho.pizza>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
oci/layer/tar_extract.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
index 1b8c3d67..d7414105 100644
--- a/oci/layer/tar_extract.go
+++ b/oci/layer/tar_extract.go
@@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) (
if filepath.Join("/", hdr.Name) == "/" {
// If we got an entry for the root, then unsafeDir is the full path.
unsafeDir, file = hdr.Name, "."
+ // If we're being asked to change the root type, bail because they may
+ // change it to a symlink which we could inadvertently follow.
+ if hdr.Typeflag != tar.TypeDir {
+ return errors.New("malicious tar entry -- refusing to change type of root directory")
+ }
}
dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval)
if err != nil {

6
umoci.spec
View File

@ -4,12 +4,13 @@
Name: umoci Name: umoci
Version: 0.4.5 Version: 0.4.5
Release: 4 Release: 5
Summary: Open Container Image manipulation tool Summary: Open Container Image manipulation tool
License: Apache-2.0 License: Apache-2.0
URL: https://github.com/opencontainers/umoci URL: https://github.com/opencontainers/umoci
Source0: https://github.com/opencontainers/umoci/archive/v0.4.5.tar.gz Source0: https://github.com/opencontainers/umoci/archive/v0.4.5.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch0: CVE-2021-29136.patch
BuildRequires: fdupes go >= 1.6 BuildRequires: fdupes go >= 1.6
%description %description
@ -54,6 +55,9 @@ done
%{_mandir}/man1/umoci* %{_mandir}/man1/umoci*
%changelog %changelog
* Fri Apr 16 2021 wangyue <wangyue92@huawei.com> - 0.4.5-5
- Fix CVE-2021-29136
* Tue Feb 9 2021 lingsheng <lingsheng@huawei.com> - 0.4.5-4 * Tue Feb 9 2021 lingsheng <lingsheng@huawei.com> - 0.4.5-4
- Fix unresolvable - Fix unresolvable