packages/umoci
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

remove unuse files

Browse Source 
(cherry picked from commit d4af79545be0a979bb703fea9f116d9dc05dd007)
This commit is contained in:
cherry530 2022-01-26 10:50:37 +08:00 committed by openeuler-sync-bot
parent 492d065b7c
commit 578245d51a
4 changed files with 8 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
CVE-2021-29136.patch
View File

@ -1,35 +0,0 @@
From d9efc31daf2206f7d3fdb839863cf7a576a2eb57 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Wed, 24 Mar 2021 00:17:06 +1100
Subject: [PATCH] layer: don't permit / type to be changed on extraction
If users can change the type of / to a symlink, they can cause umoci to
overwrite host files. This is obviously bad, and is not caught by the
rest of our directory escape detection code because the root itself has
been changed to a different directory.
Fixes: CVE-2021-29136
Reported-by: Robin Peraglie <robin@cure53.de>
Tested-by: Daniel Dao <dqminh89@gmail.com>
Reviewed-by: Tycho Andersen <tycho@tycho.pizza>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
oci/layer/tar_extract.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
index 1b8c3d67..d7414105 100644
--- a/oci/layer/tar_extract.go
+++ b/oci/layer/tar_extract.go
@@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) (
if filepath.Join("/", hdr.Name) == "/" {
// If we got an entry for the root, then unsafeDir is the full path.
unsafeDir, file = hdr.Name, "."
+ // If we're being asked to change the root type, bail because they may
+ // change it to a symlink which we could inadvertently follow.
+ if hdr.Typeflag != tar.TypeDir {
+ return errors.New("malicious tar entry -- refusing to change type of root directory")
+ }
}
dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval)
if err != nil {

14
umoci.spec
View File

@ -3,14 +3,13 @@
%define tempdir github.com/openSUSE/umoci %define tempdir github.com/openSUSE/umoci
Name: umoci Name: umoci
Version: 0.4.5 Version: 0.4.7
Release: 5 Release: 1
Summary: Open Container Image manipulation tool Summary: Open Container Image manipulation tool
License: Apache-2.0 License: ISC and MIT and Apache-2.0
URL: https://github.com/opencontainers/umoci URL: https://github.com/opencontainers/umoci
Source0: https://github.com/opencontainers/umoci/archive/v0.4.5.tar.gz Source0: https://github.com/opencontainers/umoci/archive/v0.4.7.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch0: CVE-2021-29136.patch
BuildRequires: fdupes go >= 1.6 BuildRequires: fdupes go >= 1.6
%description %description
@ -35,7 +34,7 @@ mkdir -pv $HOME/go/src/%{tempdir}
rm -rf $HOME/go/src/%{tempdir}/* rm -rf $HOME/go/src/%{tempdir}/*
cp -ar * $HOME/go/src/%{tempdir} cp -ar * $HOME/go/src/%{tempdir}
make umoci make umoci
make local-doc make docs
%install %install
install -D -m 0755 %{name} %{buildroot}/%{_bindir}/%{name} install -D -m 0755 %{name} %{buildroot}/%{_bindir}/%{name}
@ -55,6 +54,9 @@ done
%{_mandir}/man1/umoci* %{_mandir}/man1/umoci*
%changelog %changelog
* Tue Jan 18 2022 SimpleUpdate Robot <tc@openeuler.org> - 0.4.7-1
- Upgrade to version 0.4.7
* Fri Apr 16 2021 wangyue <wangyue92@huawei.com> - 0.4.5-5 * Fri Apr 16 2021 wangyue <wangyue92@huawei.com> - 0.4.5-5
- Fix CVE-2021-29136 - Fix CVE-2021-29136

BIN
v0.4.5.tar.gz
View File

Binary file not shown.

BIN
v0.4.7.tar.gz Normal file
View File

Binary file not shown.