36 lines
1.5 KiB
Diff
36 lines
1.5 KiB
Diff
From d9efc31daf2206f7d3fdb839863cf7a576a2eb57 Mon Sep 17 00:00:00 2001
|
|
From: Aleksa Sarai <cyphar@cyphar.com>
|
|
Date: Wed, 24 Mar 2021 00:17:06 +1100
|
|
Subject: [PATCH] layer: don't permit / type to be changed on extraction
|
|
|
|
If users can change the type of / to a symlink, they can cause umoci to
|
|
overwrite host files. This is obviously bad, and is not caught by the
|
|
rest of our directory escape detection code because the root itself has
|
|
been changed to a different directory.
|
|
|
|
Fixes: CVE-2021-29136
|
|
Reported-by: Robin Peraglie <robin@cure53.de>
|
|
Tested-by: Daniel Dao <dqminh89@gmail.com>
|
|
Reviewed-by: Tycho Andersen <tycho@tycho.pizza>
|
|
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
|
---
|
|
oci/layer/tar_extract.go | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
|
|
index 1b8c3d67..d7414105 100644
|
|
--- a/oci/layer/tar_extract.go
|
|
+++ b/oci/layer/tar_extract.go
|
|
@@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) (
|
|
if filepath.Join("/", hdr.Name) == "/" {
|
|
// If we got an entry for the root, then unsafeDir is the full path.
|
|
unsafeDir, file = hdr.Name, "."
|
|
+ // If we're being asked to change the root type, bail because they may
|
|
+ // change it to a symlink which we could inadvertently follow.
|
|
+ if hdr.Typeflag != tar.TypeDir {
|
|
+ return errors.New("malicious tar entry -- refusing to change type of root directory")
|
|
+ }
|
|
}
|
|
dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval)
|
|
if err != nil {
|