packages/umoci
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2021-29136

Browse Source 
(cherry picked from commit 4fd8a04a2ddd59c910145e5acc0f51084c5346e4)
This commit is contained in:
wang_yue111 2021-04-16 11:39:06 +08:00 committed by openeuler-sync-bot
parent 729c84d966
commit 00e3fc7029
2 changed files with 40 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
CVE-2021-29136.patch Normal file
View File

@ -0,0 +1,35 @@
From d9efc31daf2206f7d3fdb839863cf7a576a2eb57 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Wed, 24 Mar 2021 00:17:06 +1100
Subject: [PATCH] layer: don't permit / type to be changed on extraction
If users can change the type of / to a symlink, they can cause umoci to
overwrite host files. This is obviously bad, and is not caught by the
rest of our directory escape detection code because the root itself has
been changed to a different directory.
Fixes: CVE-2021-29136
Reported-by: Robin Peraglie <robin@cure53.de>
Tested-by: Daniel Dao <dqminh89@gmail.com>
Reviewed-by: Tycho Andersen <tycho@tycho.pizza>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
oci/layer/tar_extract.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
index 1b8c3d67..d7414105 100644
--- a/oci/layer/tar_extract.go
+++ b/oci/layer/tar_extract.go
@@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) (
if filepath.Join("/", hdr.Name) == "/" {
// If we got an entry for the root, then unsafeDir is the full path.
unsafeDir, file = hdr.Name, "."
+ // If we're being asked to change the root type, bail because they may
+ // change it to a symlink which we could inadvertently follow.
+ if hdr.Typeflag != tar.TypeDir {
+ return errors.New("malicious tar entry -- refusing to change type of root directory")
+ }
}
dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval)
if err != nil {

6
umoci.spec
View File

@ -4,12 +4,13 @@
Name: umoci Name: umoci
Version: 0.4.5 Version: 0.4.5
Release: 3 Release: 4
Summary: Open Container Image manipulation tool Summary: Open Container Image manipulation tool
License: Apache-2.0 License: Apache-2.0
URL: https://github.com/opencontainers/umoci URL: https://github.com/opencontainers/umoci
Source0: https://github.com/opencontainers/umoci/archive/v0.4.5.tar.gz Source0: https://github.com/opencontainers/umoci/archive/v0.4.5.tar.gz
BuildRequires: fdupes go >= 1.6 go-md2man BuildRequires: fdupes go >= 1.6 go-md2man
Patch0: CVE-2021-29136.patch
%description %description
Umoci modifies Open Container images. Umoci intends to be a complete manipulation tool for OCI images. Umoci modifies Open Container images. Umoci intends to be a complete manipulation tool for OCI images.
@ -48,6 +49,9 @@ done
%{_mandir}/man1/umoci* %{_mandir}/man1/umoci*
%changelog %changelog
* Fri Apr 16 2021 wangyue <wangyue92@huawei.com> - 0.4.5-4
- Fix CVE-2021-29136
* Wed Sep 9 2020 Ge Wang <wangge20@huawei.com> - 0.4.5-3 * Wed Sep 9 2020 Ge Wang <wangge20@huawei.com> - 0.4.5-3
- Modify Source0 Url - Modify Source0 Url