CVE-2019-1002101: kubectl fix potential directory traversal #75037
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
release-note-none
k8s-ci-robot
added
size/L
|
/priority important-soon |
k8s-ci-robot
added
priority/important-soon
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: soltysh The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
This was referenced Mar 6, 2019
|
/test pull-kubernetes-integration |
|
/test pull-kubernetes-e2e-gce-100-performance |
tallclair
reviewed
Mar 6, 2019
| linkname := header.Linkname | ||
| // error is returned if linkname can't be made relative to destFile, | ||
| // but relative can end up being ../dir that's why we also need to | ||
| // verify if relative path is the same after Clean-ing |
There was a problem hiding this comment.
nit:
Suggested change
| // verify if relative path is the same after Clean-ing | |
| // verify if relative path is the same after removing backticks |
k8s-ci-robot
added
the
lgtm
tedyu
reviewed
Mar 6, 2019
| // but relative can end up being ../dir that's why we also need to | ||
| // verify if relative path is the same after Clean-ing | ||
| relative, err := filepath.Rel(destFile, linkname) | ||
| if path.IsAbs(linkname) && (err != nil || relative != stripPathShortcuts(relative)) { |
There was a problem hiding this comment.
Should this check be separated into a util class so that other calls to os.Symlink() can utilize ?
|
Reading the untarAll() function, I think the on line 483 is redundant with the call on line 487. Created PR #75074 |
k8s-ci-robot
added
release-note
k8s-ci-robot
added a commit
that referenced
this pull request
Mar 12, 2019
…7-upstream-release-1.12 Automated cherry pick of #75037: Fix panic in kubectl cp command
k8s-ci-robot
added a commit
that referenced
this pull request
Mar 18, 2019
…7-upstream-release-1.13 Automated cherry pick of #75037: Fix panic in kubectl cp command
k8s-ci-robot
added a commit
that referenced
this pull request
Mar 21, 2019
…7-upstream-release-1.11 Automated cherry pick of #75037: Fix panic in kubectl cp command
philips
changed the title
liggitt
changed the title
honkiko
pushed a commit
to honkiko/kubernetes
that referenced
this pull request
Dec 5, 2019
kubectl cp potential directory traversal - CVE-2019-11246 kubectl cp potential directory traversal - CVE-2019-11246 kubernetes#75037 kubernetes#76788 See merge request !53
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind bug
What this PR does / why we need it:
Fixes panic in
kubectl cpcommandSpecial notes for your reviewer:
/assign @tallclair @liggitt
Does this PR introduce a user-facing change?:
Update from Brandon @philips of the Kubernetes Security Commitee:
A security issue was discovered with the Kubernetes
kubectl cpcommand that could enable a directory traversal replacing or deleting files on a user’s workstation. The issue is High severity and upgrading kubectl to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 is encouraged to fix this issue.Am I vulnerable?
Run
kubectl version --clientand if it does not say client version 1.11.9, 1.12.7, 1.13.5, and 1.14.0 or newer you are running a vulnerable version.How do I upgrade?
Follow installation instructions here https://kubernetes.io/docs/tasks/tools/install-kubectl/
Not all instructions will provide up to date kubectl versions at the time of this announcement. So, always confirm with
kubectl version.Vulnerability Details
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine.
If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user.
Since fixing CVE-2018-1002100, the untar function calls the
cp.go:cleanto strip path traversals. However, that function can both create and follow symbolic links.See #75037 for details.
Thank you
Thank you to the reporter Ariel Zelivansky of Twistlock for identifying the issue, Maciej Szulik, Tim Pepper, and the patch release managers for the coordination in making this release.
Thank You,
Brandon on behalf of the Kubernetes Product Security Committee