CVE-2019-1002101: kubectl fix potential directory traversal #75037
Conversation
/priority important-soon
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: soltysh. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test pull-kubernetes-integration
/test pull-kubernetes-e2e-gce-100-performance
/lgtm
Thanks!
linkname := header.Linkname | ||
// error is returned if linkname can't be made relative to destFile, | ||
// but relative can end up being ../dir that's why we also need to | ||
// verify if relative path is the same after Clean-ing |
nit:
// verify if relative path is the same after Clean-ing | |
// verify if relative path is the same after removing backticks |
// but relative can end up being ../dir that's why we also need to | ||
// verify if relative path is the same after Clean-ing | ||
relative, err := filepath.Rel(destFile, linkname) | ||
if path.IsAbs(linkname) && (err != nil || relative != stripPathShortcuts(relative)) { |
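Review bot: the leading `path.IsAbs(linkname) &&` in this condition means the stripPathShortcuts comparison only runs for absolute link names, so a relative Linkname is accepted without being checked at all. If relative links are meant to be covered, drop the IsAbs guard and resolve a relative target against the directory the link is created in before calling filepath.Rel. Separately, `filepath.Rel(destFile, linkname)` uses the link's own path as the base, whereas the comment describes containment in the destination; passing the destination directory (for instance `filepath.Dir(destFile)`) as the base would make `relative` express that. Mixing `path.IsAbs` with `filepath.Rel` is also worth a look: path.IsAbs only understands forward-slash paths, so filepath.IsAbs is the matching call for a destination on the local filesystem.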
Should this check be separated into a util class so that other calls to os.Symlink() can utilize it?
Reading the untarAll() function, I think the
on line 483 is redundant with the call on line 487. Created PR #75074
…7-upstream-release-1.12 Automated cherry pick of #75037: Fix panic in kubectl cp command
…7-upstream-release-1.13 Automated cherry pick of #75037: Fix panic in kubectl cp command
…7-upstream-release-1.11 Automated cherry pick of #75037: Fix panic in kubectl cp command
kubectl cp potential directory traversal - CVE-2019-11246 kubectl cp potential directory traversal - CVE-2019-11246 kubernetes#75037 kubernetes#76788 See merge request !53
What type of PR is this?
/kind bug
What this PR does / why we need it:
Fixes panic in kubectl cp command
Special notes for your reviewer:
/assign @tallclair @liggitt
Does this PR introduce a user-facing change?:
Update from Brandon @philips of the Kubernetes Security Committee:
A security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal replacing or deleting files on a user’s workstation. The issue is High severity and upgrading kubectl to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 is encouraged to fix this issue.
Am I vulnerable?
Run kubectl version --client and if it does not say client version 1.11.9, 1.12.7, 1.13.5, and 1.14.0 or newer you are running a vulnerable version.
How do I upgrade?
Follow installation instructions here https://kubernetes.io/docs/tasks/tools/install-kubectl/
Not all instructions will provide up to date kubectl versions at the time of this announcement. So, always confirm with kubectl version.
Vulnerability Details
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine.
If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user.
Since fixing CVE-2018-1002100, the untar function calls the cp.go:clean to strip path traversals. However, that function can both create and follow symbolic links.
See #75037 for details.
Thank you
Thank you to the reporter Ariel Zelivansky of Twistlock for identifying the issue, Maciej Szulik, Tim Pepper, and the patch release managers for the coordination in making this release.
Thank You,
Brandon on behalf of the Kubernetes Product Security Committee
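The vulnerability details above come down to a tar unpacker that both creates and follows symbolic links. As an added example, not code from the kubectl project or from this PR, the following Go program audits an in-memory tar archive against a destination directory without writing anything to disk. It refuses three kinds of entry: names that escape the destination, symlinks whose resolved target escapes the destination (relative targets are resolved against the directory holding the link, absolute targets are checked as they are), and entries whose path passes through a symlink created earlier in the same archive, which is the "follow" case. The archive contents, the destination path /tmp/dest and every function name here are constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
	"time"
)

// Rejection records one archive entry a hardened unpacker would refuse.
type Rejection struct {
	Name   string
	Reason string
}

// escapesDest reports whether candidate lies outside destDir. A Rel error
// (for example an absolute candidate against a relative destDir) is treated
// as an escape, so the check fails closed.
func escapesDest(destDir, candidate string) bool {
	rel, err := filepath.Rel(filepath.Clean(destDir), filepath.Clean(candidate))
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// nameEscapes checks the entry's own path (for example "../escape.txt").
func nameEscapes(destDir, name string) bool {
	return escapesDest(destDir, filepath.Join(destDir, name))
}

// linkEscapes checks where a symlink written at name would point once it
// exists. Relative targets resolve against the directory holding the link,
// so relative and absolute targets are covered alike.
func linkEscapes(destDir, name, target string) bool {
	if filepath.IsAbs(target) {
		return escapesDest(destDir, target)
	}
	return escapesDest(destDir, filepath.Join(destDir, filepath.Dir(name), target))
}

// throughLink reports whether any parent directory of name is a symlink
// created by an earlier entry of the same archive; writing there would
// follow the link to wherever it points.
func throughLink(name string, links map[string]bool) bool {
	for d := filepath.Dir(name); d != "." && d != string(filepath.Separator); d = filepath.Dir(d) {
		if links[d] {
			return true
		}
	}
	return false
}

// AuditTar walks the archive without touching the filesystem and returns
// every entry the checks above would refuse. Order matters: a symlink is
// only known once its entry has been seen, which mirrors extraction.
func AuditTar(r io.Reader, destDir string) ([]Rejection, error) {
	tr := tar.NewReader(r)
	links := map[string]bool{} // cleaned archive paths of accepted symlinks
	var rejected []Rejection
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		}
		if err != nil {
			return rejected, err
		}
		name := filepath.Clean(hdr.Name)
		isLink := hdr.Typeflag == tar.TypeSymlink
		switch {
		case nameEscapes(destDir, name):
			rejected = append(rejected, Rejection{hdr.Name, "entry name escapes destination"})
		case throughLink(name, links):
			rejected = append(rejected, Rejection{hdr.Name, "path passes through an earlier symlink"})
		case isLink && linkEscapes(destDir, name, hdr.Linkname):
			rejected = append(rejected, Rejection{hdr.Name, "symlink target " + hdr.Linkname + " escapes destination"})
		case isLink:
			links[name] = true
		}
	}
}

// SampleTar builds a constructed archive in memory: two benign entries and
// four of the kind a malicious in-container tar could emit.
func SampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	add := func(h *tar.Header, body string) {
		h.Size = int64(len(body))
		h.ModTime = time.Unix(0, 0)
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
		if body != "" {
			if _, err := tw.Write([]byte(body)); err != nil {
				panic(err)
			}
		}
	}
	add(&tar.Header{Name: "ok.txt", Typeflag: tar.TypeReg, Mode: 0644}, "hello\n")
	add(&tar.Header{Name: "link-ok", Typeflag: tar.TypeSymlink, Linkname: "ok.txt", Mode: 0777}, "")
	add(&tar.Header{Name: "link-ok/inner.txt", Typeflag: tar.TypeReg, Mode: 0644}, "written through a link\n")
	add(&tar.Header{Name: "link-bad", Typeflag: tar.TypeSymlink, Linkname: "../../outside.txt", Mode: 0777}, "")
	add(&tar.Header{Name: "link-abs", Typeflag: tar.TypeSymlink, Linkname: "/tmp/outside.txt", Mode: 0777}, "")
	add(&tar.Header{Name: "../escape.txt", Typeflag: tar.TypeReg, Mode: 0644}, "outside\n")
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// AuditSample runs the audit over the constructed archive against a
// hypothetical destination directory.
func AuditSample() ([]Rejection, error) {
	return AuditTar(bytes.NewReader(SampleTar()), "/tmp/dest")
}

func main() {
	rejected, err := AuditSample()
	if err != nil {
		panic(err)
	}
	for _, r := range rejected {
		fmt.Printf("reject %-20s %s\n", r.Name, r.Reason)
	}
}
```

Running it reports link-ok/inner.txt, link-bad, link-abs and ../escape.txt as rejected while ok.txt and link-ok are accepted. The through-link check is what distinguishes this from a name-only sanitizer: a benign-looking symlink followed by a file entry beneath it is exactly the pattern that turns "create a symlink" into "follow a symlink" during extraction, and it is caught here because every accepted symlink is remembered before later entries are judged.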