This repository has been archived by the owner on Aug 14, 2020. It is now read-only.

Path traversals present in image converting #201

Closed
soh0ro0t opened this issue Sep 27, 2016 · 6 comments · Fixed by #204
Comments

@soh0ro0t
soh0ro0t commented Sep 27, 2016

Description

> In code review, I found a path traversal vulnerability in Docker image conversion using docker2aci. There must be a possibility that it extracts embedded layer data to arbitrary directories or paths, since there is no essential check on the file path; RCE or privilege escalation would be performed.

> It is indeed true that I tested the issue by building a malicious image. If running as root, arbitrary files could be written into arbitrary paths, like backdoors; or, running as an unprivileged user, arbitrary files could also be extracted to some paths within the capabilities of the current user.

> It is quite critical, right? Could you request a CVE for that?

@jonboulle
Contributor

Thanks for submitting this bug report. docker2aci development is primarily handled by CoreOS, so we'd like to handle this via our Security Disclosure policy. Could you kindly send an email to security@coreos.com with more details so we can investigate further?

https://coreos.com/security/disclosure/

@soh0ro0t
Author

fine

@soh0ro0t
Author

The issue has been sent to security@coreos.com by email, no response. I'm going to report it to oss-security for handling, and request a CVE identifier, OK?

@lucab
Contributor

lucab commented Sep 29, 2016

For reference, this has been assigned CVE-2016-7569 with a low to medium impact, typically mitigated for remote attack vectors.

Given the very short timeline for the disclosure, a patch is currently being worked on and will appear in the next release.

@lucab
Contributor

lucab commented Oct 13, 2016

@thebeeman a proposed fix for this is up at #204, adding additional validation on crafted images. Can you please take a look at it?

@soh0ro0t
Author

I reviewed the patch for CVE-2016-7569 and processed some tests with the previous malicious image; it addressed the issue.
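
The kind of path validation this thread is about, as an added example (not docker2aci's code and not the patch in #204): each tar entry name and link target in a layer is resolved against the extraction root and rejected if it lands outside. `checkLayer`, `inside`, `buildLayer` and the `/rootfs` root are hypothetical names; absolute symlink targets and writes through already-extracted symlinks are not covered.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// inside reports whether target stays within root once ".." is resolved.
func inside(root, target string) bool {
	rel, err := filepath.Rel(root, target)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// checkLayer (hypothetical name) rejects entries that would resolve outside root.
func checkLayer(r io.Reader, root string) error {
	tr := tar.NewReader(r)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return err
		}
		dst := filepath.Join(root, hdr.Name)      // Join also resolves ".." components
		link := filepath.Join(root, hdr.Linkname) // hard link: relative to the archive root
		if hdr.Typeflag == tar.TypeSymlink {      // symlink: relative to the entry's directory
			link = filepath.Join(filepath.Dir(dst), hdr.Linkname)
		}
		if !inside(root, dst) || !inside(root, link) {
			return fmt.Errorf("entry %q (link %q) escapes %s", hdr.Name, hdr.Linkname, root)
		}
	}
	return nil
}

// buildLayer packs constructed sample headers (no file bodies) into a tar.
func buildLayer(hdrs ...tar.Header) io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for i := range hdrs {
		tw.WriteHeader(&hdrs[i])
	}
	tw.Close()
	return &buf
}

func main() {
	fmt.Println(checkLayer(buildLayer(tar.Header{Name: "etc/../../outside"}), "/rootfs"))
}
```

The `filepath.Rel` comparison is used instead of a plain string-prefix test so that a sibling directory such as `/rootfs-evil` is not mistaken for a path under `/rootfs`.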
