Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2018-1002100: Kubectl copy doesn't check for paths outside of it's destination directory. #61297

Closed
brendandburns opened this issue Mar 16, 2018 · 6 comments
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. sig/cli Categorizes an issue or PR as relevant to SIG CLI.
Milestone

Comments

@brendandburns
Copy link
Contributor

brendandburns commented Mar 16, 2018

Is this a BUG REPORT or FEATURE REQUEST?: Bug

/kind bug

What happened:
kubectl cp :/some/remote/dir /some/local/dir

If the container returns a malformed tarfile with paths like:

'/some/remote/dir/../../../../tmp/foo' kubectl writes this to /tmp/foo instead of /some/local/dir/tmp/foo

What you expected to happen:

I expect kubectl to clean up the path and write to /some/local/dir/tmp/foo

Notes
Original credit to @hansmi (Michael Hanselmann) for originally reporting the bug.

Tracked as CVE-2018-1002100

@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. kind/bug Categorizes issue or PR as related to a bug. labels Mar 16, 2018
@liggitt liggitt added the sig/cli Categorizes an issue or PR as relevant to SIG CLI. label Mar 17, 2018
@k8s-ci-robot k8s-ci-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Mar 17, 2018
@dims
Copy link
Member

dims commented Mar 17, 2018

/milestone v1.10

(match PR being marked v1.10)

@k8s-ci-robot k8s-ci-robot added this to the v1.10 milestone Mar 17, 2018
@jdumars jdumars added the priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. label Mar 18, 2018
@k8s-github-robot
Copy link

[MILESTONENOTIFIER] Milestone Issue Needs Approval

@brendandburns @kubernetes/sig-cli-misc

Action required: This issue must have the status/approved-for-milestone label applied by a SIG maintainer.

Issue Labels
  • sig/cli: Issue will be escalated to these SIGs if needed.
  • priority/critical-urgent: Never automatically move issue out of a release milestone; continually escalate to contributor and SIG through all available channels.
  • kind/bug: Fixes a bug discovered during the current release.
Help

@jdumars
Copy link
Member

jdumars commented Mar 18, 2018

@soltysh @pwittrock @adohe PTAL ~ if this is 1.10 blocking, please add the approved-for-milestone label

k8s-github-robot pushed a commit that referenced this issue Mar 18, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix a bug where malformed paths don't get written to the destination dir

Fixes #61297

@liggitt @hansmi @cjcullen @jessfraz
@xingxingxia
Copy link

What happened:
kubectl cp :/some/remote/dir /some/local/dir
If the container returns a malformed tarfile with paths like:
'/some/remote/dir/../../../../tmp/foo' kubectl writes this to /tmp/foo instead of /some/local/dir/tmp/foo

@brendandburns hi, tried to figure out the steps that can reproduce the issue but didn't figure out [1]. I didn't understand what is (and how to prepare) container returns a malformed tarfile with paths like '/some/remote/dir/../../../../tmp/foo'. Could you give more detail for me to reproduce? Thx
[1] the steps I tried:

$ kubectl exec ruby-ex-1-qnq2n -- ls -d /opt/app-root/src
/opt/app-root/src
$ kubectl exec ruby-ex-1-qnq2n -- mkdir -p /tmp/pod-dir1 
$ kubectl exec ruby-ex-1-qnq2n -- touch /tmp/pod-dir1/a.txt 
$ mkdir -p mydir1/mydir2
$ kubectl cp ruby-ex-1-qnq2n:/opt/app-root/src/../../../tmp/pod-dir1 mydir1/mydir2/  # please correct me if my understanding is wrong
$ ls mydir1/mydir2/
a.txt

@hansmi
Copy link

hansmi commented May 2, 2018

@xingxingxia Red Hat's OpenShift product was also affected by this and comparable issues. I'll be publishing the proof-of-concept code at https://hansmi.ch/articles/2018-04-openshift-s2i-security on May 4, 2018.

@liggitt liggitt changed the title Kubectl copy doesn't check for paths outside of it's destination directory. CVE-2018-1002100: Kubectl copy doesn't check for paths outside of it's destination directory. May 16, 2019
@PushkarJ
Copy link
Member

/label official-cve-feed

(Related to kubernetes/sig-security#1)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. sig/cli Categorizes an issue or PR as relevant to SIG CLI.
Projects
None yet
Development

No branches or pull requests

10 participants