-
Notifications
You must be signed in to change notification settings - Fork 39k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2018-1002100: Kubectl copy doesn't check for paths outside of it's destination directory. #61297
Comments
|
/milestone v1.10 (match PR being marked v1.10) |
|
[MILESTONENOTIFIER] Milestone Issue Needs Approval @brendandburns @kubernetes/sig-cli-misc Action required: This issue must have the Issue Labels
|
|
@soltysh @pwittrock @adohe PTAL ~ if this is 1.10 blocking, please add the approved-for-milestone label |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Fix a bug where malformed paths don't get written to the destination dir Fixes #61297 @liggitt @hansmi @cjcullen @jessfraz
@brendandburns hi, tried to figure out the steps that can reproduce the issue but didn't figure out [1]. I didn't understand what is (and how to prepare) container returns a |
|
@xingxingxia Red Hat's OpenShift product was also affected by this and comparable issues. I'll be publishing the proof-of-concept code at https://hansmi.ch/articles/2018-04-openshift-s2i-security on May 4, 2018. |
|
/label official-cve-feed (Related to kubernetes/sig-security#1) |
Is this a BUG REPORT or FEATURE REQUEST?: Bug
/kind bug
What happened:
kubectl cp :/some/remote/dir /some/local/dir
If the container returns a malformed tarfile with paths like:
'/some/remote/dir/../../../../tmp/foo' kubectl writes this to
/tmp/fooinstead of/some/local/dir/tmp/fooWhat you expected to happen:
I expect kubectl to clean up the path and write to
/some/local/dir/tmp/fooNotes
Original credit to @hansmi (Michael Hanselmann) for originally reporting the bug.
Tracked as CVE-2018-1002100
The text was updated successfully, but these errors were encountered: