CVE-2019-1002101: kubectl fix potential directory traversal #75037
Update from Brandon @philips of the Kubernetes Security Committee:
A security issue was discovered with the Kubernetes
Am I vulnerable?
How do I upgrade?
Follow installation instructions here https://kubernetes.io/docs/tasks/tools/install-kubectl/
Not all instructions will provide up-to-date kubectl versions at the time of this announcement. So, always confirm with
The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine.
If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user.
Since fixing CVE-2018-1002100, the untar function calls the
See #75037 for details.
Thank you to the reporter Ariel Zelivansky of Twistlock for identifying the issue, Maciej Szulik, Tim Pepper, and the patch release managers for the coordination in making this release.
Brandon on behalf of the Kubernetes Product Security Committee
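The check the announcement describes, as an added example in Go that is not kubectl's own code: before an extractor writes anything, every tar entry's destination path and every symlink target is resolved against the extraction directory and rejected if it would land outside it. The function and error names and the destination path used in the comments are assumptions for this illustration.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// ErrTraversal marks an entry whose path or symlink target would land outside dest.
var ErrTraversal = errors.New("tar entry escapes destination")

// insideDest reports whether the cleaned path p stays at or below dest.
func insideDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ValidateTarPaths walks the archive as an extractor would and returns the on-disk path
// each entry would get under dest, or ErrTraversal for the first entry that would escape.
// filepath.Join collapses "../" segments and a leading "/" so insideDest can compare against
// dest; symlink targets are checked too, since an in-dest link pointing outside dest would
// let every later entry be written through it.
func ValidateTarPaths(r io.Reader, dest string) ([]string, error) {
	tr := tar.NewReader(r)
	var targets []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return targets, nil
		} else if err != nil {
			return nil, err
		}
		target := filepath.Join(dest, hdr.Name)
		if !insideDest(dest, target) {
			return nil, fmt.Errorf("%w: %q", ErrTraversal, hdr.Name)
		}
		if hdr.Typeflag == tar.TypeSymlink {
			link := hdr.Linkname
			if !filepath.IsAbs(link) {
				link = filepath.Join(filepath.Dir(target), link)
			}
			if !insideDest(dest, link) {
				return nil, fmt.Errorf("%w: symlink %q -> %q", ErrTraversal, hdr.Name, hdr.Linkname)
			}
		}
		targets = append(targets, target)
	}
}
```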
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: soltysh