
CVE-2019-1002101: kubectl fix potential directory traversal #75037

Merged
merged 1 commit into from Mar 6, 2019

Conversation

@soltysh
Contributor

soltysh commented Mar 6, 2019

What type of PR is this?
/kind bug

What this PR does / why we need it:
Fixes panic in kubectl cp command

Special notes for your reviewer:
/assign @tallclair @liggitt

Does this PR introduce a user-facing change?:

Fix panic in kubectl cp command

Update from Brandon @philips of the Kubernetes Security Committee:

A security issue was discovered with the Kubernetes kubectl cp command that could enable a directory traversal replacing or deleting files on a user’s workstation. The issue is High severity and upgrading kubectl to Kubernetes 1.11.9, 1.12.7, 1.13.5, and 1.14.0 is encouraged to fix this issue.

Am I vulnerable?

Run kubectl version --client and if it does not say client version 1.11.9, 1.12.7, 1.13.5, and 1.14.0 or newer you are running a vulnerable version.

How do I upgrade?

Follow installation instructions here https://kubernetes.io/docs/tasks/tools/install-kubectl/

Not all instructions will provide up to date kubectl versions at the time of this announcement. So, always confirm with kubectl version.

Vulnerability Details

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine.

If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user.

Since fixing CVE-2018-1002100, the untar function calls the cp.go:clean to strip path traversals. However, that function can both create and follow symbolic links.

See #75037 for details.

Thank you

Thank you to the reporter Ariel Zelivansky of Twistlock for identifying the issue, Maciej Szulik, Tim Pepper, and the patch release managers for the coordination in making this release.

Thank You,

Brandon on behalf of the Kubernetes Product Security Committee
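
The mechanism the announcement above describes (a lexical "strip ../" step that is blind to symlinks), shown in a self-contained Go example added here; it is not code from this PR or from kubectl. The archive is constructed in memory as a stand-in for what a tampered in-container tar would emit, sanitizeName is a simplified stand-in for the lexical sanitiser rather than kubectl's real stripPathShortcuts, and the dest and outside directory names are hypothetical. With hardened=false the file lands in outside/ although no entry name contains ".."; with hardened=true the symlink target is rejected and, as a second line of defence, each entry's real parent directory is resolved before anything is created under it.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// sanitizeName stands in (simplified) for the lexical "strip path traversals" step:
// it resolves the name against "/" so no ".." survives, but it knows nothing about symlinks.
func sanitizeName(name string) string {
	sep := string(filepath.Separator)
	return strings.TrimPrefix(filepath.Clean(sep+filepath.FromSlash(name)), sep)
}

// isWithin reports whether p is base itself or lies lexically underneath it.
func isWithin(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// buildMaliciousTar constructs, in memory, what a tampered in-container tar could emit:
// a symlink pointing outside dest, then a file written through it. No entry name contains "..".
func buildMaliciousTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	must := func(err error) { if err != nil { panic(err) } }
	body := []byte("overwritten by the container\n")
	must(tw.WriteHeader(&tar.Header{Name: "link", Typeflag: tar.TypeSymlink, Linkname: "../outside", Mode: 0o777}))
	must(tw.WriteHeader(&tar.Header{Name: "link/victim.txt", Typeflag: tar.TypeReg, Mode: 0o644, Size: int64(len(body))}))
	_, err := tw.Write(body)
	must(err)
	must(tw.Close())
	return buf.Bytes()
}

// untar unpacks archive under dest. hardened=false does only the lexical check (the vulnerable
// behaviour); hardened=true also rejects symlink targets that leave dest and resolves each entry's
// real parent directory before creating it, to confirm it is still inside dest.
func untar(dest string, archive []byte, hardened bool) error {
	dest, err := filepath.EvalSymlinks(dest) // temp dirs are often symlinked (/var -> /private/var)
	if err != nil { return err }
	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF { return nil }
		if err != nil { return err }
		target := filepath.Join(dest, sanitizeName(hdr.Name))
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil { return err }
		if hardened { // an earlier symlink entry may have moved this parent elsewhere
			realParent, err := filepath.EvalSymlinks(filepath.Dir(target))
			if err != nil { return err }
			if !isWithin(dest, realParent) {
				return fmt.Errorf("refusing %q: parent resolves to %s, outside %s", hdr.Name, realParent, dest)
			}
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink:
			resolved := filepath.Join(filepath.Dir(target), hdr.Linkname)
			if hardened && (filepath.IsAbs(hdr.Linkname) || !isWithin(dest, resolved)) {
				return fmt.Errorf("refusing symlink %q -> %q: target leaves %s", hdr.Name, hdr.Linkname, dest)
			}
			if err := os.Symlink(hdr.Linkname, target); err != nil { return err }
		case tar.TypeReg:
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode))
			if err != nil { return err }
			_, err = io.Copy(f, tr)
			if cerr := f.Close(); err == nil { err = cerr }
			if err != nil { return err }
		default:
			return fmt.Errorf("unsupported entry type %c for %q", hdr.Typeflag, hdr.Name)
		}
	}
}

// runScenario extracts the archive into a fresh temp "dest" beside a sibling "outside"
// directory (both hypothetical names) and reports whether outside/victim.txt got written.
func runScenario(hardened bool) (escaped bool, untarErr error, err error) {
	root, err := os.MkdirTemp("", "kubectl-cp-demo")
	if err != nil { return false, nil, err }
	defer os.RemoveAll(root)
	dest, outside := filepath.Join(root, "dest"), filepath.Join(root, "outside")
	for _, d := range []string{dest, outside} {
		if err := os.Mkdir(d, 0o755); err != nil { return false, nil, err }
	}
	untarErr = untar(dest, buildMaliciousTar(), hardened)
	_, statErr := os.Stat(filepath.Join(outside, "victim.txt"))
	return statErr == nil, untarErr, nil
}

func main() {
	for _, hardened := range []bool{false, true} {
		escaped, untarErr, err := runScenario(hardened)
		fmt.Printf("hardened=%v escaped=%v untarErr=%v setupErr=%v\n", hardened, escaped, untarErr, err)
	}
}
```

The parent-resolution check is the one worth keeping even if the link-target check looks sufficient: a lexical check on link targets alone can be fooled by a link whose own path already passes through an earlier symlink, whereas resolving the real parent directory immediately before each create catches every such chain.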

@soltysh

Contributor Author

soltysh commented Mar 6, 2019

/priority important-soon
/sig cli

@k8s-ci-robot

Contributor

k8s-ci-robot commented Mar 6, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: soltysh


@soltysh

Contributor Author

soltysh commented Mar 6, 2019

/test pull-kubernetes-integration

@soltysh soltysh force-pushed the soltysh:cp_bug branch from dd99c3b to ee7edb7 Mar 6, 2019

@soltysh

Contributor Author

soltysh commented Mar 6, 2019

/test pull-kubernetes-e2e-gce-100-performance

@tallclair
Member

tallclair left a comment

/lgtm

Thanks!

linkname := header.Linkname
// error is returned if linkname can't be made relative to destFile,
// but relative can end up being ../dir that's why we also need to
// verify if relative path is the same after Clean-ing

@tallclair

tallclair Mar 6, 2019

Member

nit:

Suggested change
// verify if relative path is the same after Clean-ing
// verify if relative path is the same after removing backticks

@k8s-ci-robot k8s-ci-robot added the lgtm label Mar 6, 2019

@k8s-ci-robot k8s-ci-robot merged commit 4706389 into kubernetes:master Mar 6, 2019

17 checks passed

cla/linuxfoundation: soltysh authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-conformance-image-test: Skipped.
pull-kubernetes-cross: Skipped.
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-100-performance: Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-godeps: Skipped.
pull-kubernetes-integration: Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big: Job succeeded.
pull-kubernetes-local-e2e: Skipped.
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-typecheck: Job succeeded.
pull-kubernetes-verify: Job succeeded.
pull-publishing-bot-validate: Skipped.
tide: In merge pool.
// but relative can end up being ../dir that's why we also need to
// verify if relative path is the same after Clean-ing
relative, err := filepath.Rel(destFile, linkname)
if path.IsAbs(linkname) && (err != nil || relative != stripPathShortcuts(relative)) {

@tedyu

tedyu Mar 6, 2019

Contributor

Should this check be separated into a util class so that other calls to os.Symlink() can utilize ?

@tedyu

Contributor

tedyu commented Mar 6, 2019

Reading the untarAll() function, I think the

defer outFile.Close()

on line 483 is redundant with the call on line 487.

Created PR #75074

@soltysh soltysh deleted the soltysh:cp_bug branch Mar 7, 2019

k8s-ci-robot added a commit that referenced this pull request Mar 12, 2019

Merge pull request #75042 from soltysh/automated-cherry-pick-of-#7503…
…7-upstream-release-1.12

Automated cherry pick of #75037: Fix panic in kubectl cp command

k8s-ci-robot added a commit that referenced this pull request Mar 18, 2019

Merge pull request #75041 from soltysh/automated-cherry-pick-of-#7503…
…7-upstream-release-1.13

Automated cherry pick of #75037: Fix panic in kubectl cp command

k8s-ci-robot added a commit that referenced this pull request Mar 21, 2019

Merge pull request #75043 from soltysh/automated-cherry-pick-of-#7503…
…7-upstream-release-1.11

Automated cherry pick of #75037: Fix panic in kubectl cp command

@philips philips changed the title Fix panic in kubectl cp command kubectl fix potential directory traversal - CVE-2019-1002101 Mar 28, 2019

@liggitt liggitt changed the title kubectl fix potential directory traversal - CVE-2019-1002101 CVE-2019-1002101: kubectl fix potential directory traversal Mar 28, 2019
