Bug 1693313

Summary: CVE-2019-1002101 - oc/kubectl fix potential directory traversal
Product: OpenShift Container Platform
Reporter: Maciej Szulik <maszulik>
Component: oc
Assignee: Maciej Szulik <maszulik>
Status: CLOSED DUPLICATE
QA Contact: Xingxing Xia <xxia>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.1.0
CC: aos-bugs, fshaikh, jokerman, mmccomas, nbhatt
Target Milestone: ---
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Insufficient checks while untarring copied contents allowed tar entries to "escape" the destination directory. Consequence: A malicious tar could overwrite contents on the user's file system. Fix: Improve the checks applied when untarring copied contents. Result: The tarred contents do not escape the destination directory.
Story Points: ---
Clone Of:
Clones: 1693315
Environment:
Last Closed: 2019-05-02 09:19:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1693315, 1693318, 1693320
Attachments: pwn.tar (flags: none)

Comment 2 Xingxing Xia 2019-04-01 08:05:43 UTC
First prepare data:
oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git
oc get po
NAME               READY   STATUS      RESTARTS   AGE
ruby-ex-1-deploy   0/1     Completed   0          3m46s
ruby-ex-1-qdcvp    1/1     Running     0          3m30s

oc rsh ruby-ex-1-qdcvp
sh-4.2$ cd /tmp
sh-4.2$ ln -s /bin/ls mysl

Then reproduce it with old oc that does not include the fix, e.g. 4.0.18:
4.0.18/oc cp ruby-ex-1-qdcvp:/tmp/mysl ./
tar: Removing leading `/' from member names
ls -l
lrwxrwxrwx. 1 tester qe         7 Apr  1 15:13 mysl -> /bin/ls

Finally use new oc that includes the fix, e.g. 4.0.22:
4.0.22/oc cp ruby-ex-1-qdcvp:/tmp/mysl ./
tar: Removing leading `/' from member names
warning: link "mysl" is pointing to "/bin/ls" which is outside target destination, skipping  <-- the issue is fixed

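The Doc Text above describes the fix only as "improve checks when untarring", and Comment 2 shows the observable result: the fixed oc refuses the symlink "mysl -> /bin/ls" with a warning. The following Go program is an added illustration of what such a containment check looks like; it is not the upstream kubectl/oc patch and does not reproduce its code. It builds a small in-memory tar (constructed sample data, not the pwn.tar attachment) holding a benign file, the absolute symlink from the reproducer, a relative symlink that climbs out of the tree, a "../" path entry, and a relative symlink that legitimately stays inside the tree, then classifies every entry against a placeholder destination directory without writing anything to disk.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// isUnderDest reports whether the cleaned absolute path p lies inside the
// cleaned absolute directory dest (dest itself counts as inside).
func isUnderDest(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// checkTarEntry validates one archive header against dest. A non-nil error
// means the entry must be skipped: its own path, or for a symlink its link
// target, would resolve outside dest. Nothing is written to disk.
func checkTarEntry(dest string, hdr *tar.Header) error {
	dest, err := filepath.Abs(dest)
	if err != nil {
		return err
	}
	// Drop any leading "/" as tar itself does, then anchor the name under dest.
	// filepath.Join cleans the result, so "../" components are collapsed
	// before the containment check instead of surviving into the path.
	name := strings.TrimLeft(filepath.ToSlash(hdr.Name), "/")
	target := filepath.Join(dest, filepath.FromSlash(name))
	if !isUnderDest(dest, target) {
		return fmt.Errorf("entry %q resolves to %q which is outside target destination", hdr.Name, target)
	}
	if hdr.Typeflag == tar.TypeSymlink {
		// A relative link target is resolved against the link's own directory;
		// an absolute one is taken as-is. Either way it must stay under dest,
		// which is the check that catches "mysl -> /bin/ls" from Comment 2.
		link := filepath.FromSlash(hdr.Linkname)
		resolved := filepath.Clean(link)
		if !filepath.IsAbs(link) {
			resolved = filepath.Join(filepath.Dir(target), link)
		}
		if !isUnderDest(dest, resolved) {
			return fmt.Errorf("link %q is pointing to %q which is outside target destination", hdr.Name, hdr.Linkname)
		}
	}
	return nil
}

// scanArchive walks a tar stream and splits its entries into the names that
// are safe to extract under dest and the names that must be skipped, keyed
// to the reason. It is the read-only counterpart of an extraction loop.
func scanArchive(dest string, r io.Reader) ([]string, map[string]string, error) {
	var accepted []string
	skipped := map[string]string{}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return accepted, skipped, nil
		}
		if err != nil {
			return nil, nil, err
		}
		if cerr := checkTarEntry(dest, hdr); cerr != nil {
			skipped[hdr.Name] = cerr.Error()
			continue
		}
		accepted = append(accepted, hdr.Name)
	}
}

// buildSampleTar constructs the sample archive used by this example
// (constructed data, not the bug's pwn.tar attachment).
func buildSampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	write := func(h *tar.Header, body string) {
		h.Size = int64(len(body))
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
		if _, err := tw.Write([]byte(body)); err != nil {
			panic(err)
		}
	}
	write(&tar.Header{Name: "ok.txt", Mode: 0644, Typeflag: tar.TypeReg}, "hello\n")
	write(&tar.Header{Name: "mysl", Mode: 0777, Typeflag: tar.TypeSymlink, Linkname: "/bin/ls"}, "")
	write(&tar.Header{Name: "sub/link", Mode: 0777, Typeflag: tar.TypeSymlink, Linkname: "../../etc/passwd"}, "")
	write(&tar.Header{Name: "../evil.txt", Mode: 0644, Typeflag: tar.TypeReg}, "owned\n")
	write(&tar.Header{Name: "sub/sibling", Mode: 0777, Typeflag: tar.TypeSymlink, Linkname: "../ok.txt"}, "")
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// "/home/tester/out" is a placeholder destination; nothing is created there.
	accepted, skipped, err := scanArchive("/home/tester/out", bytes.NewReader(buildSampleTar()))
	if err != nil {
		panic(err)
	}
	for _, n := range accepted {
		fmt.Println("extract:", n)
	}
	for _, why := range skipped {
		fmt.Printf("warning: %s, skipping\n", why)
	}
}
```

Running it accepts "ok.txt" and "sub/sibling" (the latter points at "../ok.txt", which still resolves inside the destination) and skips "mysl", "sub/link" and "../evil.txt". The two checks are deliberately separate: cleaning the entry name defends against "../" in paths, while resolving the symlink target defends against the case in this bug, where the path itself is harmless and only the link destination escapes.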
Comment 6 Xingxing Xia 2019-04-08 13:44:55 UTC
Created attachment 1553633 [details]
pwn.tar

Comment 11 Maciej Szulik 2019-05-02 09:19:55 UTC

*** This bug has been marked as a duplicate of bug 1686294 ***