Bug 1715667 (CVE-2019-10152)
| Summary: | CVE-2019-10152 podman: Improper symlink resolution allows access to host files when executing `podman cp` on running containers | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | ahardin, aos-bugs, bbaude, bleanhar, bmontgom, ccoleman, dedgar, dominik.mierzejewski, dornelas, dwalsh, eparis, fhirtz, frantisek.kluknavsky, jburrell, jcoscia, jgoulding, jligon, jnovy, jokerman, jwang, lsm5, mchappel, mheon, mpatel, nstielau, pasik, sfowler, sponnaga, umohnani, ypu |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | podman 1.4.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | A path traversal vulnerability has been discovered in podman in the way it handles symlinks inside containers. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-07-29 19:18:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1715668, 1717771 | | |
| Bug Blocks: | 1714728 | | |
Description
Sam Fowler
2019-05-30 23:57:42 UTC
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1715668]

Function copyBetweenHostAndContainer() in cmd/podman/cp.go does not properly restrict the destination path of the copy operation, allowing an attacker who has control of a container to copy/overwrite files in the host filesystem instead of the container's. During the `podman cp` operation, the destination path in the container is just joined with the base directory that contains the / root filesystem of the container from the host's point of view. Thus a symlink in one of the components of the destination path can easily go outside the base directory of the container and access the host filesystem.

Set Attack Complexity to High (AC:H) because the attacker cannot really choose what to write in the host filesystem, because that is chosen by the admin when doing the `podman cp` operation. However, the attacker can choose where to write in the host filesystem, which may corrupt the host at best or allow the attacker access to it in the worst case. Set User Interaction Required (UI:R) because an admin needs to issue a `podman cp` command to trigger the flaw, and Privileges Required Low (PR:L) because the attacker already needs to have some privilege in a running container to set up the attack. For these reasons, the flaw has a Medium impact.

On RHEL 7.6 and lower versions, users are forced to run podman as root because non-root users cannot run it, so an attacker can potentially overwrite any file writable by root.

Upstream Patch: https://github.com/containers/storage/commit/a6d51f68042c7dfd5a50e56fe291fcb2c6df97fb

Statement: This issue does not affect the versions of podman as shipped with OpenShift Container Platform 4.1 or Red Hat Enterprise Linux 8 as they do not include support for the `cp` command.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:1907 https://access.redhat.com/errata/RHSA-2019:1907

This bug is now closed.
Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10152 |
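The mechanism in the description, as an added illustration that is not podman's code and not the upstream patch: `NaiveJoin` reproduces the flawed pattern (host-side container root joined with the in-container destination, symlinks left for the kernel to follow), `ScopedJoin` resolves every path component itself so that absolute link targets restart at the container root and `..` can never climb above it, and `Escapes` is the check an operator can run on any computed host path. The temporary directory stands in for the container's root filesystem as seen from the host, and the `escape`, `up` and `loop` symlinks are constructed here to play the attacker's part; all function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// maxLinkHops bounds symlink expansion so a link cycle planted in the container
// cannot spin the resolver forever.
const maxLinkHops = 255

// NaiveJoin is the pattern the report describes: the in-container destination is
// appended to the host directory holding the container's root filesystem, and any
// symlink along the way is followed by the kernel when the file is opened.
func NaiveJoin(root, dest string) string {
	return filepath.Join(root, dest)
}

// ScopedJoin resolves dest the way the container itself sees it: each symlink is
// read rather than followed, an absolute link target restarts at the container root,
// and ".." cannot climb above it, so the returned host path is always under root.
// Minimal illustration of the idea; not the upstream fix.
func ScopedJoin(root, dest string) (string, error) {
	root = filepath.Clean(root)
	rel := "/"                                        // position inside the container tree
	queue := strings.Split(path.Clean("/"+dest), "/") // components still to resolve
	hops := 0
	for len(queue) > 0 {
		comp := queue[0]
		queue = queue[1:]
		switch comp {
		case "", ".":
			continue
		case "..":
			rel = path.Dir(rel) // path.Dir("/") == "/", so this clamps at the root
			continue
		}
		next := path.Join(rel, comp)
		hostPath := filepath.Join(root, filepath.FromSlash(next))
		fi, err := os.Lstat(hostPath)
		if errors.Is(err, os.ErrNotExist) {
			rel = next // a copy destination may not exist yet; keep building the path
			continue
		}
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			rel = next
			continue
		}
		if hops++; hops > maxLinkHops {
			return "", fmt.Errorf("too many symlinks while resolving %q", dest)
		}
		target, err := os.Readlink(hostPath)
		if err != nil {
			return "", err
		}
		if path.IsAbs(target) {
			rel = "/" // "/" inside the container is the container root, not the host root
		}
		queue = append(strings.Split(target, "/"), queue...) // relative targets resolve from rel
	}
	return filepath.Join(root, filepath.FromSlash(rel)), nil
}

// Escapes reports whether opening hostPath would land outside root once the kernel
// follows symlinks. It resolves the longest existing prefix, so it also works for a
// destination file that has not been created yet.
func Escapes(root, hostPath string) (bool, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return false, err
	}
	for p := filepath.Clean(hostPath); ; p = filepath.Dir(p) {
		resolved, err := filepath.EvalSymlinks(p)
		if err == nil {
			inside := resolved == realRoot || strings.HasPrefix(resolved, realRoot+string(filepath.Separator))
			return !inside, nil
		}
		if !errors.Is(err, os.ErrNotExist) || filepath.Dir(p) == p {
			return false, fmt.Errorf("cannot resolve %q: %v", hostPath, err)
		}
	}
}

// SetupHostileRoot creates a throw-away directory standing in for a container's root
// filesystem as seen from the host, with links an attacker in the container could plant:
// escape -> / (absolute), up -> ../../.. (relative climb), loop -> loop (cycle).
func SetupHostileRoot() (string, error) {
	root, err := os.MkdirTemp("", "ctr-root-")
	if err != nil {
		return "", err
	}
	for name, target := range map[string]string{"escape": "/", "up": "../../..", "loop": "loop"} {
		if err := os.Symlink(target, filepath.Join(root, name)); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := SetupHostileRoot()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	dest := "/escape/etc/cron.d/job" // what the admin typed after CTR: in podman cp
	naive := NaiveJoin(root, dest)
	esc, _ := Escapes(root, naive)
	fmt.Printf("naive:  %s (escapes root: %v)\n", naive, esc)
	safe, err := ScopedJoin(root, dest)
	if err != nil {
		panic(err)
	}
	esc, _ = Escapes(root, safe)
	fmt.Printf("scoped: %s (escapes root: %v)\n", safe, esc)
}
```

With the `escape` link in place, the naive path for `/escape/etc/cron.d/job` opens under the host's `/etc`, exactly the attacker-chosen "where" the CVSS note refers to, while the scoped path stays at `<root>/etc/cron.d/job`. The relative `up` link is clamped at the root, and the self-referential `loop` link is rejected once the hop budget is exhausted; a resolver without that bound would hang the `podman cp` invocation instead.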