Bug 1744588 (CVE-2019-18466)

Summary: CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpected results of copy operation
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, aos-bugs, bbaude, bleanhar, bmontgom, ccoleman, dedgar, dwalsh, eparis, jburrell, jgoulding, jligon, jnovy, jokerman, lsm5, mchappel, mheon, mpatel, nstielau, qiwan, rschiron, rtillery, santiago, sponnaga, umohnani
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was discovered that podman resolves a symlink in the host context during a copy operation from the container to the host. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-01 04:31:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1748474, 1754354, 1754355, 1759528, 1762544    
Bug Blocks: 1744596    

Description Marian Rehak 2019-08-22 13:53:38 UTC 
'podman cp' will resolve a carefully crafted symlink in host-filesystem space, yielding unexpected results when cp'ing from container to host. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.

Upstream Issue:
https://github.com/containers/libpod/issues/3829
Comment 6 Qi Wang 2019-09-10 16:27:30 UTC 
This is a duplicate of this issue https://bugzilla.redhat.com/show_bug.cgi?id=1741709
Comment 7 Riccardo Schirone 2019-09-19 14:35:22 UTC 
Upstream patch:
https://github.com/containers/libpod/commit/5c09c4d2947a759724f9d5aef6bac04317e03f7e
Comment 9 Sam Fowler 2019-09-23 02:48:49 UTC 
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1754354]
Comment 13 Daniel Walsh 2019-10-16 20:23:17 UTC 
Matt, Ed, Brent, Jhon do we have a fix for this?
Comment 14 Ed Santiago 2019-10-16 20:32:19 UTC 
#3829 is closed, and I've added regression tests, so I think this is resolved. I'm reluctant to close because I don't know which exact version and stream the reporter is on.
Comment 17 Sam Fowler 2020-01-15 01:17:18 UTC 
Statement:

This issue did not affect the versions of podman as shipped with Red Hat Enterprise Linux 8 as they did not include support for the copy function.

This issue did not affect the versions of podman as shipped in OpenShift Container Platform 3.11 and 4.1 as they did not include support for the copy function.

The version of podman shipped in OpenShift Container Platform 4.2 was superseded by the version delivered Red Hat Enterprise Linux 8.
Comment 18 errata-xmlrpc 2020-04-01 00:25:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1227 https://access.redhat.com/errata/RHSA-2020:1227
Comment 19 Product Security DevOps Team 2020-04-01 04:31:49 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-18466