Bug 1784267

Summary: Remove quay.io from the default search list
Product: Red Hat Enterprise Linux 8
Reporter: Jason Shepherd <jshepherd>
Component: container-tools-rhel8-module
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact: Gabriela Nečasová <gnecasov>
Priority: unspecified
Version: 8.1
CC: dmoppert, dornelas, dwalsh, jligon, jnovy, lmanasko, lsm5, pthomas, tsweeney, yujiang
Target Milestone: rc
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: skopeo-0.1.40-8.el8
Doc Type: Bug Fix
Doc Text:
Pulling images from the quay.io registry no longer leads to unintended images

Previously, having the quay.io container image registry listed in the default registries search list provided in `/etc/containers/registries.conf` could allow a user to pull a spoofed image when using a short name. To fix this issue, the quay.io container image registry has been removed from the default registries search list in `/etc/containers/registries.conf`. As a result, pulling images from the `quay.io` registry now requires users to specify the full repository name, such as `quay.io/myorg/myimage`. The quay.io registry can be added back to the default registries search list in `/etc/containers/registries.conf` to re-enable pulling container images using short names; however, this is not recommended because it could create a security risk.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-04-28 15:52:09 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1186913, 1734579

Description Jason Shepherd 2019-12-17 06:38:25 UTC
Description of problem:

Having multiple public repositories in the list can lead to typosquatting and supply chain attacks against Red Hat customers.


Version-Release number of selected component (if applicable):

container-tools-1:0.1.37-5.module+el8.1.0+4240+893c1ab8
From repo: rhel-8-for-x86_64-appstream-rpms

How reproducible:

$ cat /etc/containers/registries.conf | grep registries.search -A 1


Actual results:

[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']


Expected results:

[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'registry.centos.org']



Additional info:

https://github.com/containers/libpod/issues/4549

Comment 1 Daniel Walsh 2019-12-17 14:16:53 UTC
Also docker.io should be moved to the end of the list.
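Added example (not code from the bug report or from the container-tools project): a small Python check that parses the `[registries.search]` list from a registries.conf in the v1 layout shown in the description and flags the two conditions raised above, quay.io present in the list and docker.io not last. The sample configuration is constructed from the report's "Actual results"; the parser handles only the single-line `registries = [...]` array form shown there.

```python
import re

# Constructed sample mirroring the "Actual results" shown in the report.
SAMPLE_CONF = """\
[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']

[registries.insecure]
registries = []
"""

_ARRAY_RE = re.compile(r"^registries\s*=\s*\[(.*)\]$")


def parse_search_list(conf_text):
    """Return the registries under [registries.search], in order ([] if absent)."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()  # track the current TOML table
            continue
        m = _ARRAY_RE.match(line)
        if m and section == "registries.search":
            return [s.strip().strip("'\"") for s in m.group(1).split(",") if s.strip()]
    return []


def short_name_candidates(name, search_list):
    """Registries a short (unqualified) image name is tried against, in order.
    docker.io's extra 'library/' prefix for single-segment names is not modelled."""
    return [f"{reg}/{name}" for reg in search_list]


def check_search_list(search_list):
    """Findings for the conditions raised in the report; [] when none apply."""
    findings = []
    if "quay.io" in search_list:
        findings.append("quay.io is in the search list; remove it (fixed in skopeo-0.1.40-8.el8)")
    if "docker.io" in search_list and search_list[-1] != "docker.io":
        findings.append("docker.io is not last in the search order (comment 1)")
    return findings


if __name__ == "__main__":
    regs = parse_search_list(SAMPLE_CONF)
    print("short name 'myimage' is tried against:", short_name_candidates("myimage", regs))
    for finding in check_search_list(regs):
        print("FINDING:", finding)
```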

Comment 5 Yuhui Jiang 2020-03-30 10:12:56 UTC
According to comment#4, move the status to VERIFIED

Comment 14 errata-xmlrpc 2020-04-28 15:52:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1650