Bug 1817651 (CVE-2020-10696)
| Summary: | CVE-2020-10696 buildah: Crafted input tar file may lead to local file overwrite during image build process | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marco Benatto <mbenatto> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | adam.kaplan, amurdaca, aos-bugs, bbaude, bmontgom, dbecker, debarshir, dwalsh, eparis, ikavalio, imcleod, jburrell, jjoyce, jligon, jnovy, jokerman, jschluet, jshepherd, kbasil, lfriedma, lhh, lpeer, lsm5, mburns, mheon, mpatel, nalin, nstielau, rh.container.bot, santiago, sclewis, slinaber, sponnaga, thoger, tsweeney, umohnani, wzheng |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | buildah-1.14.5 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A path traversal flaw was found in Buildah. This flaw allows an attacker to trick a user into building a malicious container image hosted on an HTTP(s) server and then write files to the user's system anywhere that the user has permissions.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-14 16:31:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1817687, 1817688, 1817691, 1817692, 1817693, 1817694, 1817738, 1817739, 1817740, 1817741, 1817742, 1817743, 1817744, 1817745, 1817746, 1817747, 1817791, 1817792, 1818120, 1818121, 1818122, 1818125, 1818126, 1818127, 1819046, 1819047, 1819048, 1819049, 1819325, 1819326, 1819327, 1819328, 1819329, 1819330, 1819331, 1819332, 1819333, 1819334, 1819391, 1819393, 1819429, 1819430, 1819431, 1819432, 1819809, 1819810, 1819811, 1819812 | ||
| Bug Blocks: | 1814229 | ||
|
Description
Marco Benatto
2020-03-26 17:49:45 UTC
Acknowledgments: Name: Erik Sjölund Upstream commit for this issue: https://github.com/containers/buildah/commit/c61925b8936e93a5e900f91b653a846f7ea3a9ed Created buildah tracking bugs for this issue: Affects: fedora-30 [bug 1817687] Affects: fedora-31 [bug 1817688] Affects: openstack-rdo [bug 1817693] Created podman tracking bugs for this issue: Affects: fedora-30 [bug 1817691] Affects: fedora-31 [bug 1817692] Affects: openstack-rdo [bug 1817694] For openshift-3.11 openshift/imagebuilder does not depend on buildah, or podman. Also it doesn't allow a user to host a Dockerfile over HTTP. Note, while there is a fix for buildah, it has not been vendored into Podman yet. We have a lot of other distributions using podman, we have to make sure they are in on this. There's a issue on buildah during container image building process. Currently if buildah fails to fetch the content used as parameter for building, it tries to refetch it again without properly cleanup the build directory. An attack may leverage this by crafting a malicious input which will force buildah to overwrite any existing file which task's owner has write access. I agree this is low, no one is using podman on a Openshift nodes, directly, it is only being used for the install and maintenance of images. Therefore noone is going to execute podman build. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:1401 https://access.redhat.com/errata/RHSA-2020:1401 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:1396 https://access.redhat.com/errata/RHSA-2020:1396 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10696 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2020:1449 https://access.redhat.com/errata/RHSA-2020:1449 Statement: While OpenShift Container Platform does include the vulnerable buildah code, it doesn't make use of the vulnerable function. Podman is also included in OpenShift Container Platform, but it isn't used to perform a build, so it has been given a low impact rating. OpenShift Container Platform 3.11 now used podman from the RHEL Extra repository, and not the podman package shipped in the OpenShift 3.11 RPM repository. This issue is fixed in podman in RHEL Extras so we won't fix the podman package shipped in the OpenShift 3.11 RPM repository. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1926 https://access.redhat.com/errata/RHSA-2020:1926 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1931 https://access.redhat.com/errata/RHSA-2020:1931 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1932 https://access.redhat.com/errata/RHSA-2020:1932 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:2116 https://access.redhat.com/errata/RHSA-2020:2116 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:2117 https://access.redhat.com/errata/RHSA-2020:2117 |