Bug 1905945 (CVE-2020-27833)

Summary: CVE-2020-27833 openshift/oc: zip slip - arbitrary file write vulnerability / arbitrary code execution using a specially crafted container image
Product: [Other] Security Response Reporter: Mark Cooper <mcooper>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bmontgom, dfreiber, drow, eparis, jburrell, jokerman, nstielau, security-response-team, sponnaga, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A Zip Slip vulnerability was found in the oc binary in openshift-clients where an arbitrary file write is achieved by using a specially crafted raw container image (.tar file) which contains symbolic links. The vulnerability is limited to the command `oc image extract`. If a symbolic link is first created pointing within the tarball, this allows further symbolic links to bypass the existing path check. This flaw allows the tarball to create links outside the tarball's parent directory, allowing for executables or configuration files to be overwritten, resulting in arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 01:43:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1966503, 1905948    
Bug Blocks: 1903168, 1939574    

Description Mark Cooper 2020-12-09 11:10:30 UTC 
A vulnerability was found in all versions of the `oc` binary packaged in openshift-clients, limited to the `oc image extract` command. An arbitrary file read and/or write can be achieved using a specially crafted container image (.tar file) that holds symbolic links. When a symbolic link is first created pointing within the tarball this bypasses the existing path checks. Subsequent symbolic links can then be created to link outside of the tarball's parent directory. If an executable or configuration file can be overwritten as a result, the vulnerability can turn into arbitrary code execution.
Comment 6 Mark Cooper 2020-12-15 01:07:00 UTC 
Acknowledgments:

Name: Chris Smowton (GitHub Security Lab)
Comment 8 Mark Cooper 2020-12-15 02:17:35 UTC 
Mitigation:

The option `--only-files=true` can be specified to ensure that only files and directories from the image are extracted and symbolic links are ignored. While this means that if a  image does implement malicious symbolic links, no links will be created outside the parent tarball. However, this does mean that if legitimate symbolic links are specific within the image these will also not be created.
Comment 10 Mark Cooper 2021-10-28 01:43:12 UTC 
Closing old flaw bug