Bug 1693313 - CVE-2019-1002101 - oc/kubectl fix potential directory traversal
Summary: CVE-2019-1002101 - oc/kubectl fix potential directory traversal
Keywords:
Status: CLOSED DUPLICATE of bug 1686294
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 4.1.0
Assignee: Maciej Szulik
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks: 1693315 1693318 1693320
Reported: 2019-03-27 14:15 UTC by Maciej Szulik
Modified: 2019-05-06 13:00 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Insufficient checks during untarring of copied contents allowed tar contents to "escape" the destination directory. Consequence: It was possible to use a malicious tar to overwrite contents on the user's file system. Fix: Improve checks when untarring copied contents. Result: The tarred contents do not escape the destination directory.
Clone Of:
Clones: 1693315
Environment:
Last Closed: 2019-05-02 09:19:55 UTC
Target Upstream Version:
Embargoed:


Attachments
pwn.tar (10.00 KB, application/x-tar)
2019-04-08 13:44 UTC, Xingxing Xia

Comment 2 Xingxing Xia 2019-04-01 08:05:43 UTC
First, prepare the data:
oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git
oc get po
NAME               READY   STATUS      RESTARTS   AGE
ruby-ex-1-deploy   0/1     Completed   0          3m46s
ruby-ex-1-qdcvp    1/1     Running     0          3m30s

oc rsh ruby-ex-1-qdcvp
sh-4.2$ cd /tmp
sh-4.2$ ln -s /bin/ls mysl

Then reproduce it with an old oc that does not include the fix, e.g. 4.0.18:
4.0.18/oc cp ruby-ex-1-qdcvp:/tmp/mysl ./
tar: Removing leading `/' from member names
ls -l
lrwxrwxrwx. 1 tester qe         7 Apr  1 15:13 mysl -> /bin/ls

Finally, use a new oc that includes the fix, e.g. 4.0.22:
4.0.22/oc cp ruby-ex-1-qdcvp:/tmp/mysl ./
tar: Removing leading `/' from member names
warning: link "mysl" is pointing to "/bin/ls" which is outside target destination, skipping  <-- the issue is fixed
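
As an added illustration of the check the Doc Text describes and the warning shown in Comment 2 (example code written for this page, not kubectl's or oc's own implementation): a lexical pre-check of tar headers that refuses member names and symlink targets that would resolve outside the destination directory before anything is written. The destination path `/srv/dest` and the in-memory tar are constructed test data; `filepath.IsLocal` needs Go 1.20 or newer.

```go
package main
import (
	"archive/tar"
	"bytes"
	"io"
	"path/filepath"
)
// within reports whether cleaned path p lies under directory dest (lexical check only).
func within(dest, p string) bool {
	rel, err := filepath.Rel(dest, p)
	return err == nil && filepath.IsLocal(rel)
}
// CheckTarEntries inspects every header of a tar stream and reports, per member name, why it
// would be skipped ("" = safe). Only header paths are checked; links already on disk are not followed.
func CheckTarEntries(dest string, r io.Reader) (map[string]string, error) {
	out, tr := map[string]string{}, tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return out, nil
		} else if err != nil {
			return nil, err
		}
		target := filepath.Join(dest, hdr.Name) // Join keeps an absolute member name under dest, like tar's leading "/" removal
		link := hdr.Linkname
		if !filepath.IsAbs(link) { // relative targets resolve from the entry's own directory
			link = filepath.Join(filepath.Dir(target), link)
		}
		reason := ""
		if !within(dest, target) {
			reason = "member name escapes destination"
		} else if hdr.Typeflag == tar.TypeSymlink && !within(dest, link) {
			reason = "link points outside target destination, skipping"
		}
		out[hdr.Name] = reason
	}
}
// sampleTar is constructed test data (not the attached pwn.tar): a safe file,
// a symlink to an absolute path outside dest, and a member name using "..".
func sampleTar() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range []*tar.Header{{Name: "safe.txt", Typeflag: tar.TypeReg},
		{Name: "mysl", Typeflag: tar.TypeSymlink, Linkname: "/bin/ls"},
		{Name: "../escape.txt", Typeflag: tar.TypeReg}} {
		tw.WriteHeader(h)
	}
	tw.Close()
	return buf.Bytes()
}
```

Running `CheckTarEntries("/srv/dest", bytes.NewReader(sampleTar()))` accepts only `safe.txt`; the symlink and the `..` entry are reported with a reason and would be skipped rather than extracted.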

Comment 6 Xingxing Xia 2019-04-08 13:44:55 UTC
Created attachment 1553633 [details]
pwn.tar

Comment 11 Maciej Szulik 2019-05-02 09:19:55 UTC

*** This bug has been marked as a duplicate of bug 1686294 ***