Bug 1738599 - Source secret injection fails with docker CVE-2018-15664 patch
Summary: Source secret injection fails with docker CVE-2018-15664 patch
Keywords:
Status: CLOSED DUPLICATE of bug 1739315
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Build
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 3.11.z
Assignee: Gabe Montero
QA Contact: wewang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-07 14:26 UTC by Adam Kaplan
Modified: 2019-08-20 13:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-20 13:52:21 UTC
Target Upstream Version:
Embargoed:




Links
Red Hat Bugzilla 1714722 (Private: no; Priority: medium; Status: CLOSED): CVE-2018-15664 docker: symlink-exchange race attacks in docker cp. Last updated 2021-02-22 00:41:40 UTC

Description Adam Kaplan 2019-08-07 14:26:46 UTC
Description of problem:

Hi,

I am running BuildConfig with s2i strategy on OKD 3.9 cluster and I am getting error:

```
{"message":"Error processing tar file(exit status 1): invalid symlink \"/tmp/..data\" -> \"..2019_08_06_16_00_26.551658995\""}
ERROR: Error occurred during injecting "/var/run/secrets/openshift.io/build/maven-setting" to "/tmp": Error response from daemon:

{"message":"Error processing tar file(exit status 1): invalid symlink \"/tmp/..data\" -> \"..2019_08_06_16_00_26.551658995\""}
```

My BuildConfig is:

```
apiVersion: build.openshift.io/v1
kind: BuildConfig
spec:
  source:
    secrets:
      - destinationDir: /tmp
        secret:
          name: maven-setting
```

Version of Docker daemon on compute node with failed build:

```
Package version: docker-1.13.1-102.git7f2769b.el7.centos.x86_64
Go version:      go1.10.3
```

Errors don't occur when I roll back the docker package to the older version:

```
Package version: docker-1.13.1-88.git07f3374.el7.centos.x86_64
Go version:      go1.9.4
```

I found that it is due to this issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1714722

Any plans to fix s2i secrets injection with CVE-2018-15664 fix in docker package?


Version-Release number of selected component (if applicable): OKD 3.9


Additional info:

Originally reported on Github: https://github.com/openshift/source-to-image/issues/987

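The path named in the error, `/tmp/..data` -> `..2019_08_06_16_00_26.551658995`, is the kubelet's secret-volume layout: the mounted Secret directory holds a timestamped generation directory, a `..data` symlink to it, and one symlink per key pointing through `..data`. What s2i hands to the daemon is therefore a tar stream whose first entries are symlinks. The following is an added diagnostic, not code from source-to-image, the docker package or this bug thread: it rebuilds that layout with a constructed timestamp and key name, then lists which members of an archive built from the directory are symlinks, with and without `tar -h` dereferencing. It only shows what the injection ships; it makes no claim about how either project fixed the problem.

```shell
#!/bin/sh
# Added example, not part of the bug report. Rebuilds the kubelet
# secret-volume layout (constructed names) and inspects the tar stream
# that a non-dereferencing copy of the directory would carry.

# Lay out <dir> the way a mounted Secret looks on the node:
#   <dir>/..<timestamp>/settings.xml   real file (current generation)
#   <dir>/..data -> ..<timestamp>      symlink to the current generation
#   <dir>/settings.xml -> ..data/settings.xml
# The timestamp mirrors the one in the error message; the key name is constructed.
make_secret_mount() {
  dir="$1"
  ts="..2019_08_06_16_00_26.551658995"
  mkdir -p "$dir/$ts"
  printf '<settings/>\n' > "$dir/$ts/settings.xml"
  ln -s "$ts" "$dir/..data"
  ln -s "..data/settings.xml" "$dir/settings.xml"
}

# Print the symlink members of an archive built from <dir>, one
# "name -> target" per line. With deref=1 the archive is created with
# tar -h, so symlinks are replaced by the files they point to and no
# symlink entries remain.
archive_symlinks() {
  dir="$1"; deref="${2:-0}"
  if [ "$deref" = 1 ]; then opt="-h"; else opt=""; fi
  tar $opt -cf - -C "$dir" . | tar -tvf - | awk '$1 ~ /^l/ { print $(NF-2), $(NF-1), $NF }'
}

# Number of symlink members in the archive (0 or 1 for deref).
count_symlinks() {
  archive_symlinks "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone usage: build the layout in a scratch dir and show both archives.
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  make_secret_mount "$d"
  echo "symlink entries without dereferencing:"; archive_symlinks "$d" 0
  echo "symlink entries with tar -h:";           archive_symlinks "$d" 1
  rm -rf "$d"
fi
```

Run as `sh script.sh run` on any node; the non-dereferenced listing shows `./..data -> ..2019_08_06_16_00_26.551658995` as the first symlink entry, which is the member named in the daemon's "invalid symlink" rejection above. GNU tar is assumed for the verbose listing format.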
Comment 1 Adam Kaplan 2019-08-07 14:37:51 UTC
Targeting fix for 3.11.z as this is not an issue for OpenShift 4 (does not use Docker).

Comment 2 Jason Bodsworth 2019-08-16 00:10:22 UTC
I have had the same issue in OpenShift Container Platform 3.11.98 and 3.11.129.  One cluster was working (successfully building) whilst another was not.  After careful examination, the working cluster was running docker 1.13.1-96 and the cluster with the problem was running docker version 1.13.1-102.  It is clear that the introduction of the following fix has had a detrimental effect on s2i builds at the injection stage:

Bug 1714722 (CVE-2018-15664) - CVE-2018-15664 docker: symlink-exchange race attacks in docker cp

Downgrading docker works for now; however, I will be submitting a ticket to Red Hat to have this resolved in OpenShift 3.11.

Comment 6 Adam Kaplan 2019-08-20 13:52:21 UTC
Duplicated by 1739315, where work is being actively tracked.

*** This bug has been marked as a duplicate of bug 1739315 ***

