Bug 1744588 (CVE-2019-18466) - CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpected results of copy operation
Summary: CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpect...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-18466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1748474 1754354 1754355 1759528 1762544
Blocks: 1744596
TreeView+ depends on / blocked
 
Reported: 2019-08-22 13:53 UTC by Marian Rehak
Modified: 2021-02-16 21:28 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that podman resolves a symlink in the host context during a copy operation from the container to the host. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.
Clone Of:
Environment:
Last Closed: 2020-04-01 04:31:49 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1227 0 None None None 2020-04-01 00:25:21 UTC

Description Marian Rehak 2019-08-22 13:53:38 UTC
'podman cp' will resolve a carefully crafted symlink in host-filesystem space, yielding unexpected results when cp'ing from container to host. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.

Upstream Issue:
https://github.com/containers/libpod/issues/3829

Comment 6 Qi Wang 2019-09-10 16:27:30 UTC
This is a duplicate of this issue https://bugzilla.redhat.com/show_bug.cgi?id=1741709

Comment 9 Sam Fowler 2019-09-23 02:48:49 UTC
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1754354]

Comment 13 Daniel Walsh 2019-10-16 20:23:17 UTC
Matt, Ed, Brent, Jhon do we have a fix for this?

Comment 14 Ed Santiago 2019-10-16 20:32:19 UTC
#3829 is closed, and I've added regression tests, so I think this is resolved. I'm reluctant to close because I don't know which exact version and stream the reporter is on.

Comment 17 Sam Fowler 2020-01-15 01:17:18 UTC
Statement:

This issue did not affect the versions of podman as shipped with Red Hat Enterprise Linux 8 as they did not include support for the copy function.

This issue did not affect the versions of podman as shipped in OpenShift Container Platform 3.11 and 4.1 as they did not include support for the copy function.

The version of podman shipped in OpenShift Container Platform 4.2 was superseded by the version delivered Red Hat Enterprise Linux 8.

Comment 18 errata-xmlrpc 2020-04-01 00:25:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1227 https://access.redhat.com/errata/RHSA-2020:1227

Comment 19 Product Security DevOps Team 2020-04-01 04:31:49 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-18466


Note You need to log in before you can comment on or make changes to this bug.