Bug 1744588 (CVE-2019-18466) - CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpected results of copy operation
Summary: CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpect...
Keywords:
Status: NEW
Alias: CVE-2019-18466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1748474 1754354 1754355 1759528 1762544
Blocks: 1744596
TreeView+ depends on / blocked
 
Reported: 2019-08-22 13:53 UTC by Marian Rehak
Modified: 2019-11-04 15:06 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that podman resolves a symlink in the host context during a copy operation from the container to the host. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2019-08-22 13:53:38 UTC
'podman cp' will resolve a carefully crafted symlink in host-filesystem space, yielding unexpected results when cp'ing from container to host. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.

Upstream Issue:
https://github.com/containers/libpod/issues/3829

Comment 6 Qi Wang 2019-09-10 16:27:30 UTC
This is a duplicate of this issue https://bugzilla.redhat.com/show_bug.cgi?id=1741709

Comment 8 Sam Fowler 2019-09-23 02:48:30 UTC
Statement:

This issue did not affect the versions of podman as shipped with Red Hat Enterprise Linux 8 as they did not include support for the copy function.

This issue did not affect the versions of podman as shipped in OpenShift Container Platform as they did not include support for the copy function.

Comment 9 Sam Fowler 2019-09-23 02:48:49 UTC
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1754354]

Comment 13 Daniel Walsh 2019-10-16 20:23:17 UTC
Matt, Ed, Brent, Jhon do we have a fix for this?

Comment 14 Ed Santiago 2019-10-16 20:32:19 UTC
#3829 is closed, and I've added regression tests, so I think this is resolved. I'm reluctant to close because I don't know which exact version and stream the reporter is on.


Note You need to log in before you can comment on or make changes to this bug.