Bug 1744588 (CVE-2019-18466) - CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpected results of copy operation
Summary: CVE-2019-18466 podman: resolving symlink in host filesystem leads to unexpect...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-18466
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Engineering1748474 1754354 Red Hat1754355 Engineering1759528 Engineering1762544
Blocks: Embargoed1744596
TreeView+ depends on / blocked
 
Reported: 2019-08-22 13:53 UTC by Marian Rehak
Modified: 2021-02-16 21:28 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that podman resolves a symlink in the host context during a copy operation from the container to the host. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.
Clone Of:
Environment:
Last Closed: 2020-04-01 04:31:49 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1227 0 None None None 2020-04-01 00:25:21 UTC

Description Marian Rehak 2019-08-22 13:53:38 UTC 
'podman cp' will resolve a carefully crafted symlink in host-filesystem space, yielding unexpected results when cp'ing from container to host. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.

Upstream Issue:
https://github.com/containers/libpod/issues/3829
Comment 6 Qi Wang 2019-09-10 16:27:30 UTC 
This is a duplicate of this issue https://bugzilla.redhat.com/show_bug.cgi?id=1741709
Comment 7 Riccardo Schirone 2019-09-19 14:35:22 UTC 
Upstream patch:
https://github.com/containers/libpod/commit/5c09c4d2947a759724f9d5aef6bac04317e03f7e
Comment 9 Sam Fowler 2019-09-23 02:48:49 UTC 
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1754354]
Comment 13 Daniel Walsh 2019-10-16 20:23:17 UTC 
Matt, Ed, Brent, Jhon do we have a fix for this?
Comment 14 Ed Santiago 2019-10-16 20:32:19 UTC 
#3829 is closed, and I've added regression tests, so I think this is resolved. I'm reluctant to close because I don't know which exact version and stream the reporter is on.
Comment 17 Sam Fowler 2020-01-15 01:17:18 UTC 
Statement:

This issue did not affect the versions of podman as shipped with Red Hat Enterprise Linux 8 as they did not include support for the copy function.

This issue did not affect the versions of podman as shipped in OpenShift Container Platform 3.11 and 4.1 as they did not include support for the copy function.

The version of podman shipped in OpenShift Container Platform 4.2 was superseded by the version delivered Red Hat Enterprise Linux 8.
Comment 18 errata-xmlrpc 2020-04-01 00:25:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1227 https://access.redhat.com/errata/RHSA-2020:1227
Comment 19 Product Security DevOps Team 2020-04-01 04:31:49 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-18466
Note You need to log in before you can comment on or make changes to this bug.