Bug 1784267 - Remove quay.io from the default search list
Summary: Remove quay.io from the default search list
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: container-tools-rhel8-module
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.2
Assignee: Jindrich Novy
QA Contact: atomic-bugs@redhat.com
Docs Contact: Gabriela Nečasová
URL:
Whiteboard:
Depends On:
Blocks: 1186913 1734579
Reported: 2019-12-17 06:38 UTC by Jason Shepherd
Modified: 2022-05-02 05:03 UTC (History)

Fixed In Version: skopeo-0.1.40-8.el8
Doc Type: Bug Fix
Doc Text:
.Pulling images from the quay.io registry no longer leads to unintended images
Previously, having the quay.io container image registry listed in the default registries search list in `/etc/containers/registries.conf` could allow a user to pull a spoofed image when using a short name. To fix this issue, the quay.io container image registry has been removed from the default registries search list in `/etc/containers/registries.conf`. As a result, pulling images from the `quay.io` registry now requires users to specify the full repository name, such as `quay.io/myorg/myimage`. The quay.io registry can be added back to the default registries search list in `/etc/containers/registries.conf` to re-enable pulling container images using short names; however, this is not recommended because it could create a security risk.
Clone Of:
Environment:
Last Closed: 2020-04-28 15:52:09 UTC
Type: Bug
Target Upstream Version:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-31369 0 None None None 2022-05-02 05:03:38 UTC
Red Hat Product Errata RHSA-2020:1650 0 None None None 2020-04-28 15:52:50 UTC

Description Jason Shepherd 2019-12-17 06:38:25 UTC
Description of problem:

Having multiple public repositories in the list can lead to typosquatting and supply chain attacks against Red Hat customers.


Version-Release number of selected component (if applicable):

container-tools-1:0.1.37-5.module+el8.1.0+4240+893c1ab8
From repo: rhel-8-for-x86_64-appstream-rpms

How reproducible:

$ cat /etc/containers/registries.conf | grep registries.search -A 1


Actual results:

[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']


Expected results:

[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'registry.centos.org']



Additional info:

https://github.com/containers/libpod/issues/4549

Comment 1 Daniel Walsh 2019-12-17 14:16:53 UTC
Also docker.io should be moved to the end of the list.
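
The two checks asked for in this report (quay.io absent from the unqualified search list, docker.io last) and the fully-qualified-name requirement from the Doc Text, as an added example script; it is not part of the bug report or of the container-tools/skopeo packages. It parses only the v1 `[registries.search]` layout quoted above, and the two sample configs (`SAMPLE_CONF_BAD`, `SAMPLE_CONF_GOOD`) and the helper names are constructed for this example.

```python
"""Audit the unqualified-search registry list and image references.

Added example, not code from the bug report or the container-tools project.
Only the v1 registries.conf layout shown in the report is parsed.
"""
import re
from typing import List

# Constructed sample matching the "Actual results" section of the report.
SAMPLE_CONF_BAD = """\
[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']

[registries.insecure]
registries = []
"""

# Constructed sample: quay.io removed and docker.io moved to the end (comment 1).
SAMPLE_CONF_GOOD = """\
[registries.search]
registries = ['registry.access.redhat.com', 'registry.fedoraproject.org', 'registry.centos.org', 'docker.io']
"""

_SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
_REGISTRIES_RE = re.compile(r"^\s*registries\s*=\s*\[(?P<body>[^\]]*)\]\s*$")


def parse_search_registries(conf_text: str) -> List[str]:
    """Return the registries under [registries.search], in search order.

    Comments (after '#') and other sections are ignored; only a one-line
    quoted list, as in the report, is understood.
    """
    in_search = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]
        if not line.strip():
            continue
        m = _SECTION_RE.match(line)
        if m:
            in_search = m.group("name").strip() == "registries.search"
            continue
        if in_search:
            m = _REGISTRIES_RE.match(line)
            if m:
                body = m.group("body")
                return [r.strip().strip("'\"") for r in body.split(",") if r.strip()]
    return []


def audit_search_list(registries: List[str]) -> List[str]:
    """Findings for the two points raised in this report."""
    findings = []
    if "quay.io" in registries:
        findings.append(
            "quay.io is in the unqualified-search list; remove it and pull "
            "with the full name, e.g. quay.io/myorg/myimage")
    if "docker.io" in registries and registries[-1] != "docker.io":
        findings.append("docker.io is not the last entry in the search list")
    return findings


def is_fully_qualified(image: str) -> bool:
    """True if the first path component names a registry host.

    Same rule as the containers/docker reference parser: the first
    component must contain a '.' or ':' or be exactly 'localhost'.
    A short name such as 'myimage' or 'myorg/myimage' returns False.
    """
    first = image.split("/", 1)[0]
    return "." in first or ":" in first or first == "localhost"


if __name__ == "__main__":
    for label, conf in (("bad", SAMPLE_CONF_BAD), ("good", SAMPLE_CONF_GOOD)):
        regs = parse_search_registries(conf)
        print(label, regs)
        for finding in audit_search_list(regs):
            print("  -", finding)
    for ref in ("quay.io/myorg/myimage", "myorg/myimage", "myimage"):
        print(ref, "fully qualified" if is_fully_qualified(ref) else "SHORT NAME")
```

Run it against `/etc/containers/registries.conf` by reading the file into `parse_search_registries`; an empty result means the host uses a layout this parser does not understand, not that the search list is empty.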

Comment 5 Yuhui Jiang 2020-03-30 10:12:56 UTC
According to comment#4, move the status to VERIFIED

Comment 14 errata-xmlrpc 2020-04-28 15:52:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1650

