1784267 – Remove quay.io from the default search list

Bug 1784267 - Remove quay.io from the default search list

Summary: Remove quay.io from the default search list

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	container-tools-rhel8-module
Sub Component:
Version:	8.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.2
Assignee:	Jindrich Novy
QA Contact:	atomic-bugs@redhat.com
Docs Contact:	Gabriela Nečasová
URL:
Whiteboard:
Depends On:
Blocks:	1186913 1734579
TreeView+	depends on / blocked

Reported:	2019-12-17 06:38 UTC by Jason Shepherd
Modified:	2022-05-02 05:03 UTC (History)
CC List:	10 users (show)
Fixed In Version:	skopeo-0.1.40-8.el8
Doc Type:	Bug Fix
Doc Text:	.Pulling images from the quay.io registry no longer leads to unintended images Previously, having the quay.io container image registry listed in the default registries search list provided in `/etc/containers/registries.conf` could allow a user to pull a spoofed image when using a short name. To fix this issue, the quay.io container image registry has been removed from the default registries search list in `/etc/containers/registries.conf`. As a result, pulling images from the `quay.io` registry now requires users to specify the full repository name, such as `quay.io/myorg/myimage`. The quay.io registry can be added back to the default registries search list in `/etc/containers/registries.conf` to reenable pulling container images using short names, however, this is not recommended as it could create a security risk.
Clone Of:
Environment:
Last Closed:	2020-04-28 15:52:09 UTC
Type:	Bug
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-31369	0	None	None	None	2022-05-02 05:03:38 UTC
Red Hat Product Errata	RHSA-2020:1650	0	None	None	None	2020-04-28 15:52:50 UTC

Description Jason Shepherd 2019-12-17 06:38:25 UTC

Description of problem:

Having multiple public repositories in the list can lead to typosquatting and supply chain attacks against Red Hat customers.


Version-Release number of selected component (if applicable):

container-tools-1:0.1.37-5.module+el8.1.0+4240+893c1ab8
From repo: rhel-8-for-x86_64-appstream-rpms

How reproducible:

$ cat /etc/containers/registries.conf | grep registries.search -A 1


Actual results:

[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.centos.org']


Expected results:

[registries.search]
registries = ['registry.access.redhat.com', 'docker.io', 'registry.fedoraproject.org', 'registry.centos.org']



Additional info:

https://github.com/containers/libpod/issues/4549

Comment 1 Daniel Walsh 2019-12-17 14:16:53 UTC

Also docker.io should be moved to the end of the list.

Comment 5 Yuhui Jiang 2020-03-30 10:12:56 UTC

According to comment#4, move the status to VERIFIED

Comment 14 errata-xmlrpc 2020-04-28 15:52:09 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1650

Note You need to log in before you can comment on or make changes to this bug.