Bug 1921154 (CVE-2020-27534) - CVE-2020-27534 moby/buildkit: calls os.OpenFile with a potentially unsafe qemu-check temporary pathname
Summary: CVE-2020-27534 moby/buildkit: calls os.OpenFile with a potentially unsafe qem...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-27534
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1921156
Reported: 2021-01-27 15:44 UTC by Michael Kaplan
Modified: 2024-03-25 18:01 UTC (History)

Fixed In Version: moby/buildkit v0.8.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in moby. Moby buildkit calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.
Clone Of:
Environment:
Last Closed: 2021-01-29 08:41:39 UTC
Embargoed:



Description Michael Kaplan 2021-01-27 15:44:05 UTC
util/binfmt_misc/check.go in moby buildkit calls os.OpenFile with a potentially unsafe qemu-check temporary pathname, constructed with an empty first argument in an ioutil.TempDir call.
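To make the description concrete, the following Go snippet is an added illustration, not buildkit's code and not the v0.8.0 fix: it shows what an empty first argument to ioutil.TempDir/os.MkdirTemp means (the directory lands wherever os.TempDir resolves, which follows TMPDIR on Unix and TMP/TEMP/USERPROFILE on Windows), and a conservative pattern for writing a helper executable into scratch space. The function and parameter names (resolveTempRoot, prepareScratchExec, root, prefix, name) are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// resolveTempRoot reports where ioutil.TempDir(dir, prefix) or os.MkdirTemp(dir, prefix)
// would create its directory. An empty dir means os.TempDir(), which is taken from the
// environment: $TMPDIR (default /tmp) on Unix, GetTempPath (%TMP%, %TEMP%, %USERPROFILE%)
// on Windows. The point is that the location is environment-controlled, not code-controlled.
func resolveTempRoot(dir string) string {
	if dir == "" {
		return os.TempDir()
	}
	return dir
}

// prepareScratchExec creates a private scratch directory under root and an empty
// executable file named name inside it, then returns the file path. It refuses to
// continue if the directory it just made is not a plain directory (e.g. a symlink) or,
// on Unix, is not mode 0700. The file is opened with O_EXCL so a pre-existing entry at
// that path makes the call fail instead of being silently reused. Hypothetical
// hardening pattern written for this example; it is not the project's check.go.
func prepareScratchExec(root, prefix, name string) (string, error) {
	dir, err := os.MkdirTemp(root, prefix) // randomised suffix, created with mode 0700
	if err != nil {
		return "", err
	}
	fi, err := os.Lstat(dir)
	if err != nil {
		return "", err
	}
	if !fi.IsDir() || fi.Mode()&os.ModeSymlink != 0 {
		return "", errors.New("scratch path is not a plain directory")
	}
	if runtime.GOOS != "windows" && fi.Mode().Perm() != 0o700 {
		return "", fmt.Errorf("scratch dir has mode %o, want 0700", fi.Mode().Perm())
	}
	path := filepath.Join(dir, name)
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o700)
	if err != nil {
		return "", err
	}
	if err := f.Close(); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	fmt.Println("empty dir argument resolves to:", resolveTempRoot(""))
	p, err := prepareScratchExec("", "qemu-check", "check")
	if err != nil {
		fmt.Println("refused:", err)
		return
	}
	fmt.Println("created:", p)
	_ = os.RemoveAll(filepath.Dir(p))
}
```

On Windows the permission check is skipped because Go's FileMode bits do not reflect the NTFS ACL, which is exactly why a location derived from user-writable environment variables deserves more scrutiny there than on a Unix /tmp with the sticky bit.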

Comment 1 Michael Kaplan 2021-01-27 15:44:09 UTC
External References:

https://github.com/moby/buildkit/pull/1462
https://github.com/moby/moby/pull/40877

Comment 2 Mark Cooper 2021-01-29 06:37:17 UTC
Originally I thought this might apply to linux fixing the check function, but not so. 

This vulnerability only relates to the Windows environment. Windows doesn't support binfmt and the check command, but the library assumes it's there and attempts to execute it.

Comment 3 Product Security DevOps Team 2021-01-29 08:41:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27534

