Bug 1715667 (CVE-2019-10152) - CVE-2019-10152 podman: Improper symlink resolution allows access to host files when executing `podman cp` on running containers
Status: CLOSED ERRATA
Alias: CVE-2019-10152
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20190529,repor...
Depends On: 1715668 1717771
Blocks: 1714728
Reported: 2019-05-30 23:57 UTC by Sam Fowler
Modified: 2019-07-30 21:19 UTC (History)

Fixed In Version: podman 1.4.0
Doc Text:
A path traversal vulnerability has been discovered in podman in the way it handles symlinks inside containers. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container.
Last Closed: 2019-07-29 19:18:47 UTC



Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:1907 None None None 2019-07-29 16:17:26 UTC

Description Sam Fowler 2019-05-30 23:57:42 UTC
Podman does not properly resolve symlinks within containers, allowing for access to files on the host system when executing `podman cp`. Symlinked files inside containers are resolved on the host, not within the container.


Upstream Issue:

https://github.com/containers/libpod/issues/3211


Upstream Fix:

https://github.com/containers/libpod/pull/3214

Comment 1 Sam Fowler 2019-05-30 23:59:28 UTC
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1715668]

Comment 21 Riccardo Schirone 2019-06-10 09:34:01 UTC
Function copyBetweenHostAndContainer() in cmd/podman/cp.go does not properly restrict the destination path of the copy operation, allowing an attacker who has control of a container to copy/overwrite files in the host filesystem instead of the container's one.

Comment 22 Riccardo Schirone 2019-06-10 09:38:18 UTC
During the `podman cp` operation, the destination path in the container is just joined with the base directory that contains the / root filesystem of the container from the host point of view. Thus a symlink in one of the components of the destination path can easily go outside the base directory of the container and access the host filesystem.
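
Added example, not part of the bug comments and not podman's own code or the upstream fix: a Go sketch contrasting the plain join described in comment 22 with a resolver that treats the container rootfs as "/" for every symlink target. The names `scopedJoin` and `demo`, the temporary directory layout and the file names are assumptions made for illustration; it assumes a Unix-like host and a rootfs path that is not itself a symlink.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// scopedJoin resolves p one component at a time, treating root as "/" for
// every symlink target, so the returned path always stays under root.
func scopedJoin(root, p string) (string, error) {
	cur, rest := "/", strings.Split(p, "/") // cur: resolved path inside root
	for hops := 0; len(rest) > 0; {
		next := filepath.Join(cur, rest[0]) // Join cleans: ".." cannot climb above "/"
		rest = rest[1:]
		target, err := os.Readlink(filepath.Join(root, next))
		if err != nil || next == "/" { // not a symlink, or does not exist yet
			cur = next
			continue
		}
		if hops++; hops > 40 {
			return "", fmt.Errorf("too many symlinks in %q", p)
		}
		if filepath.IsAbs(target) {
			cur = "/" // absolute target restarts at the container root
		}
		rest = append(strings.Split(target, "/"), rest...)
	}
	return filepath.Join(root, cur), nil
}

// demo builds a constructed layout: <tmp>/host plays the host filesystem,
// <tmp>/rootfs the container root, and rootfs/data is a symlink to <tmp>/host.
func demo() (root, naive, scoped string, err error) {
	tmp, err := os.MkdirTemp("", "cpdemo")
	if err != nil {
		return
	}
	root, host := filepath.Join(tmp, "rootfs"), filepath.Join(tmp, "host")
	os.MkdirAll(root, 0o755)
	os.MkdirAll(host, 0o755)
	os.Symlink(host, filepath.Join(root, "data"))
	// Flawed pattern: plain Join, then the host follows the symlink.
	naive, _ = filepath.EvalSymlinks(filepath.Join(root, "data"))
	scoped, err = scopedJoin(root, "data/out.txt")
	return
}

func main() { fmt.Println(demo()) }
```

Resolution in user space like this is only sound while the container cannot modify the tree between the path check and the copy.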

Comment 23 Riccardo Schirone 2019-06-10 09:41:58 UTC
Set Attack Complexity to High (AC:H) because the attacker cannot really choose what to write in the host filesystem, because that is chosen by the admin when doing the `podman cp` operation. However, the attacker can choose where to write in the host filesystem, which may corrupt the host at best or allow the attacker access to it in the worst case.

Set User Interaction Required (UI:R) because an admin needs to issue a `podman cp` command to trigger the flaw and Privileges Required Low (PR:L) because the attacker already needs to have some privilege in a running container to set up the attack.

For these reasons, the flaw has a Medium Impact.

Comment 25 Riccardo Schirone 2019-06-10 12:31:13 UTC
On RHEL 7.6 and lower versions, users are forced to run podman as root because non-root users cannot run it, so an attacker can potentially overwrite any file writable by root.

Comment 31 Dave Baker 2019-06-25 07:52:41 UTC
Statement:

This issue does not affect the versions of podman as shipped with OpenShift Container Platform 4.1 or Red Hat Enterprise Linux 8 as they do not include support for the `cp` command.

Comment 32 errata-xmlrpc 2019-07-29 16:17:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:1907 https://access.redhat.com/errata/RHSA-2019:1907

Comment 33 Product Security DevOps Team 2019-07-29 19:18:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10152

