diff --git a/CVE-2021-29136.patch b/CVE-2021-29136.patch new file mode 100644 index 0000000000000000000000000000000000000000..ea0e0578d37305be2d689158d105a271e819fee2 --- /dev/null +++ b/CVE-2021-29136.patch @@ -0,0 +1,35 @@ +From d9efc31daf2206f7d3fdb839863cf7a576a2eb57 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Wed, 24 Mar 2021 00:17:06 +1100 +Subject: [PATCH] layer: don't permit / type to be changed on extraction + +If users can change the type of / to a symlink, they can cause umoci to +overwrite host files. This is obviously bad, and is not caught by the +rest of our directory escape detection code because the root itself has +been changed to a different directory. + +Fixes: CVE-2021-29136 +Reported-by: Robin Peraglie +Tested-by: Daniel Dao +Reviewed-by: Tycho Andersen +Signed-off-by: Aleksa Sarai +--- + oci/layer/tar_extract.go | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go +index 1b8c3d67..d7414105 100644 +--- a/oci/layer/tar_extract.go ++++ b/oci/layer/tar_extract.go +@@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) ( + if filepath.Join("/", hdr.Name) == "/" { + // If we got an entry for the root, then unsafeDir is the full path. + unsafeDir, file = hdr.Name, "." ++ // If we're being asked to change the root type, bail because they may ++ // change it to a symlink which we could inadvertently follow. ++ if hdr.Typeflag != tar.TypeDir { ++ return errors.New("malicious tar entry -- refusing to change type of root directory") ++ } + } + dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval) + if err != nil { diff --git a/umoci.spec b/umoci.spec index 4064438d3002fb08cbe148d0989b0166533e41d0..31fea003935391be070dd925534e3c089e64d3a5 100644 --- a/umoci.spec +++ b/umoci.spec @@ -4,12 +4,14 @@ Name: umoci Version: 0.4.5 -Release: 3 +Release: 5 Summary: Open Container Image manipulation tool License: Apache-2.0 URL: https://github.com/opencontainers/umoci Source0: https://github.com/opencontainers/umoci/archive/v0.4.5.tar.gz -BuildRequires: fdupes go >= 1.6 go-md2man +Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz +Patch0: CVE-2021-29136.patch +BuildRequires: fdupes go >= 1.6 %description Umoci modifies Open Container images. Umoci intends to be a complete manipulation tool for OCI images. @@ -48,6 +50,12 @@ done %{_mandir}/man1/umoci* %changelog +* Fri Apr 16 2021 wangyue - 0.4.5-5 +- Fix CVE-2021-29136 + +* Tue Feb 9 2021 lingsheng - 0.4.5-4 +- Fix unresolvable + * Wed Sep 9 2020 Ge Wang - 0.4.5-3 - Modify Source0 Url