File CVE-2021-29136.patch of Package umoci.18907

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2021-29136.patch of Package umoci.18907

From 26f2e35a479e8c5895e25f3644723f9e723e4fc9 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Wed, 24 Mar 2021 00:17:06 +1100
Subject: [PATCH] layer: don't permit / type to be changed on extraction

If users can change the type of / to a symlink, they can cause umoci to
overwrite host files. This is obviously bad, and is not caught by the
rest of our directory escape detection code because the root itself has
been changed to a different directory.

Fixes: CVE-2021-29136
Reported-by: Robin Peraglie <robin@cure53.de>
Tested-by: Daniel Dao <dqminh89@gmail.com>
Reviewed-by: Tycho Andersen <tycho@tycho.pizza>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
 oci/layer/tar_extract.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go
index 1b8c3d67c4d8..d74141051d7d 100644
--- a/oci/layer/tar_extract.go
+++ b/oci/layer/tar_extract.go
@@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) (
 	if filepath.Join("/", hdr.Name) == "/" {
 		// If we got an entry for the root, then unsafeDir is the full path.
 		unsafeDir, file = hdr.Name, "."
+		// If we're being asked to change the root type, bail because they may
+		// change it to a symlink which we could inadvertently follow.
+		if hdr.Typeflag != tar.TypeDir {
+			return errors.New("malicious tar entry -- refusing to change type of root directory")
+		}
 	}
 	dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval)
 	if err != nil {
-- 
2.30.2

Places

File CVE-2021-29136.patch of Package umoci.18907

Places