Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 28 Sep 2016 08:27:15 +0000
From: 张开翔 <>
To: "" <>
CC: cve-assign <>
Subject: CVE Request: docker2aci: Path traversals present in image converting


This is Kaixiang Zhang of the Cloud Security Team, Qihoo 360. I submitted an path traversal vulnerability to docker2aci <> recently. The issue exists in image converting, there must be a possibility that it extracts embedded layer data to arbitrary directories or paths since no essential check for the output file path. Could you please assign a CVE number for it? Thanks.

Source info

tmpLayerPath := path.Join(tmpDir, layerIDs[i])

         tmpLayerPath += ".tar"

         layerFile, err := extractEmbeddedLayer(lb.file, layerIDs[i], tmpLayerPath)// without essential check for layerpath, may breakout tmpDir.


Build or downloading a malicious image as an archive file, containing some layer files with relative names ,like “../../../etc/ filename”, as well modifying the content of some corresponding json file related to it. then running docker2aci to convert the docker’s image to aci. Overview of the content of malicious image:






and logs:
         tmpDir:  /tmp/docker2aci-878549369
tmpLayerPath:  /etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar
Extracting ../../../etc

then check the results:  ls /etc/*.tar

Of course, the tar file content could be modified by yourself.

Best regards&

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ