Date: Wed, 28 Sep 2016 08:54:01 -0700
From: Alex Crawford <alex.crawford@...eos.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign <cve-assign@...re.org>
Subject: Re: CVE Request: docker2aci: Path traversals present in image converting

On 09/28, 张开翔 wrote:
> This is Kaixiang Zhang of the Cloud Security Team, Qihoo 360. I
> submitted a path traversal vulnerability to docker2aci
> <https://github.com/appc/docker2aci/issues/201> recently. The issue
> exists in image converting; there must be a possibility that it
> extracts embedded layer data to arbitrary directories or paths, since
> there is no essential check for the output file path. Could you please assign a
> CVE number for it? Thanks.

Thanks for the report.

We are investigating your docker2aci report in order to evaluate the total impact and provide a patch. Our initial analysis confirms there is a path traversal bug in the docker layer conversion library. However, due to the specific nature of how a malicious image must be crafted to exploit this bug (i.e. invalid format), the attack vector is largely mitigated by how Docker registries are implemented. Therefore, we believe the bug has limited impact and will not affect typical usage of docker2aci.

The attack vector requires crafting layer IDs which are not valid according to current Docker image specifications, and thus remote exploitation relies on registries providing non-conformant Docker images. Since common registry implementations like the Docker Registry and quay.io validate layer IDs when an image is uploaded, this bug should not affect the vast majority of usage of the library.

Just for reference, we typically investigate issues together with reporters, evaluating the impact and requesting a CVE whenever needed. In your case, this was not possible as we received your initial email at 02:38 UTC and you subsequently sent a PoC to oss-security at 08:27 UTC, without any space for investigation on our side.
-Alex
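The class of bug discussed in the thread is a tar extraction that writes each layer entry to a path derived from the entry name without confirming that the result stays under the output directory. The following Go program is an added illustration of the missing containment check, not docker2aci's own code nor the patch the project shipped: the function names (`safeJoin`, `extractLayer`, `buildLayer`) and the sample archive contents are constructed for this example. It builds two small in-memory layer tarballs, one benign and one carrying a `../../` entry, and shows the guarded extractor writing the first while refusing the second before anything leaves the destination.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrPathTraversal is returned for an archive entry that would resolve
// outside the extraction root.
var ErrPathTraversal = errors.New("archive entry escapes extraction root")

// safeJoin resolves an entry name against root and rejects any result that
// does not stay inside root. This is the check the report describes as
// missing: without it, a name such as "../../etc/passwd" is written
// wherever it points. Absolute names are treated as relative to root.
func safeJoin(root, name string) (string, error) {
	cleanRoot := filepath.Clean(root)
	target := filepath.Join(cleanRoot, name) // Join cleans, collapsing "..".
	rel, err := filepath.Rel(cleanRoot, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathTraversal
	}
	return target, nil
}

// extractLayer unpacks a tar stream under root, stopping at the first entry
// whose resolved path leaves root. It returns the paths written so far.
func extractLayer(r io.Reader, root string) ([]string, error) {
	var written []string
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, nil
		}
		if err != nil {
			return written, err
		}
		target, err := safeJoin(root, hdr.Name)
		if err != nil {
			return written, fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return written, err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return written, err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
			if err != nil {
				return written, err
			}
			if _, err := io.Copy(f, tr); err != nil {
				f.Close()
				return written, err
			}
			f.Close()
		default:
			// Symlinks and hard links need a separate check on their link
			// target; this example simply skips them.
			continue
		}
		written = append(written, target)
	}
}

// buildLayer builds an in-memory tar archive (constructed sample data) from
// ordered name/content pairs, so the example runs without any files on disk.
func buildLayer(entries [][2]string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e[0], Mode: 0o644, Size: int64(len(e[1])), Typeflag: tar.TypeReg}
		tw.WriteHeader(hdr)
		tw.Write([]byte(e[1]))
	}
	tw.Close()
	return buf.Bytes()
}

func main() {
	root, _ := os.MkdirTemp("", "layer")
	defer os.RemoveAll(root)
	good := buildLayer([][2]string{{"etc/hostname", "box\n"}})
	bad := buildLayer([][2]string{{"ok.txt", "x"}, {"../../escape.txt", "should never land"}})
	w, err := extractLayer(bytes.NewReader(good), root)
	fmt.Println("benign layer:", w, err)
	w, err = extractLayer(bytes.NewReader(bad), root)
	fmt.Println("hostile layer:", w, err)
}
```

The check works on the cleaned, joined path rather than on the raw name, so variants such as `a/../../x` or an absolute name are handled uniformly; the one thing it deliberately leaves out is link handling, which needs the same containment test applied to the link target.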