Date: Wed, 28 Sep 2016 15:15:39 -0400 (EDT)
From: cve-assign@...re.org
To: zhangkaixiang@....cn
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: docker2aci: Path traversals present in image converting


> https://github.com/appc/docker2aci/issues/201
> 
> tmpLayerPath := path.Join(tmpDir, layerIDs[i])
> tmpLayerPath += ".tar"
> // without essential check for layerpath, may breakout tmpDir.
> layerFile, err := extractEmbeddedLayer(lb.file, layerIDs[i], tmpLayerPath)
> 
> Build or download a malicious image as an archive file, containing
> some layer files with relative names, like "../../../etc/ filename",
> and modify the content of some corresponding json file related
> to it. Then run docker2aci to convert the docker image to aci.
> Overview of the content of the malicious image:
> 
> ../../../etc
> 
> ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625
> 
> ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/json
> 
> ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/VERSION
> 
> ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/layer.tar
> 
> 
> and logs:
>          tmpDir:  /tmp/docker2aci-878549369
> tmpLayerPath:  /etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar
> Extracting ../../../etc
> 
> then check the results:  ls /etc/*.tar
> /etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar

>> From: Alex Crawford
>> 
>> Our initial analysis confirms there is a path traversal bug in the
>> docker layer conversion library. However, due to the specific nature
>> of how a malicious image must be crafted to exploit this bug (i.e.,
>> invalid format), the attack vector is largely mitigated ... the bug
>> has limited impact and will not affect typical usage of docker2aci.

Use CVE-2016-7569.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
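
Added example, not part of the original message and not docker2aci's own code: the quoted join-then-append pattern next to a containment check on the final path, run against the tmpDir and layer ID from the report's log. The names unsafeLayerPath, safeLayerPath and ErrEscapesTmpDir are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscapesTmpDir reports a layer path that would land outside the temp directory.
var ErrEscapesTmpDir = errors.New("layer path escapes tmpDir")

// unsafeLayerPath reproduces the quoted pattern: join, append ".tar", no check.
func unsafeLayerPath(tmpDir, layerID string) string {
	return filepath.Join(tmpDir, layerID) + ".tar"
}

// safeLayerPath (hypothetical helper) builds the same path, then verifies that
// the final name, suffix included, is still located under tmpDir.
// The check is lexical only; it does not resolve symlinks.
func safeLayerPath(tmpDir, layerID string) (string, error) {
	base := filepath.Clean(tmpDir)
	p := filepath.Join(base, layerID) + ".tar"
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesTmpDir
	}
	return p, nil
}

func main() {
	// tmpDir and layer ID are the values shown in the report's log output.
	tmpDir := "/tmp/docker2aci-878549369"
	id := "0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625"
	// Constructed inputs: the reported traversal name, a well-formed ID, and
	// ".." and ".", the latter escaping only once ".tar" is appended.
	for _, layerID := range []string{"../../../etc/" + id, id, "..", "."} {
		p, err := safeLayerPath(tmpDir, layerID)
		fmt.Printf("%q unsafe=%s safe=%q err=%v\n",
			layerID, unsafeLayerPath(tmpDir, layerID), p, err)
	}
}
```

Checking after the ".tar" suffix is appended matters: a layer name of "." joins to tmpDir itself, and only the suffixed result becomes a sibling file outside it.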
