Date: Wed, 28 Sep 2016 08:54:01 -0700
From: Alex Crawford <alex.crawford@...eos.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign <cve-assign@...re.org>
Subject: Re: CVE Request: docker2aci: Path traversals present in image converting

On 09/28, 张开翔 wrote:
> This is Kaixiang Zhang of the Cloud Security Team, Qihoo 360. I
> submitted a path traversal vulnerability to docker2aci
> <https://github.com/appc/docker2aci/issues/201> recently. The issue
> exists in image converting; there must be a possibility that it
> extracts embedded layer data to arbitrary directories or paths since
> there is no essential check on the output file path. Could you please
> assign a CVE number for it? Thanks.

Thanks for the report.

We are investigating your docker2aci report in order to evaluate the
total impact and provide a patch.

Our initial analysis confirms there is a path traversal bug in the
docker layer conversion library. However, due to the specific nature of
how a malicious image must be crafted to exploit this bug (i.e. invalid
format), the attack vector is largely mitigated by how Docker registries
are implemented. Therefore, we believe the bug has limited impact and
will not affect typical usage of docker2aci.

The attack vector requires crafting layer IDs which are not valid,
according to current Docker image specifications, and thus remote
exploitation relies on registries providing non-conformant Docker
images. Since common registry implementations like the Docker Registry
and quay.io validate layer IDs when an image is uploaded, this bug
should not affect the vast majority of usage of the library.

Just for reference, we typically investigate issues together with
reporters, evaluating the impact and requesting a CVE whenever needed.
In your case, this was not possible as we received your initial email at
02:38 UTC and you subsequently sent a PoC to oss-security at 08:27 UTC,
without any space for investigation on our side.

-Alex
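An added illustration of the two checks this thread implies, written for this page and not taken from docker2aci or from the patch under discussion: reject a layer ID that does not match the format the image specification requires before it touches a path, and then confirm that the cleaned output path still lies beneath the output directory. The 64-hex-character pattern, the function names and the sample paths are assumptions made for the example; the same containment check applies to every entry name read out of a layer tarball, since tar headers are as attacker-controlled as layer IDs.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumption for this example: a conformant v1 layer ID is 64 lowercase hex
// characters. Anything else is rejected before it can shape a filesystem path.
var layerIDPattern = regexp.MustCompile(`^[0-9a-f]{64}$`)

var (
	ErrBadLayerID  = errors.New("layer ID is not a 64-character hex string")
	ErrPathEscapes = errors.New("path escapes the output directory")
)

// unsafeLayerDir is the traversal-prone pattern: an attacker-controlled ID is
// joined onto the output directory with no validation, so an ID such as
// "../../etc" resolves to a directory outside outDir.
func unsafeLayerDir(outDir, layerID string) string {
	return filepath.Join(outDir, layerID)
}

// safeLayerDir validates the ID against the expected format and then checks
// that the cleaned result is still contained in outDir.
func safeLayerDir(outDir, layerID string) (string, error) {
	if !layerIDPattern.MatchString(layerID) {
		return "", ErrBadLayerID
	}
	return containedJoin(outDir, layerID)
}

// containedJoin joins name onto base and fails if the cleaned result is not
// inside base. filepath.Join cleans the path, so ".." components are collapsed
// before the Rel check; a leading "/" in name is treated as relative by Join
// and therefore cannot escape either.
func containedJoin(base, name string) (string, error) {
	base = filepath.Clean(base)
	target := filepath.Join(base, name)
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscapes
	}
	return target, nil
}

func main() {
	// Constructed sample input: a hostile layer ID and a conformant one.
	out := "/tmp/aci-out"
	evil := "../../etc"
	good := strings.Repeat("ab", 32)

	fmt.Println("unsafe join:", unsafeLayerDir(out, evil))
	if _, err := safeLayerDir(out, evil); err != nil {
		fmt.Println("safe join rejected hostile ID:", err)
	}
	if p, err := safeLayerDir(out, good); err == nil {
		fmt.Println("safe join accepted conformant ID:", p)
	}
	// The same containment check applied to a tar entry name.
	if _, err := containedJoin(out, "rootfs/../../x"); err != nil {
		fmt.Println("tar entry rejected:", err)
	}
}
```

The format check alone is what the message credits registries with enforcing at upload time; the containment check is the part a local converter still needs for any name it did not generate itself.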
