[PATCH] Pass root to chroot to for chroot Untar
author Brian Goff <cpuguy83@gmail.com>
Thu, 30 May 2019 18:15:09 +0000 (11:15 -0700)
committer Felix Geyer <fgeyer@debian.org>
Sun, 21 Feb 2021 17:18:35 +0000 (17:18 +0000)
commit 552cb05a41a614ad492d85140f80aa493d086802
tree 4bfeed86d63ca385f47f90a34caef398f482e923
parent 25add03f067cab7d32a2e8ef05e70e0cd388ef09
[PATCH] Pass root to chroot to for chroot Untar

This is useful for preventing CVE-2018-15664 where a malicious container
process can take advantage of a race on symlink resolution/sanitization.

Before this change chrootarchive would chroot to the destination
directory which is attacker controlled. With this patch we always chroot
to the container's root which is not attacker controlled.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Origin: upstream, https://github.com/moby/moby/pull/39292

Gbp-Pq: Name cve-2018-15664-01-pass-root-to-chroot-to-for-chroot-untar.patch
engine/daemon/archive.go
engine/pkg/chrootarchive/archive.go
engine/pkg/chrootarchive/archive_unix.go
engine/pkg/chrootarchive/archive_windows.go
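
An added Go example (not code from moby or from this patch) of why the commit message cares which directory acts as "/": the hypothetical `resolveInRoot` and `demo` resolve a constructed symlink `dst -> /` first from the host's point of view and then with the container root as "/", which is what a chroot to that root gives the kernel. The resolution is done in userland only to make the difference visible; a userland check on its own is still exposed to the race the message mentions, which the patch avoids by chrooting.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInRoot is a hypothetical helper (not moby's code). It resolves path
// as the kernel does after chroot(root): symlinks are followed with root as "/".
func resolveInRoot(root, path string) (string, error) {
	cur, todo := "/", strings.Split(path, "/")
	for hops := 0; len(todo) > 0; {
		c := todo[0]
		todo = todo[1:]
		next := filepath.Join(cur, c) // Join cleans, so ".." stops at "/"
		target, err := os.Readlink(filepath.Join(root, next))
		if err != nil || c == "" || c == "." || c == ".." {
			cur = next // not a symlink, not created yet, or a dot entry
			continue
		}
		if hops++; hops > 40 {
			return "", fmt.Errorf("too many symlinks in %q", path)
		}
		if filepath.IsAbs(target) {
			cur = "/" // absolute target restarts at root, not at the host "/"
		}
		todo = append(strings.Split(target, "/"), todo...)
	}
	return filepath.Join(root, cur), nil
}

// demo plants a constructed link root/dst -> "/" and resolves it both ways.
func demo(root string) (naive, scoped string, err error) {
	if err = os.Symlink("/", filepath.Join(root, "dst")); err != nil {
		return
	}
	naive, _ = filepath.EvalSymlinks(filepath.Join(root, "dst")) // host view
	scoped, err = resolveInRoot(root, "dst/etc")
	return
}

func main() {
	root, _ := os.MkdirTemp("", "rootfs") // constructed container root
	defer os.RemoveAll(root)
	fmt.Println(demo(root))
}
```

From the host's view `dst` is the host's `/`; with the container root as "/", `dst/etc` stays at `<root>/etc`.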