[PATCH] Pass root to chroot to for chroot Untar
author Brian Goff <cpuguy83@gmail.com>
Thu, 30 May 2019 18:15:09 +0000 (11:15 -0700)
committer Felix Geyer <fgeyer@debian.org>
Sun, 14 Jun 2020 20:12:29 +0000 (21:12 +0100)
commit 84c58b795ee765ae1da330dff1c5a1ef8ffff47d
tree f192d36bdad772439c2a74dcd8a9aaad00ce2b06
parent 26b2abffade3b1a9ce919d01e21b5733167a1243

This is useful for preventing CVE-2018-15664 where a malicious container
process can take advantage of a race on symlink resolution/sanitization.

Before this change chrootarchive would chroot to the destination
directory which is attacker controlled. With this patch we always chroot
to the container's root which is not attacker controlled.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Origin: upstream, https://github.com/moby/moby/pull/39292

Gbp-Pq: Name cve-2018-15664-01-pass-root-to-chroot-to-for-chroot-untar.patch
engine/daemon/archive.go
engine/pkg/chrootarchive/archive.go
engine/pkg/chrootarchive/archive_unix.go
engine/pkg/chrootarchive/archive_windows.go
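
The difference between sanitizing the destination on the host and resolving it inside a chroot to the container root, as an added example that is not code from this commit or from moby. `destInsideRoot`, `inside`, `swapDemo` and the temporary directory layout are hypothetical and constructed for illustration; no real `chroot` is performed, since that needs privileges.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// destInsideRoot (hypothetical helper) maps host path dest to the path it has
// after chroot(root). It is purely lexical: symlinks are left for the kernel
// to resolve later, inside the chroot, where they cannot lead out of root.
func destInsideRoot(root, dest string) (string, error) {
	rel, err := filepath.Rel(root, dest)
	if err != nil || !filepath.IsLocal(rel) {
		return "", errors.Join(err, errors.New("destination is outside the container root"))
	}
	return filepath.Join("/", rel), nil
}

// inside reports whether p, with symlinks resolved on the host, is under root.
func inside(root, p string) bool {
	realRoot, err1 := filepath.EvalSymlinks(root)
	realP, err2 := filepath.EvalSymlinks(p)
	_, err3 := destInsideRoot(realRoot, realP)
	return errors.Join(err1, err2, err3) == nil
}

// swapDemo uses a constructed temp layout: rootfs/data is checked, replaced by
// a symlink to a directory outside rootfs, then checked again.
func swapDemo() (before, after bool, chrootDest string, err error) {
	tmp, err := os.MkdirTemp("", "chroot-demo")
	if err != nil {
		return
	}
	defer os.RemoveAll(tmp)
	root, outside := filepath.Join(tmp, "rootfs"), filepath.Join(tmp, "outside")
	dest := filepath.Join(root, "data")
	e1 := errors.Join(os.MkdirAll(dest, 0755), os.Mkdir(outside, 0755))
	before = inside(root, dest) // host-side sanitization passes at check time
	e2 := errors.Join(os.Remove(dest), os.Symlink(outside, dest))
	after = inside(root, dest) // same path string now resolves outside root
	chrootDest, e3 := destInsideRoot(root, dest)
	return before, after, chrootDest, errors.Join(e1, e2, e3)
}

func main() {
	fmt.Println(swapDemo())
}
```

The host-side check gives a different answer before and after the swap, while the chroot-relative path stays `/data` regardless of what the container does to that entry.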