From d9efc31daf2206f7d3fdb839863cf7a576a2eb57 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 24 Mar 2021 00:17:06 +1100 Subject: [PATCH 1/2] layer: don't permit / type to be changed on extraction If users can change the type of / to a symlink, they can cause umoci to overwrite host files. This is obviously bad, and is not caught by the rest of our directory escape detection code because the root itself has been changed to a different directory. Fixes: CVE-2021-29136 Reported-by: Robin Peraglie Tested-by: Daniel Dao Reviewed-by: Tycho Andersen Signed-off-by: Aleksa Sarai --- oci/layer/tar_extract.go | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/oci/layer/tar_extract.go b/oci/layer/tar_extract.go index 1b8c3d67c..d74141051 100644 --- a/oci/layer/tar_extract.go +++ b/oci/layer/tar_extract.go @@ -404,6 +404,11 @@ func (te *TarExtractor) UnpackEntry(root string, hdr *tar.Header, r io.Reader) ( if filepath.Join("/", hdr.Name) == "/" { // If we got an entry for the root, then unsafeDir is the full path. unsafeDir, file = hdr.Name, "." + // If we're being asked to change the root type, bail because they may + // change it to a symlink which we could inadvertently follow. + if hdr.Typeflag != tar.TypeDir { + return errors.New("malicious tar entry -- refusing to change type of root directory") + } } dir, err := securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval) if err != nil { From c6feeab1fb4ab36b8bbfd7ce80ac3e3569240ad4 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Mon, 5 Apr 2021 21:56:28 +1000 Subject: [PATCH 2/2] CHANGELOG: update for 0.4.7 Signed-off-by: Aleksa Sarai --- CHANGELOG.md | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf9b8790e..0b86e67c3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -14,6 +14,38 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ## [Unreleased] ## +### Security ### +- A security flaw was found in umoci, and has been fixed in this release. If + umoci was used to unpack a malicious image (using either `umoci unpack` or + `umoci raw unpack`) that contained a symlink entry for `/.`, umoci would + apply subsequent layers to the target of the symlink (resolved on the host + filesystem). This means that if you ran umoci as root, a malicious image + could overwrite any file on the system (assuming you didn't have any other + access control restrictions). CVE-2021-29136 + +### Added ### +- umoci now compiles on FreeBSD and appears to work, with the notable + limitation that it currently refuses to extract non-Linux images on any + platform (this will be fixed in a future release -- see #364). #357 +- Initial fuzzer implementations for oss-fuzz. #365 + +### Changed ### +- umoci will now read all trailing data from image layers, to combat the + existence of some image generators that appear to append NUL bytes to the end + of the gzip stream (which would previously cause checksum failures because we + didn't read nor checksum the trailing junk bytes). However, umoci will still + not read past the descriptor length. #360 +- umoci now ignores all overlayfs xattrs during unpack and repack operations, + to avoid causing issues when packing a raw overlayfs directory. #354 +- Changes to the (still-internal) APIs to allow for users to use umoci more + effectively as a library. + - The garbage collection API now supports custom GC policies. #338 + - The mutate API now returns information about what layers were added by the + operation. #344 + - The mutate API now supports custom compression, and has in-tree support for + zstd. #348 #350 + - Support overlayfs-style whiteouts during unpack and repack. 
#342 + ## [0.4.6] - 2020-06-24 ## umoci has been adopted by the Open Container Initative as a reference implementation of the OCI Image Specification. This will have little impact on @@ -22,7 +54,7 @@ piece of "boring container infrastructure" that can be used to build larger systems. ### Changed ### -* As part of the adoption procedure, the import path and module name of umoci +- As part of the adoption procedure, the import path and module name of umoci has changed from `github.com/openSUSE/umoci` to `github.com/opencontainers/umoci`. This means that users of our (still unstable) Go API will have to change their import paths in order to update to
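Review bot: the tar_extract.go hunk adds no regression test even though the diffstat shows only `oci/layer/tar_extract.go` changed (5 insertions); a unit test that feeds `UnpackEntry` a header with `Name: "."` (or `"/."`, which the CHANGELOG names as the trigger) and `Typeflag: tar.TypeSymlink` and asserts on the returned error would pin the fix and prevent the check from being silently weakened later. The placement itself is correct: the type check sits inside the `filepath.Join("/", hdr.Name) == "/"` branch and returns before `securejoin.SecureJoinVFS(root, unsafeDir, te.fsEval)` is reached, so a root entry of any non-directory type (not only symlinks) is rejected before anything touches the filesystem. Two small follow-ups: confirm that the `errors` package used by `errors.New(...)` is already imported in this file, since the hunk adds no import, and consider whether a root entry with `TypeDir` should still have its mode/ownership applied (the hunk only guards the type, which is the CVE-2021-29136 fix; metadata handling of `/` is unchanged).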
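Review bot: in the first CHANGELOG.md hunk (`@@ -14,6 +14,38 @@`) the commit subject says "update for 0.4.7", but the new `### Security ###`, `### Added ###` and `### Changed ###` sections are inserted under the unchanged `## [Unreleased] ##` heading; if this commit is meant to be the release note, the heading should become a `## [0.4.7] - <date> ##` entry in the same form as `## [0.4.6] - 2020-06-24 ##` below it, otherwise the subject line should say the release heading lands separately. The Security entry should also state the affected versions and the fixed version explicitly (readers of a CVE entry need both), and it should describe the fix as implemented in PATCH 1/2, i.e. umoci now refuses any tar entry that changes the type of the root directory, not only symlink entries for `/.`, so that consumers know the broader class is covered. The `#342` reference for the overlayfs-whiteout bullet has been split from its bullet by extraction here but is intact in the patch.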
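Review bot: the second CHANGELOG.md hunk (`@@ -22,7 +54,7 @@`) only converts the bullet marker of the 0.4.6 "As part of the adoption procedure" entry from `*` to `-`; that is an unrelated style normalisation bundled into the 0.4.7 release-notes commit, and the commit message does not mention it. Either drop it from this security release commit or add a line to the message noting the bullet-style cleanup, and check whether other `*` bullets in the 0.4.6 section (not visible in this hunk) need the same treatment so the file does not end up with mixed markers.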