oss-sec mailing list archives
Re: CVE Request: docker2aci: Path traversals present in image converting
From: Alex Crawford <alex.crawford () coreos com>
Date: Wed, 28 Sep 2016 08:54:01 -0700
On 09/28, 张开翔 wrote:
This is Kaixiang Zhang of the Cloud Security Team, Qihoo 360. I submitted an path traversal vulnerability to docker2aci <https://github.com/appc/docker2aci/issues/201> recently. The issue exists in image converting, there must be a possibility that it extracts embedded layer data to arbitrary directories or paths since no essential check for the output file path. Could you please assign a CVE number for it? Thanks.
Thanks for the report. We are investigating your docker2aci report in order to evaluate the total impact and provide a patch. Our initial analysis confirms there is a path traversal bug in the docker layer conversion library. However, due to the specific nature of how a malicious image must be crafted to exploit this bug (ie. invalid format), the attack vector is largely mitigated by how Docker registries are implemented. Therefore, we believe the bug has limited impact and will not affect typical usage of docker2aci. The attacks vector requires crafting layer IDs which are not valid, according to current Docker image specifications, and thus remote exploitation relies on registries providing non-conformant Docker images. Since common registry implementations like the Docker Registry and quay.io validate layer IDs when an image is uploaded, this bug should not affect the vast majority of usage of the library. Just for reference, we typically investigate issues together with reporters, evaluating the impact and requesting a CVE whenever needed. In your case, this was not possible as we received your initial email at 02:38 UTC and you subsequently sent a PoC to oss-security at 08:27 UTC, without any space for investigation on our side. -Alex
Attachment:
signature.asc
Description: Digital signature
Current thread:
- CVE Request: docker2aci: Path traversals present in image converting 张开翔 (Sep 28)
- Re: CVE Request: docker2aci: Path traversals present in image converting Alex Crawford (Sep 28)
- Re: CVE Request: docker2aci: Path traversals present in image converting cve-assign (Sep 28)