You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
49 lines
1.4 KiB
49 lines
1.4 KiB
4 years ago
|
From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
|
||
|
From: TomSweeneyRedHat <tsweeney@redhat.com>
|
||
|
Date: Tue, 24 Mar 2020 20:10:22 -0400
|
||
|
Subject: [PATCH] Fix potential CVE in tarfile w/ symlink
|
||
|
|
||
|
Stealing @nalind 's workaround to avoid refetching
|
||
|
content after a file read failure. Under the right
|
||
|
circumstances that could be a symlink to a file meant
|
||
|
to overwrite a good file with bad data.
|
||
|
|
||
|
Testing:
|
||
|
```
|
||
|
goodstuff
|
||
|
|
||
|
[1] 14901
|
||
|
|
||
|
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
|
||
|
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
|
||
|
no FROM statement found
|
||
|
|
||
|
goodstuff
|
||
|
```
|
||
|
|
||
|
Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com>
|
||
|
---
|
||
|
imagebuildah/util.go | 5 +++--
|
||
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
|
||
|
--- a/imagebuildah/util.go.CVE-2020-10696
|
||
|
+++ b/imagebuildah/util.go
|
||
|
@@ -12,6 +12,7 @@ import (
|
||
|
|
||
|
"github.com/containers/buildah"
|
||
|
"github.com/containers/storage/pkg/chrootarchive"
|
||
|
+ "github.com/containers/storage/pkg/ioutils"
|
||
|
"github.com/pkg/errors"
|
||
|
"github.com/sirupsen/logrus"
|
||
|
)
|
||
|
@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
|
||
|
}
|
||
|
dockerfile := filepath.Join(dir, "Dockerfile")
|
||
|
// Assume this is a Dockerfile
|
||
|
- if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
|
||
|
+ if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
|
||
|
return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
|
||
|
}
|
||
|
}
|