Bugzilla – Bug 1184147
VUL-0: CVE-2021-29136: umoci: malicious layer allows overwriting of host files
Last modified: 2021-09-13 10:30:21 UTC
public through https://github.com/opencontainers/umoci/security/advisories/GHSA-9m95-8hx6-7p9v

Description

Impact

umoci 0.4.6 and earlier can be tricked into modifying host files by creating a malicious layer that has a symlink with the name "." (or "/"). Because umoci deletes inodes if they change types, this results in the rootfs directory being replaced with an attacker-controlled symlink. Subsequent image layers will then be applied on top of the target of the symlink (which could be any directory on the host filesystem the user running umoci has access to). While umoci does have defences against symlink-based attacks, they are all implemented by resolving things relative to the rootfs directory -- if the rootfs itself is a symlink, umoci resolves it first.

This vulnerability affects both "umoci unpack" and "umoci raw unpack".

Patches

This issue has been patched in umoci 0.4.7, see the references section for the specific commit which fixed this vulnerability.

Workarounds

Note that if you use umoci as an unprivileged user (using the --rootless flag) then umoci will not be able to overwrite any files that your user doesn't have access to. Other possible mitigations are to run umoci under an LSM profile such as AppArmor or SELinux to restrict the level of access it has outside of container image directories.

References

[commit][commit]

Credits

Thanks to Robin Peraglie from Cure53 for discovering and reporting this vulnerability.

For more information

If you have any questions or comments about this advisory:
Open an issue in https://github.com/opencontainers/umoci.
Email us at security@opencontainers.org.
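The advisory describes two conditions a defender can check for before layers are applied: a layer tar entry that names the layer root (".", "/", or a path that cleans to the root) but is not a directory, and an unpack target that is already a symlink rather than a real directory. The program below is an added illustration of both checks; it is not code from umoci, from the advisory, or from the reporter. The layer archive is constructed in memory, and the names ScanLayer, RootfsIsSymlink, BuildSampleLayer and the /tmp link target are assumptions of this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path"
)

// Finding records a layer entry that would replace the rootfs directory itself.
type Finding struct {
	Name string // entry name as stored in the tar header
	Type byte   // tar Typeflag of the entry ('2' is a symlink)
}

// refersToRoot reports whether an entry name, once cleaned, denotes the layer
// root: ".", "/", "./", "//" and "a/.." all collapse to "/".
func refersToRoot(name string) bool {
	return path.Clean("/"+name) == "/"
}

// ScanLayer walks a tar layer and returns every entry that names the layer
// root but is not a directory. In a well-formed layer the root is only ever a
// directory, so any other type there (symlink, regular file, hard link) is
// the pattern the advisory describes and the layer should be rejected.
func ScanLayer(r io.Reader) ([]Finding, error) {
	tr := tar.NewReader(r)
	var findings []Finding
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		if refersToRoot(hdr.Name) && hdr.Typeflag != tar.TypeDir {
			findings = append(findings, Finding{Name: hdr.Name, Type: hdr.Typeflag})
		}
	}
}

// RootfsIsSymlink reports whether the unpack target is itself a symlink. This
// is the state a malicious layer leaves behind; a later layer must not be
// applied into it. Lstat (not Stat) is used so the link is not followed.
func RootfsIsSymlink(rootfs string) (bool, error) {
	fi, err := os.Lstat(rootfs)
	if err != nil {
		return false, err
	}
	return fi.Mode()&os.ModeSymlink != 0, nil
}

// BuildSampleLayer constructs, in memory, a layer with one ordinary file and a
// symlink entry named "." (constructed test data, not a real image layer).
func BuildSampleLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	body := []byte("hello\n")
	must(tw.WriteHeader(&tar.Header{Name: "etc/motd", Mode: 0644, Size: int64(len(body)), Typeflag: tar.TypeReg}))
	_, err := tw.Write(body)
	must(err)
	// The entry that matters: "." stored as a symlink instead of a directory.
	must(tw.WriteHeader(&tar.Header{Name: ".", Mode: 0777, Typeflag: tar.TypeSymlink, Linkname: "/tmp/example-target"}))
	must(tw.Close())
	return buf.Bytes()
}

func main() {
	findings, err := ScanLayer(bytes.NewReader(BuildSampleLayer()))
	if err != nil {
		fmt.Println("scan failed:", err)
		os.Exit(1)
	}
	if len(findings) == 0 {
		fmt.Println("layer ok: root entry is a directory")
		return
	}
	for _, f := range findings {
		fmt.Printf("refusing layer: entry %q has tar type %q but names the rootfs\n", f.Name, f.Type)
	}
}
```

Both checks are cheap enough to run on every layer before extraction; the tar scan needs only the headers, and the Lstat guard should be repeated between layers, since the advisory's point is that the rootfs can change type part way through an unpack.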
This is an autogenerated message for OBS integration: This bug (1184147) was mentioned in
https://build.opensuse.org/request/show/883463 15.2 / umoci
https://build.opensuse.org/request/show/883464 Backports:SLE-15-SP3 / umoci
SUSE-SU-2021:1116-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1184147
CVE References: CVE-2021-29136
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): umoci-0.4.6-3.9.1
SUSE Manager Retail Branch Server 4.0 (src): umoci-0.4.6-3.9.1
SUSE Manager Proxy 4.0 (src): umoci-0.4.6-3.9.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): umoci-0.4.6-3.9.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): umoci-0.4.6-3.9.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): umoci-0.4.6-3.9.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src): umoci-0.4.6-3.9.1
SUSE Linux Enterprise Module for Containers 15-SP2 (src): umoci-0.4.6-3.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): umoci-0.4.6-3.9.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): umoci-0.4.6-3.9.1
SUSE Enterprise Storage 6 (src): umoci-0.4.6-3.9.1
SUSE CaaS Platform 4.0 (src): umoci-0.4.6-3.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0548-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1184147 CVE References: CVE-2021-29136 JIRA References: Sources used: openSUSE Leap 15.2 (src): umoci-0.4.6-lp152.2.3.1
openSUSE-SU-2021:0810-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1184147 CVE References: CVE-2021-29136 JIRA References: Sources used: openSUSE Backports SLE-15-SP2 (src): singularity-3.7.3-bp152.2.19.3
SUSE-SU-2021:1863-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1184147
CVE References: CVE-2021-29136
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): umoci-0.4.7-3.12.1
SUSE Manager Retail Branch Server 4.0 (src): umoci-0.4.7-3.12.1
SUSE Manager Proxy 4.0 (src): umoci-0.4.7-3.12.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): umoci-0.4.7-3.12.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): umoci-0.4.7-3.12.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): umoci-0.4.7-3.12.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src): umoci-0.4.7-3.12.1
SUSE Linux Enterprise Module for Containers 15-SP2 (src): umoci-0.4.7-3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): umoci-0.4.7-3.12.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): umoci-0.4.7-3.12.1
SUSE Enterprise Storage 6 (src): umoci-0.4.7-3.12.1
SUSE CaaS Platform 4.0 (src): umoci-0.4.7-3.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0846-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1184147 CVE References: CVE-2021-29136 JIRA References: Sources used: openSUSE Leap 15.2 (src): umoci-0.4.7-lp152.2.6.1
openSUSE-SU-2021:1863-1: An update that fixes one vulnerability is now available. Category: security (important) Bug References: 1184147 CVE References: CVE-2021-29136 JIRA References: Sources used: openSUSE Leap 15.3 (src): umoci-0.4.7-3.12.1
SUSE-SU-2021:1863-2: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1184147
CVE References: CVE-2021-29136
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): umoci-0.4.7-3.12.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released