appc / docker2aci

library and CLI tool to convert Docker images to ACIs (archived, see https://github.com/rkt/rkt/issues/4024)
Apache License 2.0

Path traversals present in image converting #201

Closed soh0ro0t closed 8 years ago

soh0ro0t commented 8 years ago

Description

> In code review, I found a path traversal vulnerability in docker2aci's Docker image converting. There must be a possibility that it extracts embedded layer data to arbitrary directories or paths, since there is no essential check on file paths; RCE or privilege escalation could be performed.

> It is indeed true: I tested the issue by building a malicious image. If running as root, arbitrary files could be written to arbitrary paths, like backdoors; if running as an unprivileged user, arbitrary files could also be extracted to some paths within the capabilities of the current user.

> It is quite critical, right? Could you request a CVE for that?

jonboulle commented 8 years ago

Thanks for submitting this bug report. docker2aci development is primarily handled by CoreOS, so we'd like to handle this via our Security Disclosure policy. Could you kindly send an email to security@coreos.com with more details so we can investigate further?

https://coreos.com/security/disclosure/

soh0ro0t commented 8 years ago

fine

soh0ro0t commented 8 years ago

The issue has been sent to security@coreos.com by email, with no response. I'm going to report it to oss-security for handling and request a CVE identifier, OK?

lucab commented 8 years ago

For reference, this has been assigned CVE-2016-7569 with a low to medium impact, typically mitigated for remote attack vectors.

Given the very short timeline for the disclosure, a patch is currently being worked on and will appear in the next release.

lucab commented 8 years ago

@TheBeeMan a proposed fix for this is up at https://github.com/appc/docker2aci/pull/204, adding additional validation on crafted images. Can you please take a look at it?

soh0ro0t commented 8 years ago

I reviewed the patch for CVE-2016-7569 and ran some tests with the previous malicious image; it addressed the issue.
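As an added illustration of the kind of validation the thread calls for (this is not docker2aci's code and not the patch from PR #204, which is not reproduced here): a Go helper that vets every layer entry's path against the extraction root before anything is written, run over a constructed in-memory layer. `SafeLayerPath`, `VetLayer`, `CraftedLayer` and the root directory `/tmp/aci-rootfs` are assumed names for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// SafeLayerPath maps a layer entry name onto root and rejects any name that would
// resolve outside it; Join cleans first, and absolute names are re-rooted under root.
func SafeLayerPath(root, name string) (string, error) {
	dest := filepath.Join(root, name)
	rel, err := filepath.Rel(root, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes extraction root %q", name, root)
	}
	return dest, nil
}

// VetLayer walks a tar layer without extracting anything and returns the names of entries that would land outside root.
func VetLayer(layer []byte, root string) ([]string, error) {
	var rejected []string
	tr := tar.NewReader(bytes.NewReader(layer))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		}
		if err != nil {
			return nil, err
		}
		if _, perr := SafeLayerPath(root, hdr.Name); perr != nil {
			rejected = append(rejected, hdr.Name)
		}
	}
}

// CraftedLayer builds a constructed in-memory layer mixing benign entries with traversal attempts of the kind the issue describes.
func CraftedLayer() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range []string{"etc/hostname", "../../etc/cron.d/job", "usr/../../../bin/sh", "/etc/motd"} {
		tw.WriteHeader(&tar.Header{Name: n, Mode: 0644, Typeflag: tar.TypeReg})
	}
	tw.Close()
	return buf.Bytes()
}
```

Run against a real layer, any non-empty result from `VetLayer` is a reason to refuse the image rather than to "fix up" the path, since a traversal entry indicates a crafted image.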