Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1693313 - CVE-2019-1002101 - oc/kubectl fix potential directory traversal
Summary: CVE-2019-1002101 - oc/kubectl fix potential directory traversal
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Command Line Interface
Version: 4.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 4.1.0
Assignee: Maciej Szulik
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks: 1693315 1693318 1693320
TreeView+ depends on / blocked
 
Reported: 2019-03-27 14:15 UTC by Maciej Szulik
Modified: 2019-04-16 10:58 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1693315 (view as bug list)
Environment:
Last Closed:
Target Upstream Version:


Attachments (Terms of Use)
pwn.tar (deleted)
2019-04-08 13:44 UTC, Xingxing Xia
no flags Details

Comment 2 Xingxing Xia 2019-04-01 08:05:43 UTC
First prepare data:
oc new-app centos/ruby-25-centos7~https://github.com/sclorg/ruby-ex.git
oc get po
NAME               READY   STATUS      RESTARTS   AGE
ruby-ex-1-deploy   0/1     Completed   0          3m46s
ruby-ex-1-qdcvp    1/1     Running     0          3m30s

oc rsh ruby-ex-1-qdcvp
sh-4.2$ cd /tmp
sh-4.2$ ln -s /bin/ls mysl

Then reproduce it with old oc that does not include the fix, e.g. 4.0.18:
4.0.18/oc cp ruby-ex-1-qdcvp:/tmp/mysl ./
tar: Removing leading `/' from member names
ls -l
lrwxrwxrwx. 1 tester qe         7 Apr  1 15:13 mysl -> /bin/ls

Finally use new oc that includes the fix, e.g. 4.0.22:
4.0.22/oc cp ruby-ex-1-qdcvp:/tmp/mysl ./
tar: Removing leading `/' from member names
warning: link "mysl" is pointing to "/bin/ls" which is outside target destination, skipping  <-- the issue is fixed

Comment 6 Xingxing Xia 2019-04-08 13:44:55 UTC
Created attachment 1553633 [details]
pwn.tar


Note You need to log in before you can comment on or make changes to this bug.