Overview
Request 883464 revoked
- Update to umoci v0.4.7. CVE-2021-29136 bsc#1184147
A security flaw was found in umoci, and has been fixed in this release. If
umoci was used to unpack a malicious image (using either umoci unpack or
umoci raw unpack) that contained a symlink entry for /., umoci would apply
subsequent layers to the target of the symlink (resolved on the host
filesystem). This means that if you ran umoci as root, a malicious image
could overwrite any file on the system (assuming you didn't have any other
access control restrictions). Thanks to Robin Peraglie from Cure53 for
discovering this bug. CVE-2021-29136
* umoci now compiles on FreeBSD and appears to work, with the notable
limitation that it currently refuses to extract non-Linux images on any
platform (this will be fixed in a future release).
* Initial fuzzer implementations for oss-fuzz.
* umoci will now read all trailing data from image layers, to combat the
existence of some image generators that appear to append NUL bytes to the
end of the gzip stream (which would previously cause checksum failures
because we didn't read nor checksum the trailing junk bytes). However,
umoci will still not read past the descriptor length.
* umoci now ignores all overlayfs xattrs during unpack and repack
operations, to avoid causing issues when packing a raw overlayfs
directory.
* For details, see CHANGELOG.md in the package.
- Created by cyphar
- In state revoked
- Open review for openSUSE:Backports:SLE-15-SP3:Staging:adi:8
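The kind of rootfs-root check the description above calls for, as an added Go example that is not umoci's own code and does not reproduce its actual fix: a layer whose root entry ("/.", "./" or ".") is anything but a directory is rejected before later layers could be joined onto it. The tar fixtures, the "/etc" link target, the "./etc/hostname" file and the names CheckLayerEntries, SampleLayer, MaliciousRoot and BenignRoot are all constructed for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
)

// ErrRootNotDir: an entry tries to replace the rootfs root itself with a non-directory.
var ErrRootNotDir = errors.New("rootfs root entry must be a directory")

// CheckLayerEntries scans one uncompressed tar layer and rejects any entry that would
// turn the rootfs root into a non-directory (e.g. a symlink to a host path); later
// layers joined onto such a root would be applied to the link target on the host.
func CheckLayerEntries(r io.Reader) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		// Normalise as an unpacker would before joining onto the rootfs path:
		// "/.", "./", "." and "" all denote the root and clean to "/".
		if path.Clean("/"+hdr.Name) == "/" && hdr.Typeflag != tar.TypeDir {
			return fmt.Errorf("entry %q: %w", hdr.Name, ErrRootNotDir)
		}
	}
}

// SampleLayer builds a constructed in-memory two-entry layer (a fixture, not a real
// image): the given root entry followed by one regular file beneath it.
func SampleLayer(root *tar.Header) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range []*tar.Header{root, {Name: "./etc/hostname", Typeflag: tar.TypeReg, Mode: 0644}} {
		if err := tw.WriteHeader(h); err != nil {
			panic(err) // fixture headers are static, so this cannot fail
		}
	}
	tw.Close()
	return buf.Bytes()
}

// MaliciousRoot follows the CVE-2021-29136 pattern: a symlink named "/." pointing at a
// host path ("/etc" is an arbitrary constructed target). BenignRoot is a plain directory.
var MaliciousRoot = &tar.Header{Name: "/.", Typeflag: tar.TypeSymlink, Linkname: "/etc", Mode: 0777}
var BenignRoot = &tar.Header{Name: "./", Typeflag: tar.TypeDir, Mode: 0755}
```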
Request History
cyphar created request
bigironman added as a reviewer
Being evaluated by staging project "openSUSE:Backports:SLE-15-SP3:Staging:adi:8"
bigironman accepted review
Picked "openSUSE:Backports:SLE-15-SP3:Staging:adi:8"
maxlin_factory declined request
SLE package, please submit it to SLE project https://build.opensuse.org/package/live_build_log/openSUSE:Backports:SLE-15-SP3:Staging:adi:8/umoci/standard/x86_64
cyphar revoked request