Fix TOCTOU race bug in tar extraction#12961
| } | ||
| // Only final created directory gets explicit permission | ||
| // call to avoid permission mask | ||
| return os.Chmod(path, perm) |
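Review bot: the comment above `return os.Chmod(path, perm)` says the explicit call exists "to avoid permission mask", but os.Chmod takes a path name rather than a descriptor for the directory just created, so it is itself a check-then-use sequence of the kind this PR's title sets out to remove; if this block is kept, the comment should say why this particular call is considered safe, or the chmod should be applied through a handle to the directory that was just made. As the reply below notes this change was removed, so the point only applies if the block is reinstated.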
This part doesn't seem to need modification
I removed this change
While it is true that TOCTOU may happen during
These discussions are not publicly visible, but the gist is that we do not believe a practical attack exists here.
Signed-off-by: Shachar Tal <[email protected]>
/cherry-pick release/2.2
@AkihiroSuda: once the present PR merges, I will cherry-pick it on top of
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@AkihiroSuda: new pull request created: #12969

@AkihiroSuda: new pull request created: #12970

@AkihiroSuda: new pull request created: #12971

/cherry-pick release/2.0

@chrishenzie: new pull request created: #13237
See https://github.com/containerd/containerd/security/advisories/GHSA-ww5g-h6rh-8wm3 for a conversation around this particular bug.