pkg/archive: nosysFileInfo: implement tar.FileInfoNames to prevent lookups#49152
thaJeztah merged 1 commit into moby:master from
Conversation
I'm now considering if this part is accurate;

Reading back some comments from @corhere in #42402 (comment) and some following that, there were still concerns about running Go code inside the ("hostile") chrooted environment. The user lookups addressed here (and patches before this) were the known cases where libraries could be loaded, but may not be comprehensive. So perhaps the
moby/pkg/chrootarchive/archive_unix.go lines 16 to 21 in 2c56497
I recall from some discussion though that there was doubt whether that
…okups

commit e9bbc41 removed our fork of pkg/archive that was in place to mitigate CVE-2019-14271. As part of that change, a nosysFileInfo type was added to prevent tar.FileInfoHeader from looking up user- and group-names.

A proposal was pending in go https://go.dev/issue/50102 to define an interface for implementing custom lookup functions to be implemented, and disable go's builtin lookup. That proposal was accepted, and is now implemented in go1.23.

This patch makes the nosysFileInfo implement the tar.FileInfoNames interface to prevent tar.FileInfoHeader from performing its own lookups. While the mitigation implemented in e9bbc41 should already prevent this from happening, implementing the interface does not cost us much and is complementary to the existing mitigation.

This patch keeps the mitigation added in a316b10 in place for any unforeseen other code.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
b15a72c to 2b4db93
For posterity; we discussed this PR in the maintainers call, and decided to keep the existing mitigations in place; while some bits are possibly redundant, defense in depth won't hurt, and they don't bring real maintenance cost. I'll bring this patch in, thanks Cory!
relates to:
commit e9bbc41 removed our fork of pkg/archive that was in place to mitigate CVE-2019-14271. As part of that change, a nosysFileInfo type was added to prevent tar.FileInfoHeader from looking up user- and group-names.
A proposal was pending in go https://go.dev/issue/50102 to define an interface for implementing custom lookup functions to be implemented, and disable go's builtin lookup. That proposal was accepted, and is now implemented in go1.23.
This patch makes the nosysFileInfo implement the tar.FileInfoNames interface to prevent tar.FileInfoHeader from performing its own lookups. While the mitigation implemented in e9bbc41 should already prevent this from happening, implementing the interface does not cost us much and is complementary to the existing mitigation.
With this patch in place, we can consider removing the mitigation added in a316b10, which was discussed to be ineffective, but left in place for the time being.
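The mechanism the description explains, as an added example that is not moby's own code: a FileInfo wrapper that both hides Sys() (the earlier mitigation) and implements the go1.23 tar.FileInfoNames method set, so tar.FileInfoHeader never consults os/user for the header's Uname/Gname. The local fileInfoNames interface (a mirror of tar.FileInfoNames, so the file also builds on older toolchains) and the headerWithoutLookups helper are assumptions made for this example.

```go
package main
import (
	"archive/tar"
	"fmt"
	"io/fs"
	"os"
)

// fileInfoNames mirrors archive/tar.FileInfoNames (go1.23+), declared locally
// so this compiles on older toolchains too; on go1.23+ the method sets match,
// so tar.FileInfoHeader takes the names from it instead of calling os/user.
type fileInfoNames interface {
	fs.FileInfo
	Uname() (string, error)
	Gname() (string, error)
}

// nosysFileInfo is modelled on the PR's type (not moby's code): it hides Sys()
// so there is no *syscall.Stat_t to inspect, and answers name lookups itself.
type nosysFileInfo struct{ fs.FileInfo }

// Sys returns nil (nothing to inspect); empty Uname/Gname mean no passwd/group
// lookup, hence no libc call from inside a chroot.
func (nosysFileInfo) Sys() any                 { return nil }
func (nosysFileInfo) Uname() (string, error) { return "", nil }
func (nosysFileInfo) Gname() (string, error) { return "", nil }
var _ fileInfoNames = nosysFileInfo{} // compile-time check of the method set

// headerWithoutLookups (hypothetical helper) builds a tar header via the wrapper.
func headerWithoutLookups(path string) (*tar.Header, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return nil, err
	}
	return tar.FileInfoHeader(nosysFileInfo{fi}, "")
}

func main() {
	f, err := os.CreateTemp("", "nosys-demo-*") // constructed sample file
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	f.Close()
	hdr, err := headerWithoutLookups(f.Name())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s uname=%q gname=%q\n", hdr.Name, hdr.Uname, hdr.Gname)
}
```

Whether the toolchain honours the interface (go1.23+) or only sees the nil Sys() (older), the resulting header carries no user or group name, which is exactly the defense-in-depth the PR argues for.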