• Docker security issue

    From MeaTLoTioN@1337:1/101 to All on Mon Jun 3 10:53:21 2019
    (Note: This PR was made public after discussions with the Docker security
    team, if you find a security vulnerability please report it directly to security@docker.com.)

    There are certain classes of attacks (as evidenced in CVE-2018-15664)
    which are caused by our allowing container processes to be executing
    while we are doing filesystem operations on the container. In
    particular, there are trivial TOCTOU races in symlink resolution and
    scoping that can be exploited.

    The most complete solution to this problem would be to modify
    chrootarchive so that all of the archive operations occur with the root
    as the container rootfs (and not the parent directory, which is what
    causes the vulnerability since the parent is attacker-controlled). Unfortunately, changes to this core piece of Docker are almost
    impossible (the TarUntar interface has many copies and reimplementations
    that would all need to be modified to be able to handle a new "root"
    argument).

    So, we instead settle for the next-best option which is to pause the
    container during our usage of the filesystem. This is far from an ideal solution (you can imagine some attack scenarios such as shared volume
    mounts) where this is ineffectual but it does block the most basic
    attack.

    I am currently working on some new kernel functionality that would allow
    for much safer resolution of paths inside untrusted roots, but as
    above it would be difficult to modify Docker to use it. I am working on
    adding support to filepath-securejoin though (however this will
    require quite a few interface changes).

    Fixes: CVE-2018-15664


    (ref: https://github.com/moby/moby/pull/39252#issue-281099435)

    ---
    Best regards,
    Christian aka MeaTLoTioN

    [eml] ml@erb.pw  [web] www.erb.pw  [fsx] 21:1/158  [tqw] 1337:1/101
    [rtn] 80:774/81  [fdn] 2:250/5  [ark] 10:104/2

    --- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
    * Origin: The Quantum Wormhole, Ramsgate, UK. bbs.erb.pw (1337:1/101)