From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001
From: TomSweeneyRedHat
Date: Tue, 24 Mar 2020 20:10:22 -0400
Subject: [PATCH] Fix potential CVE in tarfile w/ symlink

Stealing @nalind 's workaround to avoid refetching content after a file read failure. Under the right circumstances that could be a symlink to a file meant to overwrite a good file with bad data.

Testing:
```
goodstuff
[1] 14901
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 -
no FROM statement found
goodstuff
```

Signed-off-by: TomSweeneyRedHat
---
 imagebuildah/util.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff -up a/imagebuildah/util.go.CVE-2020-10696 b/imagebuildah/util.go
--- a/imagebuildah/util.go.CVE-2020-10696
+++ b/imagebuildah/util.go
@@ -12,6 +12,7 @@ import (
 	"github.com/containers/buildah"
 	"github.com/containers/storage/pkg/chrootarchive"
+	"github.com/containers/storage/pkg/ioutils"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
@@ -47,7 +48,7 @@ func downloadToDirectory(url, dir string
 		}
 		dockerfile := filepath.Join(dir, "Dockerfile")
 		// Assume this is a Dockerfile
-		if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil {
+		if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil {
 			return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile)
 		}
 	}
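Review bot: The switch to `ioutils.AtomicWriteFile` on the `+` line is the entire security fix, yet nothing at the call site records why a plain `ioutil.WriteFile` was unsafe here; add a why-comment above it, e.g. `// Write via a temp file and rename so a symlink left at dir/Dockerfile by the failed untar is replaced rather than followed (CVE-2020-10696).` The rename also fails rather than clobbers if the partial extraction left a directory at that path, which is the safe outcome, but any other entries the failed untar wrote into dir presumably remain there alongside the new Dockerfile — worth confirming that is acceptable for the build context. `io/ioutil` is not visible in the import hunk, so it must still be referenced elsewhere in the file (the body read, presumably) or the file no longer compiles; the diffstat's 3 insertions/2 deletions versus the 2/1 shown also suggests this rendering may be missing a hunk. The enclosing downloadToDirectory body, including the untar and the refetch the commit message refers to, starts outside the hunk.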