| From 840e7dad513b86f454573ad415701c0199f78d30 Mon Sep 17 00:00:00 2001 |
| From: TomSweeneyRedHat <tsweeney@redhat.com> |
| Date: Tue, 24 Mar 2020 20:10:22 -0400 |
| Subject: [PATCH] Fix potential CVE in tarfile w/ symlink |
| |
| Stealing @nalind 's workaround to avoid refetching |
| content after a file read failure. Under the right |
| circumstances that could be a symlink to a file meant |
| to overwrite a good file with bad data. |
| |
| Testing: |
| ``` |
| goodstuff |
| |
| [1] 14901 |
| |
| 127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 - |
| 127.0.0.1 - - [24/Mar/2020 20:15:50] "GET / HTTP/1.1" 200 - |
| no FROM statement found |
| |
| goodstuff |
| ``` |
| |
| Signed-off-by: TomSweeneyRedHat <tsweeney@redhat.com> |
| |
| imagebuildah/util.go | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| diff --git a/imagebuildah/util.go b/imagebuildah/util.go |
| index 29ea60970..5f14c9883 100644 |
| |
| |
| @@ -14,6 +14,7 @@ import ( |
| |
| "github.com/containers/buildah" |
| "github.com/containers/storage/pkg/chrootarchive" |
| + "github.com/containers/storage/pkg/ioutils" |
| "github.com/opencontainers/runtime-spec/specs-go" |
| "github.com/pkg/errors" |
| "github.com/sirupsen/logrus" |
| @@ -57,7 +58,7 @@ func downloadToDirectory(url, dir string) error { |
| } |
| dockerfile := filepath.Join(dir, "Dockerfile") |
| // Assume this is a Dockerfile |
| - if err := ioutil.WriteFile(dockerfile, body, 0600); err != nil { |
| + if err := ioutils.AtomicWriteFile(dockerfile, body, 0600); err != nil { |
| return errors.Wrapf(err, "Failed to write %q to %q", url, dockerfile) |
| } |
| } |
| @@ -75,7 +76,7 @@ func stdinToDirectory(dir string) error { |
| if err := chrootarchive.Untar(reader, dir, nil); err != nil { |
| dockerfile := filepath.Join(dir, "Dockerfile") |
| // Assume this is a Dockerfile |
| - if err := ioutil.WriteFile(dockerfile, b, 0600); err != nil { |
| + if err := ioutils.AtomicWriteFile(dockerfile, b, 0600); err != nil { |
| return errors.Wrapf(err, "Failed to write bytes to %q", dockerfile) |
| } |
| } |