Subj : Docker security issue
To   : All
From : MeaTLoTioN
Date : Mon Jun 03 2019 10:53 am

(Note: This PR was made public after discussions with the Docker security team, if you find a security vulnerability please report it directly to security@docker.com.)

There are certain classes of attacks (as evidenced in CVE-2018-15664) which are caused by our allowing container processes to be executing while we are doing filesystem operations on the container. In particular, there are trivial TOCTOU races in symlink resolution and scoping that can be exploited.

The most complete solution to this problem would be to modify chrootarchive so that all of the archive operations occur with the root as the container rootfs (and not the parent directory, which is what causes the vulnerability since the parent is attacker-controlled). Unfortunately, changes to this core piece of Docker are almost impossible (the TarUntar interface has many copies and reimplementations that would all need to be modified to be able to handle a new "root" argument).

So, we instead settle for the next-best option which is to pause the container during our usage of the filesystem. This is far from an ideal solution (you can imagine some attack scenarios such as shared volume mounts) where this is ineffectual, but it does block the most basic attack.

I am currently working on some new kernel functionality that would allow for much safer resolution of paths inside untrusted roots, but as above it would be difficult to modify Docker to use it. I am working on adding support to filepath-securejoin though (however this will require quite a few interface changes).
Fixes: CVE-2018-15664 (ref: https://github.com/moby/moby/pull/39252#issue-281099435)

---
Best regards,
Christian aka MeaTLoTioN
[eml] ml@erb.pw
[web] www.erb.pw
[fsx] 21:1/158
[tqw] 1337:1/101
[rtn] 80:774/81
[fdn] 2:250/5
[ark] 10:104/2
--- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
* Origin: The Quantum Wormhole, Ramsgate, UK. bbs.erb.pw (1337:1/101)
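The PR text above talks about "safer resolution of paths inside untrusted roots" as the real fix, with container pausing only as a stopgap. As an added illustration of what that scoped resolution looks like (this is example code written for this post; it is not Docker's chrootarchive, not the moby PR, and not the filepath-securejoin library, whose API and internals differ), the block below implements a minimal SecureJoin in Go: every path component is Lstat'ed inside the root, symlink targets are re-interpreted relative to the root (absolute targets) or to the already-resolved directory (relative targets) instead of the host filesystem, and ".." can never climb above the root. The fixture directory, file contents and symlink names are constructed sample data, and the helper names SecureJoin and BuildFixture are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrTooManyLinks is returned when symlink resolution exceeds maxLinks
// (for example a self-referential link inside the untrusted root).
var ErrTooManyLinks = errors.New("securejoin: too many levels of symbolic links")

const maxLinks = 255

// SecureJoin joins unsafePath onto root so that the result can never refer to
// anything outside root. Each component is Lstat'ed inside root; a symlink's
// target is spliced back into the unprocessed remainder and resolved against
// root (absolute targets) or the directory resolved so far (relative targets),
// never against the host "/". This is a purely lexical+Lstat walk, so it is
// still exposed to the check-vs-use race the PR describes if the directory is
// being modified concurrently; that is why the PR pauses the container.
func SecureJoin(root, unsafePath string) (string, error) {
	if root == "" {
		return "", errors.New("securejoin: empty root")
	}
	root = filepath.Clean(root)
	sep := string(filepath.Separator)

	// resolved is the verified prefix, written as an absolute path *inside*
	// root ("/" means root itself). It never contains "." or "..".
	resolved := sep
	rest := unsafePath
	links := 0

	for rest != "" {
		var comp string
		if i := strings.Index(rest, sep); i >= 0 {
			comp, rest = rest[:i], rest[i+1:]
		} else {
			comp, rest = rest, ""
		}
		switch comp {
		case "", ".":
			continue
		case "..":
			resolved = filepath.Dir(resolved) // Dir("/") == "/", so ".." clamps at root
			continue
		}

		candidate := filepath.Join(resolved, comp)
		fi, err := os.Lstat(filepath.Join(root, candidate))
		switch {
		case errors.Is(err, fs.ErrNotExist):
			resolved = candidate // dangling tail: nothing to follow, append lexically
			continue
		case err != nil:
			return "", err // e.g. ENOTDIR when a file sits where a directory is expected
		case fi.Mode()&fs.ModeSymlink == 0:
			resolved = candidate
			continue
		}

		// Symlink: bound the number of hops, then re-queue its target.
		links++
		if links > maxLinks {
			return "", ErrTooManyLinks
		}
		target, err := os.Readlink(filepath.Join(root, candidate))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			resolved = sep // absolute link targets restart at root, not at host "/"
			target = strings.TrimPrefix(target, sep)
		}
		rest = target + sep + rest
	}
	return filepath.Join(root, resolved), nil
}

// BuildFixture creates a tiny container-style rootfs under dir containing
// symlinks that try to point outside it. All of this is constructed sample
// data for the demonstration.
func BuildFixture(dir string) error {
	if err := os.MkdirAll(filepath.Join(dir, "etc"), 0o755); err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Join(dir, "sub"), 0o755); err != nil {
		return err
	}
	passwd := []byte("root:x:0:0:root:/root:/bin/sh\n") // constructed content
	if err := os.WriteFile(filepath.Join(dir, "etc", "passwd"), passwd, 0o644); err != nil {
		return err
	}
	links := map[string]string{
		"escape":  "/etc/passwd", // absolute target: must stay inside root
		"up":      "../../../..", // relative climb: must clamp at root
		"sub/rel": "../etc",      // relative target within root
		"loop":    "loop",        // self-referential link
	}
	for name, target := range links {
		if err := os.Symlink(target, filepath.Join(dir, name)); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root, err := os.MkdirTemp("", "rootfs-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if err := BuildFixture(root); err != nil {
		panic(err)
	}
	for _, p := range []string{"escape", "up/etc/passwd", "sub/rel/passwd", "../../etc/passwd", "loop"} {
		out, err := SecureJoin(root, p)
		fmt.Printf("%-18s -> %s (err=%v)\n", p, out, err)
	}
}
```

Every path in the demo that would escape under a naive filepath.Join on the host (the absolute symlink, the "../../../.." climb, a leading "../..") resolves to root/etc/passwd instead, and the self-referential link fails with ErrTooManyLinks rather than spinning.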