pkg/archive: nosysFileInfo: implement tar.FileInfoNames to prevent lookups #49152
Conversation
…okups commit e9bbc41 removed our fork of pkg/archive that was in place to mitigate CVE-2019-14271. As part of that change, a nosysFileInfo type was added to prevent tar.FileInfoHeader from looking up user- and group-names. A proposal was pending in go https://go.dev/issue/50102 to define an interface for implementing custom lookup functions to be implemented, and disable go's builtin lookup. That proposal was accepted, and is now implemented in go1.23. Thia patch makes the nosysFileInfo implement the tar.FileInfoNames interface to prevent tar.FileInfoHeader from performing its own lookups. While the mitigation implemented in e9bbc41 should already prevent this from happening, implementing the interface does not cost us much and is complementary to the existing mitigation. With this patch in place, we can consider removing the mitigation added in a316b10, which was discussed to be ineffective, but left in place for the time being. Signed-off-by: Sebastiaan van Stijn <[email protected]>
thaJeztah
added
status/2-code-review
kind/refactor
|
I'm now considering if this part is accurate;
Reading back some comments from @corhere in #42402 (comment) and some following that, there were still concerns about running go code inside the ("hostile") chrooted environment. The user-lookups addressed here (and patches before this) were the known cases where libraries could be loaded, but may not be comprehensive. So perhaps the moby/pkg/chrootarchive/archive_unix.go Lines 16 to 21 in 2c56497 I recall from some discussion though that there was doubt whether that |
relates to:
commit e9bbc41 removed our fork of pkg/archive that was in place to mitigate CVE-2019-14271. As part of that change, a nosysFileInfo type was added to prevent tar.FileInfoHeader from looking up user- and group-names.
A proposal was pending in go https://go.dev/issue/50102 to define an interface for implementing custom lookup functions to be implemented, and disable go's builtin lookup. That proposal was accepted, and is now implemented in go1.23.
Thia patch makes the nosysFileInfo implement the tar.FileInfoNames interface to prevent tar.FileInfoHeader from performing its own lookups. While the mitigation implemented in e9bbc41 should already prevent this from happening, implementing the interface does not cost us much and is complementary to the existing mitigation.
With this patch in place, we can consider removing the mitigation added in a316b10, which was discussed to be ineffective, but left in place for the time being.
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)