Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/moby/moby: GHSA-vp35-85q5-9f25 #1107

Closed
GoVulnBot opened this issue Nov 11, 2022 · 3 comments
Closed
Assignees
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. NeedsTriage

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-vp35-85q5-9f25, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/moby/moby 20.10.20 <= 20.10.19

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - introduced: TODO (earliest fixed "20.10.20", vuln range "<= 20.10.19")
    packages:
      - package: github.com/moby/moby
description: |-
    ### Description

    Moby is the open source Linux container runtime and set of components used to build a variety of downstream container runtimes, including Docker CE, Mirantis Container Runtime (formerly Docker EE), and Docker Desktop. Moby allows for building container images using a set of build instructions (usually named and referred to as a "Dockerfile"), and a build context, which is not unlike the CWD in which the Dockerfile instructions are executed.

    Containers may be built using a variety of tools and build backends available in the Moby ecosystem; in all cases, builds may not include files outside of the build context (such as using absolute or relative-parent paths). This is enforced through both checks in the build backends, and the containerization of the build process itself.

    Versions of Git where CVE-2022-39253 is present and exploited by a malicious repository, when used in combination with Moby, are subject to an unexpected inclusion of arbitrary filesystem paths in the build context, without any visible warning to the user.

    This issue was originally reported by Wenxiang Qian of Tencent Blade Team, and the root-cause analysis was performed by Cory Snider of Mirantis, with assistance from Bjorn Neergaard of the same. The issue was then reported to the Git project, and Taylor Blau led the process resolving the root issue in Git.

    ### Impact

    This vulnerability originates in Git, but can be used to violate assumptions that may have security implications for users of Moby and related components. Users may rely on the fact that a build context ensures that outside files cannot be referenced or incorporated using multiple enforcement mechanisms, or expect a warning if this does not hold true. A maliciously crafted Git repository exploiting CVE-2022-39253 can violate this assumption, and potentially include sensitive files that are subsequently uploaded to a container image repository, or disclosed by code inside the resulting container image.

    As this issue cannot be triggered remotely, except by users who already have full control over the daemon through the API, and it requires exploiting a vulnerability in Git by convincing a user to build a maliciously crafted repository, the impact in Moby is considered low.

    ### Patches

    Moby 20.10.20, and Mirantis Container Runtime (formerly Docker Enterprise Edition) 20.10.14 will contain mitigations for CVE-2022-39253 when a Git clone is performed by Moby components (on either the daemon or API client side). However, as these mitigations only apply to certain scenarios (build of `git+<protocol>://...` URL contexts) and cannot protect against a malicious repository already on disk, users should update to a version of Git containing patches for CVE-2022-39253 on all their systems running both API clients and daemons.

    Specifically, patches in Moby (including patches incorporated from BuildKit) protect against the following:

    * `docker build` with the legacy builder (e.g. `DOCKER_BUILDKIT` unset or set to 0) of a Git URL context. Note that depending on available API versions and the CLI version, the Git clone operation can take place on either the client or the daemon side. Both must be updated (or have Git updated) to fully protect this build method.
    * `docker build` with the BuildKit builder (e.g. `DOCKER_BUILDKIT=1`) of a Git URL context.
    * `docker buildx build` with `BUILDKIT_CONTEXT_KEEP_GIT_DIR=1` of a Git URL context.

    Patches in BuildKit incorporated into Docker Compose protect against CVE-2022-39253 during Compose-driven builds of Git URL contexts.

    Patches in Moby and related projects such as BuildKit, the Docker CLI, and Docker Compose **cannot** fully protect against CVE-2022-39253, as it may be triggered by a malicious repository already on disk that a unpatched Git client has interacted with (specifically, commands that check out submodules such as `git clone --recursive`, `git submodule update`, etc.  may have already triggered the Git vulnerability).

    ### Workarounds

    While this behavior is unexpected and undesirable, and has resulted in this security advisory, users should keep in mind that building a container entails arbitrary code execution. Users should not build a repository/build context they do not trust, as containerization cannot protect against all possible attacks.

    When building with BuildKit (e.g. `docker buildx build` or `docker build` with `DOCKER_BUILDKIT=1`), this issue cannot be exploited unless `--build-arg BUILDKIT_CONTEXT_KEEP_GIT_DIR=1` was also passed, as by default BuildKit will discard the `.git` directory of a Git URL context immediately after cloning and checking out the repository.

    ### For more information

    If you have any questions or comments about this advisory:

    * [Open an issue](https://github.com/moby/moby/issues/new)
    * Email us at [security@docker.com](mailto:security@docker.com)
ghsas:
  - GHSA-vp35-85q5-9f25

@zpavlinovic zpavlinovic self-assigned this Nov 11, 2022
@zpavlinovic zpavlinovic added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Nov 11, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/449739 mentions this issue: data/excluded: batch add GO-2022-1106, GO-2022-1105, GO-2022-1107

gopherbot pushed a commit that referenced this issue Nov 11, 2022
Fixes #1106, #1105, #1107

Change-Id: Ife5f466849f2bb78381ad33d916de6064d16c1d0
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/449739
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Zvonimir Pavlinovic <zpavlinovic@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592835 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607231 mentions this issue: data/reports: unexclude 20 reports (29)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-1079.yaml
  - data/reports/GO-2022-1080.yaml
  - data/reports/GO-2022-1081.yaml
  - data/reports/GO-2022-1089.yaml
  - data/reports/GO-2022-1099.yaml
  - data/reports/GO-2022-1100.yaml
  - data/reports/GO-2022-1105.yaml
  - data/reports/GO-2022-1106.yaml
  - data/reports/GO-2022-1107.yaml
  - data/reports/GO-2022-1119.yaml
  - data/reports/GO-2022-1120.yaml
  - data/reports/GO-2022-1121.yaml
  - data/reports/GO-2022-1132.yaml
  - data/reports/GO-2022-1135.yaml
  - data/reports/GO-2022-1138.yaml
  - data/reports/GO-2022-1147.yaml
  - data/reports/GO-2022-1151.yaml
  - data/reports/GO-2022-1152.yaml
  - data/reports/GO-2022-1153.yaml
  - data/reports/GO-2022-1154.yaml

Updates #1079
Updates #1080
Updates #1081
Updates #1089
Updates #1099
Updates #1100
Updates #1105
Updates #1106
Updates #1107
Updates #1119
Updates #1120
Updates #1121
Updates #1132
Updates #1135
Updates #1138
Updates #1147
Updates #1151
Updates #1152
Updates #1153
Updates #1154

Change-Id: Ice57e62cbaec73a848639ed6de50434eac91a368
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607231
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. NeedsTriage
Projects
None yet
Development

No branches or pull requests

4 participants