|
| 1 | +From 41dca27cb53bca3c9255287f53e241b9d3bfd7de Mon Sep 17 00:00:00 2001 |
| 2 | +From: Peter Hunt~ <pehunt@redhat.com> |
| 3 | +Date: Wed, 14 Dec 2022 18:15:50 -0500 |
| 4 | +Subject: [PATCH] server: fail if HOME variable has a newline |
| 5 | + |
| 6 | +to prevent CVE-2022-4318 |
| 7 | + |
| 8 | +Signed-off-by: Peter Hunt~ <pehunt@redhat.com> |
| 9 | +--- |
| 10 | + server/container_create.go | 3 +++ |
| 11 | + test/ctr.bats | 8 ++++++++ |
| 12 | + 2 files changed, 11 insertions(+) |
| 13 | + |
| 14 | +diff --git a/server/container_create.go b/server/container_create.go |
| 15 | +index fb835b0..d07e2f1 100644 |
| 16 | +--- a/server/container_create.go |
| 17 | ++++ b/server/container_create.go |
| 18 | +@@ -196,6 +196,9 @@ func setupContainerUser(ctx context.Context, specgen *generate.Generator, rootfs |
| 19 | + for _, env := range specgen.Config.Process.Env { |
| 20 | + if strings.HasPrefix(env, "HOME=") { |
| 21 | + homedir = strings.TrimPrefix(env, "HOME=") |
| 22 | ++ if idx := strings.Index(homedir, `\n`); idx > -1 { |
| 23 | ++ return fmt.Errorf("invalid HOME environment; newline not allowed") |
| 24 | ++ } |
| 25 | + break |
| 26 | + } |
| 27 | + } |
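Review bot: The guard added inside the `HOME=` branch passes a raw (backtick) string literal to `strings.Index`, and Go does not unescape raw literals, so it matches the two-character sequence backslash + `n` rather than an actual line-feed byte (0x0A). As written, a HOME value carrying a real newline or carriage return would pass the check. Whether such a value can reach this point, and how `homedir` is consumed afterwards, is not visible here because setupContainerUser starts and ends outside the hunk, so this should be confirmed against the caller and the code that uses `homedir`. I would reject both forms in one condition, `if strings.ContainsAny(homedir, "\r\n") || strings.Contains(homedir, "\\n") {`, which also drops the unused `idx`. A one-line comment such as `// reject literal and escaped line breaks in HOME (CVE-2022-4318)` would record why both are checked.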
| 28 | +diff --git a/test/ctr.bats b/test/ctr.bats |
| 29 | +index 67f941f..9c48149 100644 |
| 30 | +--- a/test/ctr.bats |
| 31 | ++++ b/test/ctr.bats |
| 32 | +@@ -938,3 +938,11 @@ function check_oci_annotation() { |
| 33 | + pod_id=$(crictl runp "$TESTDATA"/sandbox_config.json) |
| 34 | + ! crictl create "$pod_id" "$TESTDIR/config" "$TESTDATA"/sandbox_config.json |
| 35 | + } |
| 36 | ++ |
| 37 | ++@test "ctr HOME env newline invalid" { |
| 38 | ++ start_crio |
| 39 | ++ jq ' .envs = [{"key": "HOME=", "value": "/root:/sbin/nologin\\ntest::0:0::/:/bin/bash"}]' \ |
| 40 | ++ "$TESTDATA"/container_config.json > "$newconfig" |
| 41 | ++ |
| 42 | ++ ! crictl run "$newconfig" "$TESTDATA"/sandbox_config.json |
| 43 | ++} |
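Review bot: The closing `! crictl run ...` passes on any non-zero exit, so the test cannot tell a rejection by the new HOME validation from an unrelated failure such as a malformed config; the key written as `HOME=` with a trailing `=` looks unusual and may be worth double-checking. The jq value uses `\\n`, which produces the literal backslash-n sequence, so only the escaped form is exercised and a value with a real line-feed character is not covered. Consider asserting on the reason, e.g. `run crictl run "$newconfig" "$TESTDATA"/sandbox_config.json`, then `[ "$status" -ne 0 ]` and `[[ "$output" == *"newline not allowed"* ]]` (assuming crictl surfaces the server's error text), and adding a second case with an actual newline in the value. `$newconfig` is not assigned in this hunk, so it presumably comes from the file's shared setup.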
| 44 | +-- |
| 45 | +2.25.1 |
| 46 | + |