| id: GO-TEST-ID |
| modules: |
| - module: github.com/moby/moby |
| versions: |
| - fixed: 20.10.20+incompatible |
| vulnerable_at: 20.10.19+incompatible |
| summary: Container build can leak any path on the host into the container |
| description: |- |
| ### Description |
| |
| Moby is the open source Linux container runtime and set of components used to |
| build a variety of downstream container runtimes, including Docker CE, Mirantis |
| Container Runtime (formerly Docker EE), and Docker Desktop. Moby allows for |
| building container images using a set of build instructions (usually named and |
| referred to as a "Dockerfile"), and a build context, which is not unlike the CWD |
| in which the Dockerfile instructions are executed. |
| |
| Containers may be built using a variety of tools and build backends available in |
| the Moby ecosystem; in all cases, builds may not include files outside of the |
| build context (such as using absolute or relative-parent paths). This is |
| enforced through both checks in the build backends, and the containerization of |
| the build process itself. |
| |
| Versions of Git where CVE-2022-39253 is present and exploited by a malicious |
| repository, when used in combination with Moby, are subject to an unexpected |
| inclusion of arbitrary filesystem paths in the build context, without any |
| visible warning to the user. |
| |
| This issue was originally reported by Wenxiang Qian of Tencent Blade Team, and |
| the root-cause analysis was performed by Cory Snider of Mirantis, with |
| assistance from Bjorn Neergaard of the same. The issue was then reported to the |
| Git project, and Taylor Blau led the process resolving the root issue in Git. |
| |
| ### Impact |
| |
| This vulnerability originates in Git, but can be used to violate assumptions |
| that may have security implications for users of Moby and related components. |
| Users may rely on the fact that a build context ensures that outside files |
| cannot be referenced or incorporated using multiple enforcement mechanisms, or |
| expect a warning if this does not hold true. A maliciously crafted Git |
| repository exploiting CVE-2022-39253 can violate this assumption, and |
| potentially include sensitive files that are subsequently uploaded to a |
| container image repository, or disclosed by code inside the resulting container |
| image. |
| |
| As this issue cannot be triggered remotely, except by users who already have |
| full control over the daemon through the API, and it requires exploiting a |
| vulnerability in Git by convincing a user to build a maliciously crafted |
| repository, the impact in Moby is considered low. |
| |
| ### Patches |
| |
| Moby 20.10.20, and Mirantis Container Runtime (formerly Docker Enterprise |
| Edition) 20.10.14 will contain mitigations for CVE-2022-39253 when a Git clone |
| is performed by Moby components (on either the daemon or API client side). |
| However, as these mitigations only apply to certain scenarios (build of |
| `git+<protocol>://...` URL contexts) and cannot protect against a malicious |
| repository already on disk, users should update to a version of Git containing |
| patches for CVE-2022-39253 on all their systems running both API clients and |
| daemons. |
| |
| Specifically, patches in Moby (including patches incorporated from BuildKit) |
| protect against the following: |
| |
| * `docker build` with the legacy builder (e.g. `DOCKER_BUILDKIT` unset or set to |
| 0) of a Git URL context. Note that depending on available API versions and the |
| CLI version, the Git clone operation can take place on either the client or the |
| daemon side. Both must be updated (or have Git updated) to fully protect this |
| build method. |
| * `docker build` with the BuildKit builder (e.g. `DOCKER_BUILDKIT=1`) of a Git |
| URL context. |
| * `docker buildx build` with `BUILDKIT_CONTEXT_KEEP_GIT_DIR=1` of a Git URL |
| context. |
| |
| Patches in BuildKit incorporated into Docker Compose protect against |
| CVE-2022-39253 during Compose-driven builds of Git URL contexts. |
| |
| Patches in Moby and related projects such as BuildKit, the Docker CLI, and |
| Docker Compose **cannot** fully protect against CVE-2022-39253, as it may be |
| triggered by a malicious repository already on disk that a unpatched Git client |
| has interacted with (specifically, commands that check out submodules such as |
| `git clone --recursive`, `git submodule update`, etc. may have already triggered |
| the Git vulnerability). |
| |
| ### Workarounds |
| |
| While this behavior is unexpected and undesirable, and has resulted in this |
| security advisory, users should keep in mind that building a container entails |
| arbitrary code execution. Users should not build a repository/build context they |
| do not trust, as containerization cannot protect against all possible attacks. |
| |
| When building with BuildKit (e.g. `docker buildx build` or `docker build` with |
| `DOCKER_BUILDKIT=1`), this issue cannot be exploited unless `--build-arg |
| BUILDKIT_CONTEXT_KEEP_GIT_DIR=1` was also passed, as by default BuildKit will |
| discard the `.git` directory of a Git URL context immediately after cloning and |
| checking out the repository. |
| |
| ### For more information |
| |
| If you have any questions or comments about this advisory: |
| |
| * [Open an issue](https://github.com/moby/moby/issues/new) |
| * Email us at [security@docker.com](mailto:security@docker.com) |
| ghsas: |
| - GHSA-vp35-85q5-9f25 |
| references: |
| - web: https://github.com/moby/moby/security/advisories/GHSA-vp35-85q5-9f25 |
| - web: https://github.blog/2022-10-17-git-security-vulnerabilities-announced/ |
| - package: https://github.com/moby/moby |
| - web: https://github.com/moby/moby/releases/tag/v20.10.20 |
| - web: https://lore.kernel.org/git/xmqq4jw1uku5.fsf@gitster.g/T/#u |
| notes: |
| - 'lint: redundant non-advisory reference to GHSA-vp35-85q5-9f25' |