mirror of
https://github.com/moby/moby.git
synced 2026-06-30 19:58:03 +00:00
Move decompression outside RunInFS to prevent executing
attacker-controlled binaries from within the container filesystem.
When dockerd handles `PUT /containers/{id}/archive`, it switches root
into the container's filesystem before extracting the archive.
Previously, archive.Untar was called inside RunInFS, which meant
decompression binaries (xz, unpigz) were resolved via PATH inside the
container's filesystem. A malicious binary at /usr/bin/xz in the
container would be executed as host root.
Fix by decompressing the archive before entering the container
filesystem, then unpacking the uncompressed tar stream inside
RunInFS.
This ensures decompression binaries are always resolved from the host
filesystem.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
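The ordering the commit message describes, as an added Go example that is not moby's own code: `rootedLookPath` models what PATH lookup sees once a process has entered a container root (every PATH entry is resolved beneath that root, so a container-supplied `usr/bin/xz` wins), `decompressOnHost` does the decompression with the Go standard library before any filesystem switch, and `untarInto` is the only step that runs against the container root and it merely reads bytes. The function names, the in-memory sample archive and the absence of a real chroot are all assumptions made for the example; `putArchive` is a stand-in for the handler, not dockerd's.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// rootedLookPath resolves an executable name against pathEnv with every
// PATH entry interpreted relative to root. This is a constructed model of
// what os/exec.LookPath sees after chrooting into root: a helper such as xz
// or unpigz is found in the container's filesystem, not the host's.
func rootedLookPath(root, pathEnv, name string) (string, error) {
	for _, dir := range filepath.SplitList(pathEnv) {
		candidate := filepath.Join(root, dir, name)
		fi, err := os.Stat(candidate)
		if err == nil && !fi.IsDir() && fi.Mode()&0o111 != 0 {
			return candidate, nil
		}
	}
	return "", fmt.Errorf("%s: executable not found under %s", name, root)
}

// decompressOnHost turns a gzip stream into a plain tar stream using only the
// standard library, so no helper binary is spawned at all. It runs before the
// container filesystem is entered (constructed stand-in for the fix's first step).
func decompressOnHost(compressed io.Reader) (io.Reader, error) {
	return gzip.NewReader(compressed)
}

// untarInto writes an uncompressed tar stream under dest, rejecting entries
// that would escape it. This is the step that belongs inside the container
// root: it reads bytes and creates files, and never resolves or executes anything.
func untarInto(dest string, tarStream io.Reader) error {
	cleanDest := filepath.Clean(dest)
	tr := tar.NewReader(tarStream)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		target := filepath.Join(cleanDest, hdr.Name)
		if !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
			return fmt.Errorf("entry %q escapes destination", hdr.Name)
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			if err := os.MkdirAll(target, 0o755); err != nil {
				return err
			}
		case tar.TypeReg:
			if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
				return err
			}
			f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode)&0o777)
			if err != nil {
				return err
			}
			if _, err := io.Copy(f, tr); err != nil {
				f.Close()
				return err
			}
			f.Close()
		}
	}
}

// putArchive models the fixed ordering: decompress with host resources first,
// then hand the plain tar stream to the step that works inside containerRoot.
func putArchive(containerRoot string, compressed io.Reader) error {
	plain, err := decompressOnHost(compressed)
	if err != nil {
		return err
	}
	return untarInto(containerRoot, plain)
}

// makeGzippedTar builds a constructed gzip-compressed tar archive in memory.
func makeGzippedTar(files map[string]string) ([]byte, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, body := range files {
		hdr := &tar.Header{Name: name, Mode: 0o644, Size: int64(len(body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write([]byte(body)); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	if err := gz.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	root, _ := os.MkdirTemp("", "ctr-root")
	defer os.RemoveAll(root)
	data, _ := makeGzippedTar(map[string]string{"etc/motd": "hello\n"})
	fmt.Println("putArchive:", putArchive(root, bytes.NewReader(data)))
	_, err := rootedLookPath(root, "/usr/bin", "xz")
	fmt.Println("xz under container root:", err)
}
```

The test in the accompanying file plants an `xz` under both a host-like and a container-like root and shows that resolution rooted at the container directory returns the container's copy, which is exactly why the helper must be chosen before the root switch.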