High severity · NVD Advisory · Published Dec 12, 2014 · Updated May 6, 2026
CVE-2014-6407
Description
Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation. In other words, a crafted image archive containing a symlink or hard link that points outside the extraction directory causes the daemon to write through that link to a path on the host while extracting the image during pull or load.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/docker/docker (Go) | < 1.3.2 | 1.3.2 |
Affected products
3 patches (one listed below)
1. 3ac6394b8082 — pkg/chrootarchive: pass TarOptions via CLI arg
5 files changed · +58 −4
builder/internals.go+0 −1 modified@@ -48,7 +48,6 @@ func (b *Builder) readContext(context io.Reader) error { return err } - os.MkdirAll(tmpdirPath, 0700) if err := chrootarchive.Untar(b.context, tmpdirPath, nil); err != nil { return err }
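Review bot: Removing `os.MkdirAll(tmpdirPath, 0700)` changes who creates the build-context directory and with what mode: chrootarchive.Untar creates a missing `dest` with `os.MkdirAll(dest, 0777)` (pkg/chrootarchive/archive.go in this same commit), so if tmpdirPath does not already exist it now comes into being world-accessible modulo the daemon's umask instead of owner-only. If the lines just above this hunk already created tmpdirPath (e.g. via ioutil.TempDir, which uses 0700) the MkdirAll was a no-op and the removal is harmless, but that cannot be confirmed here — readContext starts before this hunk and continues after it. Either keep the explicit `os.MkdirAll(tmpdirPath, 0700)` as a belt-and-braces guard, or add a comment at the call site stating that tmpdirPath is guaranteed to exist with a restrictive mode so that nobody later relies on Untar's 0777 fallback.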
graph/load.go+2 −1 modified@@ -10,6 +10,7 @@ import ( "github.com/docker/docker/engine" "github.com/docker/docker/image" "github.com/docker/docker/pkg/archive" + "github.com/docker/docker/pkg/chrootarchive" "github.com/docker/docker/pkg/log" ) @@ -53,7 +54,7 @@ func (s *TagStore) CmdLoad(job *engine.Job) engine.Status { excludes[i] = k i++ } - if err := archive.Untar(repoFile, repoDir, &archive.TarOptions{Excludes: excludes}); err != nil { + if err := chrootarchive.Untar(repoFile, repoDir, &archive.TarOptions{Excludes: excludes}); err != nil { return job.Error(err) }
pkg/chrootarchive/archive.go+16 −2 modified@@ -1,11 +1,14 @@ package chrootarchive import ( + "bytes" + "encoding/json" "flag" "fmt" "io" "os" "runtime" + "strings" "syscall" "github.com/docker/docker/pkg/archive" @@ -22,7 +25,12 @@ func untar() { if err := syscall.Chdir("/"); err != nil { fatal(err) } - if err := archive.Untar(os.Stdin, "/", nil); err != nil { + options := new(archive.TarOptions) + dec := json.NewDecoder(strings.NewReader(flag.Arg(1))) + if err := dec.Decode(options); err != nil { + fatal(err) + } + if err := archive.Untar(os.Stdin, "/", options); err != nil { fatal(err) } os.Exit(0) @@ -33,12 +41,18 @@ var ( ) func Untar(archive io.Reader, dest string, options *archive.TarOptions) error { + var buf bytes.Buffer + enc := json.NewEncoder(&buf) + if err := enc.Encode(options); err != nil { + return fmt.Errorf("Untar json encode: %v", err) + } if _, err := os.Stat(dest); os.IsNotExist(err) { if err := os.MkdirAll(dest, 0777); err != nil { return err } } - cmd := reexec.Command("docker-untar", dest) + + cmd := reexec.Command("docker-untar", dest, buf.String()) cmd.Stdin = archive out, err := cmd.CombinedOutput() if err != nil {
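Review bot: The JSON-encoded `TarOptions` now ride on the helper's argv (`reexec.Command("docker-untar", dest, buf.String())`), which makes them readable by every local user through `/proc/<pid>/cmdline` and bounds them by the kernel's per-argument length limit; today the payload is only an exclude list, but any field later added to TarOptions inherits both properties, so Untar deserves a comment such as `// options are JSON-encoded onto the helper's argv: keep TarOptions small and free of anything sensitive`. In `untar()`, `json.Unmarshal([]byte(flag.Arg(1)), options)` is simpler than a Decoder over a strings.Reader and, unlike Decoder.Decode, rejects trailing bytes after the first JSON value. `flag.Arg(1)` also presupposes `flag.Parse()` has run, which is not visible here — untar() begins before this hunk. Note that a `nil` options from a caller (builder/internals.go passes nil) encodes as `null`, which Decode leaves as a zero-value TarOptions, matching the previous hard-coded nil.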
pkg/chrootarchive/archive_test.go+39 −0 added@@ -0,0 +1,39 @@ +package chrootarchive + +import ( + "io/ioutil" + "os" + "path/filepath" + "testing" + + "github.com/docker/docker/pkg/archive" +) + +func TestChrootTarUntar(t *testing.T) { + tmpdir, err := ioutil.TempDir("", "docker-TestChrootTarUntar") + if err != nil { + t.Fatal(err) + } + defer os.RemoveAll(tmpdir) + src := filepath.Join(tmpdir, "src") + if err := os.MkdirAll(src, 0700); err != nil { + t.Fatal(err) + } + if err := ioutil.WriteFile(filepath.Join(src, "toto"), []byte("hello toto"), 0644); err != nil { + t.Fatal(err) + } + if err := ioutil.WriteFile(filepath.Join(src, "lolo"), []byte("hello lolo"), 0644); err != nil { + t.Fatal(err) + } + stream, err := archive.Tar(src, archive.Uncompressed) + if err != nil { + t.Fatal(err) + } + dest := filepath.Join(tmpdir, "src") + if err := os.MkdirAll(dest, 0700); err != nil { + t.Fatal(err) + } + if err := Untar(stream, dest, &archive.TarOptions{Excludes: []string{"lolo"}}); err != nil { + t.Fatal(err) + } +}
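Review bot: `dest := filepath.Join(tmpdir, "src")` is the same directory as `src`, so the archive is extracted back over its own source, the following `os.MkdirAll(dest, 0700)` is a no-op, and nothing afterwards checks that `toto` arrived or that the `lolo` exclude took effect — the test passes as long as Untar returns nil. Pointing dest at a separate directory and asserting on both files makes it an actual test of the new option plumbing. If the helper really chroots into dest as the package name suggests (the chroot call itself is not in this diff), the test needs root or CAP_SYS_CHROOT and should `t.Skip` when `os.Geteuid() != 0` rather than fail on an unprivileged developer machine.
```go
	// … unchanged: tmpdir and src setup, archive.Tar(src, …) …
	dest := filepath.Join(tmpdir, "dest")
	if err := os.MkdirAll(dest, 0700); err != nil {
		t.Fatal(err)
	}
	if err := Untar(stream, dest, &archive.TarOptions{Excludes: []string{"lolo"}}); err != nil {
		t.Fatal(err)
	}
	if _, err := os.Stat(filepath.Join(dest, "toto")); err != nil {
		t.Fatalf("expected toto to be extracted: %v", err)
	}
	if _, err := os.Stat(filepath.Join(dest, "lolo")); !os.IsNotExist(err) {
		t.Fatalf("expected lolo to be excluded, got err=%v", err)
	}
```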
pkg/chrootarchive/init.go+1 −0 modified@@ -10,6 +10,7 @@ import ( func init() { reexec.Register("docker-untar", untar) reexec.Register("docker-applyLayer", applyLayer) + reexec.Init() } func fatal(err error) {
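Review bot: Calling `reexec.Init()` from a package `init()` ties helper dispatch to Go's package-initialisation order: if Init looks up a handler by `os.Args[0]` and runs it (the untar handler ends in `os.Exit(0)`), then only handlers registered by packages initialised before chrootarchive are reachable, and the rest of the daemon's initialisation never runs inside the helper process. That is presumably the intent, but it is non-obvious enough to deserve a comment on the line, e.g. `// Init dispatches to a registered handler when this process was re-exec'd by reexec.Command and exits; it must run before any other daemon init.` What Init actually does is not visible in this hunk, so confirm against pkg/reexec and adjust the wording if it is a no-op when no handler matches.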
References
16 references
- docs.docker.com/v1.3/release-notes/ (nvd — Vendor Advisory)
- github.com/advisories/GHSA-5qgp-p5jc-w2rm (ghsa — ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-6407 (ghsa — ADVISORY)
- docs.docker.com/v1.3/release-notes (ghsa — WEB)
- github.com/docker/docker/commit/3ac6394b8082d4700483d52fbfe54914be537d9e (ghsa — WEB)
- lists.fedoraproject.org/pipermail/package-announce/2014-December/145154.html (ghsa — WEB)
- lists.opensuse.org/opensuse-security-announce/2014-12/msg00009.html (ghsa — WEB)
- secunia.com/advisories/60171 (ghsa — WEB)
- secunia.com/advisories/60241 (ghsa — WEB)
- web.nvd.nist.gov/view/vuln/detail (ghsa — WEB)
- www.openwall.com/lists/oss-security/2014/11/24/5 (ghsa — WEB)
- lists.fedoraproject.org/pipermail/package-announce/2014-December/145154.html (nvd)
- lists.opensuse.org/opensuse-security-announce/2014-12/msg00009.html (nvd)
- secunia.com/advisories/60171 (nvd)
- secunia.com/advisories/60241 (nvd)
- www.openwall.com/lists/oss-security/2014/11/24/5 (nvd)