[meta-virtualization] [sumo] [PATCH v1] docker: CVE-2018-10892
Bruce Ashfield
bruce.ashfield at gmail.com
Tue Oct 9 20:20:48 PDT 2018
Your patch is coming through corrupted:
----
Applying: docker: CVE-2018-10892
/home/bruce/poky/meta-virtualization/.git/rebase-apply/patch:44:
trailing whitespace.
Upstream-Status: Backport
fatal: corrupt patch at line 45
Patch failed at 0001 docker: CVE-2018-10892
The copy of the patch that failed is found in:
/home/bruce/poky/meta-virtualization/.git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
----
Check your MTA and how you are sending the patch to the list.
Bruce
On Fri, Oct 5, 2018 at 12:33 PM Sinan Kaya <okaya at kernel.org> wrote:
>
> * CVE-2018-10892
> Docker does not block /proc/acpi pathnames. The flaw allows an attacker to
> modify host's hardware like enabling/disabling Bluetooth or turning up/down
> keyboard brightness.
>
> Affects < 18.03.01
>
> CVE: CVE-2018-10892
> Ref: https://access.redhat.com/security/cve/cve-2018-10892
> Signed-off-by: Sinan Kaya <okaya at kernel.org>
> ---
> recipes-containers/docker/docker_git.bb | 2 ++
> .../docker/files/CVE-2018-10892.patch | 34 +++++++++++++++++++
> 2 files changed, 36 insertions(+)
> create mode 100644 recipes-containers/docker/files/CVE-2018-10892.patch
>
> diff --git a/recipes-containers/docker/docker_git.bb
> b/recipes-containers/docker/docker_git.bb
> index e055a4f..7c7bd4c 100644
> --- a/recipes-containers/docker/docker_git.bb
> +++ b/recipes-containers/docker/docker_git.bb
> @@ -30,6 +30,8 @@ SRC_URI = "\
> file://0001-libnetwork-use-GO-instead-of-go.patch \
> "
>
> +SRC_URI_append_docker += "CVE-2018-10892.patch"
> +
> # Apache-2.0 for docker
> LICENSE = "Apache-2.0"
> LIC_FILES_CHKSUM =
> "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"
> diff --git a/recipes-containers/docker/files/CVE-2018-10892.patch
> b/recipes-containers/docker/files/CVE-2018-10892.patch
> new file mode 100644
> index 0000000..60d0496
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2018-10892.patch
> @@ -0,0 +1,34 @@
> +From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
> +From: Antonio Murdaca <runcom at redhat.com>
> +Date: Thu, 5 Jul 2018 17:06:08 +0200
> +Subject: [PATCH] Add /proc/acpi to masked paths
> +
> +The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
> +from 1.11 to current upstream master does not block /proc/acpi pathnames
> +allowing attackers to modify host's hardware like enabling/disabling
> +bluetooth or turning up/down keyboard brightness. SELinux prevents all
> +of this if enabled.
> +
> +Signed-off-by: Antonio Murdaca <runcom at redhat.com>
> +CVE: CVE-2018-10892
> +Upstream-Status: Backport
> [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
> +Signed-off-by: Sinan Kaya<okaya at kernel.org>
> +---
> + oci/defaults.go | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/oci/defaults.go b/oci/defaults.go
> +index 4145412dd..992157b0f 100644
> +--- a/oci/defaults.go
> ++++ b/oci/defaults.go
> +@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
> +
> + s.Linux = &specs.Linux{
> + MaskedPaths: []string{
> ++ "/proc/acpi",
> + "/proc/kcore",
> + "/proc/keys",
> + "/proc/latency_stats",
> +--
> +2.19.0
> +
> --
> 2.19.0
>
> --
> _______________________________________________
> meta-virtualization mailing list
> meta-virtualization at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-virtualization
--
"Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end"
More information about the meta-virtualization
mailing list