[meta-virtualization] [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc
Hongxu Jia
hongxu.jia at windriver.com
Tue Sep 3 01:01:00 PDT 2019
Backport a patch from upstream to fix CVE-2019-14271
Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
recipes-containers/docker/docker_git.bb | 1 +
...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
2 files changed, 51 insertions(+)
create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
index e45f87e..e993017 100644
--- a/recipes-containers/docker/docker_git.bb
+++ b/recipes-containers/docker/docker_git.bb
@@ -45,6 +45,7 @@ SRC_URI = "\
file://docker.init \
file://0001-libnetwork-use-GO-instead-of-go.patch \
file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
+ file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
"
require docker.inc
diff --git a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
new file mode 100644
index 0000000..67ddd49
--- /dev/null
+++ b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
@@ -0,0 +1,50 @@
+From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
+From: Justin Cormack <justin.cormack at docker.com>
+Date: Thu, 25 Jul 2019 15:24:39 +0100
+Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
+ libraries are loaded in the host environment not in the chroot from untrusted
+ files.
+
+See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
+
+Signed-off-by: Justin Cormack <justin.cormack at docker.com>
+(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
+Signed-off-by: Tibor Vass <tibor at docker.com>
+
+CVE: CVE-2019-14271
+Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
+Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
+---
+ src/import/pkg/chrootarchive/archive.go | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/import/pkg/chrootarchive/archive.go b/src/import/pkg/chrootarchive/archive.go
+index 6ff61e6..83ed0c6 100644
+--- a/src/import/pkg/chrootarchive/archive.go
++++ b/src/import/pkg/chrootarchive/archive.go
+@@ -4,13 +4,22 @@ import (
+ "fmt"
+ "io"
+ "io/ioutil"
++ "net"
+ "os"
++ "os/user"
+ "path/filepath"
+
+ "github.com/docker/docker/pkg/archive"
+ "github.com/docker/docker/pkg/idtools"
+ )
+
++func init() {
++ // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
++ // environment not in the chroot from untrusted files.
++ _, _ = user.Lookup("docker")
++ _, _ = net.LookupHost("localhost")
++}
++
+ // NewArchiver returns a new Archiver which uses chrootarchive.Untar
+ func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
+ if idMapping == nil {
+--
+2.8.1
+
--
2.8.1
More information about the meta-virtualization
mailing list