[meta-virtualization] [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc

Bruce Ashfield bruce.ashfield at gmail.com
Tue Sep 3 10:40:25 PDT 2019


On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia at windriver.com> wrote:
>
> Backport a patch from upstream to fix CVE-2019-14271

Given the docker version bumps that Stefan posted earlier, is this
still required ?

Bruce

>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> ---
>  recipes-containers/docker/docker_git.bb            |  1 +
>  ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
>  2 files changed, 51 insertions(+)
>  create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>
> diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
> index e45f87e..e993017 100644
> --- a/recipes-containers/docker/docker_git.bb
> +++ b/recipes-containers/docker/docker_git.bb
> @@ -45,6 +45,7 @@ SRC_URI = "\
>         file://docker.init \
>         file://0001-libnetwork-use-GO-instead-of-go.patch \
>         file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
> +       file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
>         "
>
>  require docker.inc
> diff --git a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> new file mode 100644
> index 0000000..67ddd49
> --- /dev/null
> +++ b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> @@ -0,0 +1,50 @@
> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
> +From: Justin Cormack <justin.cormack at docker.com>
> +Date: Thu, 25 Jul 2019 15:24:39 +0100
> +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
> + libraries are loaded in the host environment not in the chroot from untrusted
> + files.
> +
> +See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
> +
> +Signed-off-by: Justin Cormack <justin.cormack at docker.com>
> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
> +Signed-off-by: Tibor Vass <tibor at docker.com>
> +
> +CVE: CVE-2019-14271
> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
> +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> +---
> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
> + 1 file changed, 9 insertions(+)
> +
> +diff --git a/src/import/pkg/chrootarchive/archive.go b/src/import/pkg/chrootarchive/archive.go
> +index 6ff61e6..83ed0c6 100644
> +--- a/src/import/pkg/chrootarchive/archive.go
> ++++ b/src/import/pkg/chrootarchive/archive.go
> +@@ -4,13 +4,22 @@ import (
> +       "fmt"
> +       "io"
> +       "io/ioutil"
> ++      "net"
> +       "os"
> ++      "os/user"
> +       "path/filepath"
> +
> +       "github.com/docker/docker/pkg/archive"
> +       "github.com/docker/docker/pkg/idtools"
> + )
> +
> ++func init() {
> ++      // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
> ++      // environment not in the chroot from untrusted files.
> ++      _, _ = user.Lookup("docker")
> ++      _, _ = net.LookupHost("localhost")
> ++}
> ++
> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
> + func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
> +       if idMapping == nil {
> +--
> +2.8.1
> +
> --
> 2.8.1
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


More information about the meta-virtualization mailing list