[meta-virtualization] [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc
Bruce Ashfield
bruce.ashfield at gmail.com
Tue Sep 3 10:40:25 PDT 2019
On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia at windriver.com> wrote:
>
> Backport a patch from upstream to fix CVE-2019-14271
Given the docker version bumps that Stefan posted earlier, is this
still required ?
Bruce
>
> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> ---
> recipes-containers/docker/docker_git.bb | 1 +
> ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
> 2 files changed, 51 insertions(+)
> create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>
> diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
> index e45f87e..e993017 100644
> --- a/recipes-containers/docker/docker_git.bb
> +++ b/recipes-containers/docker/docker_git.bb
> @@ -45,6 +45,7 @@ SRC_URI = "\
> file://docker.init \
> file://0001-libnetwork-use-GO-instead-of-go.patch \
> file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
> + file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
> "
>
> require docker.inc
> diff --git a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> new file mode 100644
> index 0000000..67ddd49
> --- /dev/null
> +++ b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> @@ -0,0 +1,50 @@
> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
> +From: Justin Cormack <justin.cormack at docker.com>
> +Date: Thu, 25 Jul 2019 15:24:39 +0100
> +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
> + libraries are loaded in the host environment not in the chroot from untrusted
> + files.
> +
> +See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
> +
> +Signed-off-by: Justin Cormack <justin.cormack at docker.com>
> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
> +Signed-off-by: Tibor Vass <tibor at docker.com>
> +
> +CVE: CVE-2019-14271
> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
> +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> +---
> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
> + 1 file changed, 9 insertions(+)
> +
> +diff --git a/src/import/pkg/chrootarchive/archive.go b/src/import/pkg/chrootarchive/archive.go
> +index 6ff61e6..83ed0c6 100644
> +--- a/src/import/pkg/chrootarchive/archive.go
> ++++ b/src/import/pkg/chrootarchive/archive.go
> +@@ -4,13 +4,22 @@ import (
> + "fmt"
> + "io"
> + "io/ioutil"
> ++ "net"
> + "os"
> ++ "os/user"
> + "path/filepath"
> +
> + "github.com/docker/docker/pkg/archive"
> + "github.com/docker/docker/pkg/idtools"
> + )
> +
> ++func init() {
> ++ // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
> ++ // environment not in the chroot from untrusted files.
> ++ _, _ = user.Lookup("docker")
> ++ _, _ = net.LookupHost("localhost")
> ++}
> ++
> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
> + func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
> + if idMapping == nil {
> +--
> +2.8.1
> +
> --
> 2.8.1
>
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
More information about the meta-virtualization
mailing list