[meta-virtualization] [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc

akuster808 akuster808 at gmail.com
Tue Sep 3 11:28:44 PDT 2019



On 9/3/19 10:40 AM, Bruce Ashfield wrote:
> On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia at windriver.com> wrote:
>> Backport a patch from upstream to fix CVE-2019-14271
> Given the docker version bumps that Stefan posted earlier, is this
> still required?
What about stable branches? Can this be reused for any of them?

- armin
>
> Bruce
>
>> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>> ---
>>  recipes-containers/docker/docker_git.bb            |  1 +
>>  ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
>>  2 files changed, 51 insertions(+)
>>  create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>
>> diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
>> index e45f87e..e993017 100644
>> --- a/recipes-containers/docker/docker_git.bb
>> +++ b/recipes-containers/docker/docker_git.bb
>> @@ -45,6 +45,7 @@ SRC_URI = "\
>>         file://docker.init \
>>         file://0001-libnetwork-use-GO-instead-of-go.patch \
>>         file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
>> +       file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
>>         "
>>
>>  require docker.inc
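Review bot: the new SRC_URI entry is tied to the docker revision this recipe currently pins, so if the version bumps discussed upthread land first this line should be dropped rather than carried along; the upstream fix (commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b, cherry-picked as a316b10dab79d9298b02c7930958ed52e0ccf4e4 per the patch header) would then already be in the source and the backport would fail to apply or be redundant.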
>> diff --git a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>> new file mode 100644
>> index 0000000..67ddd49
>> --- /dev/null
>> +++ b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>> @@ -0,0 +1,50 @@
>> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
>> +From: Justin Cormack <justin.cormack at docker.com>
>> +Date: Thu, 25 Jul 2019 15:24:39 +0100
>> +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
>> + libraries are loaded in the host environment not in the chroot from untrusted
>> + files.
>> +
>> +See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>> +
>> +Signed-off-by: Justin Cormack <justin.cormack at docker.com>
>> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
>> +Signed-off-by: Tibor Vass <tibor at docker.com>
>> +
>> +CVE: CVE-2019-14271
>> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
>> +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>> +---
>> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
>> + 1 file changed, 9 insertions(+)
>> +
>> +diff --git a/src/import/pkg/chrootarchive/archive.go b/src/import/pkg/chrootarchive/archive.go
>> +index 6ff61e6..83ed0c6 100644
>> +--- a/src/import/pkg/chrootarchive/archive.go
>> ++++ b/src/import/pkg/chrootarchive/archive.go
>> +@@ -4,13 +4,22 @@ import (
>> +       "fmt"
>> +       "io"
>> +       "io/ioutil"
>> ++      "net"
>> +       "os"
>> ++      "os/user"
>> +       "path/filepath"
>> +
>> +       "github.com/docker/docker/pkg/archive"
>> +       "github.com/docker/docker/pkg/idtools"
>> + )
>> +
>> ++func init() {
>> ++      // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
>> ++      // environment not in the chroot from untrusted files.
>> ++      _, _ = user.Lookup("docker")
>> ++      _, _ = net.LookupHost("localhost")
>> ++}
>> ++
>> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
>> + func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
>> +       if idMapping == nil {
>> +--
>> +2.8.1
>> +
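Review bot: the `init()` in archive.go deliberately discards the results of `user.Lookup("docker")` and `net.LookupHost("localhost")` with `_, _ =`, but the comment only explains the goal, not why failure is acceptable; it should state that the lookups exist purely for their side effect of making glibc load its NSS modules from the host before any chroot is entered, so a missing "docker" user or an unavailable resolver is fine. A sentence noting that this relies on `init()` running at package load, i.e. before chrootarchive's functions chroot into untrusted image content, would also make the ordering assumption explicit for future readers. Suggested comment:
`// The return values are intentionally ignored: we only want the side effect of`
`// glibc loading libnss_* from the host, before any chroot is performed.`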
>> --
>> 2.8.1
>>
>