[meta-virtualization] [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc

Hongxu Jia hongxu.jia at windriver.com
Tue Sep 3 19:02:50 PDT 2019


On 9/4/19 2:28 AM, akuster808 wrote:
>
> On 9/3/19 10:40 AM, Bruce Ashfield wrote:
>> On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia at windriver.com> wrote:
>>> Backport a patch from upstream to fix CVE-2019-14271
>> Given the docker version bumps that Stefan posted earlier, is this
>> still required ?
In Stefan's upgraded patch earlier, it switched from moby:master to engine:19.03,

I found the upgraded version contains the patch:

commit fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
Author: Justin Cormack <justin.cormack at docker.com>
Date:   Thu Jul 25 15:24:39 2019 +0100

    Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
    environment not in the chroot from untrusted files.

     See also OpenVZ 
https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234

     Signed-off-by: Justin Cormack <justin.cormack at docker.com>
     (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
     Signed-off-by: Tibor Vass <tibor at docker.com>

$ git branch -r --contains fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
   origin/19.03

If Stefan's patch is accepted, please ignore this one.

//Hongxu

> What about stable branches? can this be reused for any of them?

I am afraid it exists on the master branch only.

jia at pek-lpg-core1-vm2:/buildarea1/hjia/community/moby$ git branch -r --contains a316b10dab79d9298b02c7930958ed52e0ccf4e4
   origin/HEAD -> origin/master
   origin/master

> - armin
>> Bruce
>>
>>> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>> ---
>>>   recipes-containers/docker/docker_git.bb            |  1 +
>>>   ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
>>>   2 files changed, 51 insertions(+)
>>>   create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>
>>> diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
>>> index e45f87e..e993017 100644
>>> --- a/recipes-containers/docker/docker_git.bb
>>> +++ b/recipes-containers/docker/docker_git.bb
>>> @@ -45,6 +45,7 @@ SRC_URI = "\
>>>          file://docker.init \
>>>          file://0001-libnetwork-use-GO-instead-of-go.patch \
>>>          file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
>>> +       file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
>>>          "
>>>
>>>   require docker.inc
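Review bot: the added `file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \` entry is indented one column less than the surrounding SRC_URI entries (seven spaces after the `+` against eight in the context lines such as `file://docker.init \`); align it with its neighbours. As the thread points out, this entry and the patch file it names become redundant once the recipe moves to engine:19.03, which already carries the fix as commit fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b, so if Stefan's version bump is taken this hunk should be dropped rather than merged.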
>>> diff --git a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>> new file mode 100644
>>> index 0000000..67ddd49
>>> --- /dev/null
>>> +++ b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>> @@ -0,0 +1,50 @@
>>> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
>>> +From: Justin Cormack <justin.cormack at docker.com>
>>> +Date: Thu, 25 Jul 2019 15:24:39 +0100
>>> +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
>>> + libraries are loaded in the host environment not in the chroot from untrusted
>>> + files.
>>> +
>>> +See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>>> +
>>> +Signed-off-by: Justin Cormack <justin.cormack at docker.com>
>>> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
>>> +Signed-off-by: Tibor Vass <tibor at docker.com>
>>> +
>>> +CVE: CVE-2019-14271
>>> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
>>> +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>> +---
>>> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
>>> + 1 file changed, 9 insertions(+)
>>> +
>>> +diff --git a/src/import/pkg/chrootarchive/archive.go b/src/import/pkg/chrootarchive/archive.go
>>> +index 6ff61e6..83ed0c6 100644
>>> +--- a/src/import/pkg/chrootarchive/archive.go
>>> ++++ b/src/import/pkg/chrootarchive/archive.go
>>> +@@ -4,13 +4,22 @@ import (
>>> +       "fmt"
>>> +       "io"
>>> +       "io/ioutil"
>>> ++      "net"
>>> +       "os"
>>> ++      "os/user"
>>> +       "path/filepath"
>>> +
>>> +       "github.com/docker/docker/pkg/archive"
>>> +       "github.com/docker/docker/pkg/idtools"
>>> + )
>>> +
>>> ++func init() {
>>> ++      // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
>>> ++      // environment not in the chroot from untrusted files.
>>> ++      _, _ = user.Lookup("docker")
>>> ++      _, _ = net.LookupHost("localhost")
>>> ++}
>>> ++
>>> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
>>> + func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
>>> +       if idMapping == nil {
>>> +--
>>> +2.8.1
>>> +
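Review bot: the header cites two different upstream hashes without naming a repository, `Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]` and `(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)`; state which tree each one belongs to (the thread shows a316b10 on moby's origin/master) so the backport can be verified against the recipe's actual SRC_URI source. In the Go hunk, the comment above `init()` gives the goal but not the two assumptions the mitigation rests on: that `user.Lookup("docker")` and `net.LookupHost("localhost")` are resolved through glibc's NSS (the cgo path) rather than Go's own resolver, since a lookup that never reaches glibc loads no NSS module, and that the results and errors are deliberately discarded with `_, _ =` because only the side effect of loading the modules in the host root before any chroot matters. Recording both in the comment would keep a future cleanup from "simplifying" the calls away.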
>>> --
>>> 2.8.1
>>>
>


