[meta-virtualization] [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc

akuster808 akuster808 at gmail.com
Tue Sep 3 19:44:27 PDT 2019



On 9/3/19 7:02 PM, Hongxu Jia wrote:
> On 9/4/19 2:28 AM, akuster808 wrote:
>>
>> On 9/3/19 10:40 AM, Bruce Ashfield wrote:
>>> On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia at windriver.com>
>>> wrote:
>>>> Backport a patch from upstream to fix CVE-2019-14271
>>> Given the docker version bumps that Stefan posted earlier, is this
>>> still required ?
> In Stefan's upgraded patch earlier, it switched from moby:master to
> engine:19.03,
>
> I found the upgraded version contains the patch
>
> commit fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
> Author: Justin Cormack <justin.cormack at docker.com>
> Date:   Thu Jul 25 15:24:39 2019 +0100
>
>     Initialize nss libraries in Glibc so that the dynamic libraries
> are loaded in the host
>     environment not in the chroot from untrusted files.
>
>     See also OpenVZ
> https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>
>     Signed-off-by: Justin Cormack <justin.cormack at docker.com>
>     (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
>     Signed-off-by: Tibor Vass <tibor at docker.com>
>
> $ git branch -r --contains fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
>   origin/19.03
>
> If Stefan's patch is accepted, please ignore this one
>
> //Hongxu
>
>> What about stable branches? Can this be reused for any of them?
>
> I am afraid it exists on the master branch only
OK. Thanks for checking.

- armin
>
> jia at pek-lpg-core1-vm2:/buildarea1/hjia/community/moby$ git branch -r
> --contains a316b10dab79d9298b02c7930958ed52e0ccf4e4
>   origin/HEAD -> origin/master
>   origin/master
>
>
>
>
>> - armin
>>> Bruce
>>>
>>>> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>>> ---
>>>>   recipes-containers/docker/docker_git.bb            |  1 +
>>>>   ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50
>>>> ++++++++++++++++++++++
>>>>   2 files changed, 51 insertions(+)
>>>>   create mode 100644
>>>> recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>>
>>>> diff --git a/recipes-containers/docker/docker_git.bb
>>>> b/recipes-containers/docker/docker_git.bb
>>>> index e45f87e..e993017 100644
>>>> --- a/recipes-containers/docker/docker_git.bb
>>>> +++ b/recipes-containers/docker/docker_git.bb
>>>> @@ -45,6 +45,7 @@ SRC_URI = "\
>>>>          file://docker.init \
>>>>          file://0001-libnetwork-use-GO-instead-of-go.patch \
>>>>          file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
>>>> +      
>>>> file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>> \
>>>>          "
>>>>
>>>>   require docker.inc
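Review bot: the new SRC_URI entry in this hunk has been split across three lines by mail wrapping (`+      `, then `file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch`, then `\`), so the patch as quoted will not apply with `git am`; the entry has to be a single line, `+        file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \`, indented like the surrounding `file://` entries.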
>>>> diff --git
>>>> a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>> b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>>
>>>> new file mode 100644
>>>> index 0000000..67ddd49
>>>> --- /dev/null
>>>> +++
>>>> b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>> @@ -0,0 +1,50 @@
>>>> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00
>>>> 2001
>>>> +From: Justin Cormack <justin.cormack at docker.com>
>>>> +Date: Thu, 25 Jul 2019 15:24:39 +0100
>>>> +Subject: [PATCH] Initialize nss libraries in Glibc so that the
>>>> dynamic
>>>> + libraries are loaded in the host environment not in the chroot
>>>> from untrusted
>>>> + files.
>>>> +
>>>> +See also OpenVZ
>>>> https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>>>> +
>>>> +Signed-off-by: Justin Cormack <justin.cormack at docker.com>
>>>> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
>>>> +Signed-off-by: Tibor Vass <tibor at docker.com>
>>>> +
>>>> +CVE: CVE-2019-14271
>>>> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
>>>> +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
>>>> +---
>>>> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
>>>> + 1 file changed, 9 insertions(+)
>>>> +
>>>> +diff --git a/src/import/pkg/chrootarchive/archive.go
>>>> b/src/import/pkg/chrootarchive/archive.go
>>>> +index 6ff61e6..83ed0c6 100644
>>>> +--- a/src/import/pkg/chrootarchive/archive.go
>>>> ++++ b/src/import/pkg/chrootarchive/archive.go
>>>> +@@ -4,13 +4,22 @@ import (
>>>> +       "fmt"
>>>> +       "io"
>>>> +       "io/ioutil"
>>>> ++      "net"
>>>> +       "os"
>>>> ++      "os/user"
>>>> +       "path/filepath"
>>>> +
>>>> +       "github.com/docker/docker/pkg/archive"
>>>> +       "github.com/docker/docker/pkg/idtools"
>>>> + )
>>>> +
>>>> ++func init() {
>>>> ++      // initialize nss libraries in Glibc so that the dynamic
>>>> libraries are loaded in the host
>>>> ++      // environment not in the chroot from untrusted files.
>>>> ++      _, _ = user.Lookup("docker")
>>>> ++      _, _ = net.LookupHost("localhost")
>>>> ++}
>>>> ++
>>>> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
>>>> + func NewArchiver(idMapping *idtools.IdentityMapping)
>>>> *archive.Archiver {
>>>> +       if idMapping == nil {
>>>> +--
>>>> +2.8.1
>>>> +
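Review bot: the patch header names two different upstream ids for the same change, `Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]` and `(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)`, with a third in the `From` line (`b688546c...`); the Upstream-Status tag should cite the commit the diff was actually taken from and say which branch carries it (the thread shows a316b10 on moby master). In the `init()` added to archive.go, the comment states the intent but not why the results of `user.Lookup("docker")` and `net.LookupHost("localhost")` are thrown away: the calls exist only for their side effect of making glibc load its NSS modules before any chroot in this package runs, so a failing lookup (no `docker` user on the host) is expected and harmless. Saying so in the comment would stop a later cleanup from "fixing" the ignored errors or dropping the calls as dead code.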
>>>> -- 
>>>> 2.8.1
>>>>
>>
>
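The backported `init()` relies on a side effect that can fail silently: the two lookups only protect the chroot if they actually make glibc map its `libnss_*` modules from the host before `chroot()` is called, which depends on the build (cgo) and on which resolver the Go runtime picks on that host. The following Go program, added here as an illustration and not part of the patch or of the docker source, performs the same two lookups and then inspects `/proc/self/maps` to confirm which `libnss_*` objects got mapped. `sampleMaps` is a constructed `/proc/self/maps` excerpt used to exercise the parser offline, and `warmNSS`, `nssModulesIn` and `loadedNSSModules` are names chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"os/user"
	"path/filepath"
	"strings"
)

// warmNSS performs the same two lookups as the backported archive.go init().
// The results are irrelevant; the point is the side effect: when the lookups
// reach glibc, it dlopen()s the libnss_*.so modules named in nsswitch.conf,
// so they are mapped from the host filesystem before any chroot() happens.
func warmNSS() {
	_, _ = user.Lookup("docker")
	_, _ = net.LookupHost("localhost")
}

// nssModulesIn parses text in /proc/self/maps format and returns the distinct
// basenames of mapped libnss_* shared objects, in first-seen order.
func nssModulesIn(maps string) []string {
	seen := map[string]bool{}
	var mods []string
	sc := bufio.NewScanner(strings.NewReader(maps))
	for sc.Scan() {
		// address perms offset dev inode [pathname]
		fields := strings.Fields(sc.Text())
		if len(fields) < 6 {
			continue // anonymous mapping, no pathname column
		}
		base := filepath.Base(fields[5])
		if !strings.HasPrefix(base, "libnss_") || !strings.Contains(base, ".so") {
			continue // libc, [stack], [heap], binaries, ...
		}
		if !seen[base] {
			seen[base] = true
			mods = append(mods, base)
		}
	}
	return mods
}

// loadedNSSModules reads this process's own memory map (Linux only) and
// reports which NSS modules are currently mapped.
func loadedNSSModules() ([]string, error) {
	data, err := os.ReadFile("/proc/self/maps")
	if err != nil {
		return nil, err
	}
	return nssModulesIn(string(data)), nil
}

// sampleMaps is a constructed /proc/self/maps excerpt (addresses and inodes
// are made up) showing what a successful warm-up looks like.
const sampleMaps = `7f3a4c000000-7f3a4c021000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a4c021000-7f3a4c022000 r-xp 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libnss_files.so.2
7f3a4c022000-7f3a4c023000 r--p 00001000 08:01 5678 /usr/lib/x86_64-linux-gnu/libnss_files.so.2
7f3a4c030000-7f3a4c040000 r-xp 00000000 08:01 9012 /usr/lib/x86_64-linux-gnu/libnss_dns.so.2
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
7f3a4c050000-7f3a4c051000 rw-p 00000000 00:00 0
`

func main() {
	fmt.Println("parser on constructed sample:", nssModulesIn(sampleMaps))

	warmNSS()
	mods, err := loadedNSSModules()
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read /proc/self/maps:", err)
		os.Exit(1)
	}
	if len(mods) == 0 {
		// The lookups never reached glibc (e.g. CGO_ENABLED=0 or the pure Go
		// resolver handled them), so an init() like this would not protect a
		// later chroot in this build.
		fmt.Println("no libnss_* module mapped after warm-up: the init() trick had no effect here")
		return
	}
	fmt.Println("NSS modules mapped from the host before any chroot:", mods)
}
```

Run it as root-less `go run` on the build host: an empty result means the daemon binary built the same way would still resolve NSS modules lazily, i.e. potentially from inside the untrusted chroot, and the build flags or resolver settings need attention rather than the patch.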


