[meta-virtualization] [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc
Bruce Ashfield
bruce.ashfield at gmail.com
Thu Sep 26 07:34:16 PDT 2019
On Tue, Sep 3, 2019 at 10:03 PM Hongxu Jia <hongxu.jia at windriver.com> wrote:
> On 9/4/19 2:28 AM, akuster808 wrote:
> >
> > On 9/3/19 10:40 AM, Bruce Ashfield wrote:
> >> On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia at windriver.com>
> wrote:
> >>> Backport a patch from upstream to fix CVE-2019-14271
> >> Given the docker version bumps that Stefan posted earlier, is this
> >> still required ?
> In Stefan's upgraded patch earlier, it switched from moby:master to engine:19.03,
>
> I found the upgraded version contains the patch
>
> commit fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
> Author: Justin Cormack <justin.cormack at docker.com>
> Date: Thu Jul 25 15:24:39 2019 +0100
>
> Initialize nss libraries in Glibc so that the dynamic libraries are
> loaded in the host
> environment not in the chroot from untrusted files.
>
> See also OpenVZ
>
> https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>
> Signed-off-by: Justin Cormack <justin.cormack at docker.com>
> (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
> Signed-off-by: Tibor Vass <tibor at docker.com>
>
> $ git branch -r --contains fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
> origin/19.03
>
> If Stefan's patch is accepted, please ignore this one
>
> //Hongxu
>
> > What about stable branches? can this be reused for any of them?
>
> I am afraid it exists on the master branch only
>
> jia at pek-lpg-core1-vm2:/buildarea1/hjia/community/moby$ git branch -r --contains a316b10dab79d9298b02c7930958ed52e0ccf4e4
> origin/HEAD -> origin/master
> origin/master
>
>
>
FYI: I just pushed changes to master that should address this (and the
other docker uprevs that were pending).
Bruce
>
>
> > - armin
> >> Bruce
> >>
> >>> Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> >>> ---
> >>> recipes-containers/docker/docker_git.bb | 1 +
> >>> ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
> >>> 2 files changed, 51 insertions(+)
> >>> create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> >>>
> >>> diff --git a/recipes-containers/docker/docker_git.bb
> b/recipes-containers/docker/docker_git.bb
> >>> index e45f87e..e993017 100644
> >>> --- a/recipes-containers/docker/docker_git.bb
> >>> +++ b/recipes-containers/docker/docker_git.bb
> >>> @@ -45,6 +45,7 @@ SRC_URI = "\
> >>> file://docker.init \
> >>> file://0001-libnetwork-use-GO-instead-of-go.patch \
> >>> file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
> >>> +
> file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
> >>> "
> >>>
> >>> require docker.inc
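Review bot: the new SRC_URI entry in docker_git.bb collides with the pending 19.03 uprev discussed above in this thread: that branch already carries the upstream commit (fa8dd90c is on origin/19.03), so applying `file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch` on top of it would fail as already applied. Either rebase this series on the uprev and drop the line, or state explicitly that this patch is for the pre-uprev recipe only and must be removed when the uprev merges.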
> >>> diff --git
> a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> >>> new file mode 100644
> >>> index 0000000..67ddd49
> >>> --- /dev/null
> >>> +++
> b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> >>> @@ -0,0 +1,50 @@
> >>> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
> >>> +From: Justin Cormack <justin.cormack at docker.com>
> >>> +Date: Thu, 25 Jul 2019 15:24:39 +0100
> >>> +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
> >>> + libraries are loaded in the host environment not in the chroot from
> untrusted
> >>> + files.
> >>> +
> >>> +See also OpenVZ
> https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
> >>> +
> >>> +Signed-off-by: Justin Cormack <justin.cormack at docker.com>
> >>> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
> >>> +Signed-off-by: Tibor Vass <tibor at docker.com>
> >>> +
> >>> +CVE: CVE-2019-14271
> >>> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
> >>> +Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
> >>> +---
> >>> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
> >>> + 1 file changed, 9 insertions(+)
> >>> +
> >>> +diff --git a/src/import/pkg/chrootarchive/archive.go
> b/src/import/pkg/chrootarchive/archive.go
> >>> +index 6ff61e6..83ed0c6 100644
> >>> +--- a/src/import/pkg/chrootarchive/archive.go
> >>> ++++ b/src/import/pkg/chrootarchive/archive.go
> >>> +@@ -4,13 +4,22 @@ import (
> >>> + "fmt"
> >>> + "io"
> >>> + "io/ioutil"
> >>> ++ "net"
> >>> + "os"
> >>> ++ "os/user"
> >>> + "path/filepath"
> >>> +
> >>> + "github.com/docker/docker/pkg/archive"
> >>> + "github.com/docker/docker/pkg/idtools"
> >>> + )
> >>> +
> >>> ++func init() {
> >>> ++ // initialize nss libraries in Glibc so that the dynamic
> libraries are loaded in the host
> >>> ++ // environment not in the chroot from untrusted files.
> >>> ++ _, _ = user.Lookup("docker")
> >>> ++ _, _ = net.LookupHost("localhost")
> >>> ++}
> >>> ++
> >>> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
> >>> + func NewArchiver(idMapping *idtools.IdentityMapping)
> *archive.Archiver {
> >>> + if idMapping == nil {
> >>> +--
> >>> +2.8.1
> >>> +
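Review bot: the init() added to archive.go documents its intent but not its precondition: `user.Lookup("docker")` and `net.LookupHost("localhost")` only make glibc dlopen the libnss_* backends when the package is built with cgo enabled; with CGO_ENABLED=0 or the netgo/osusergo build tags both calls use Go's own resolvers, nothing is loaded, and the init() is a no-op. A one-line comment saying that the effect depends on the cgo resolvers, and that the user name "docker" is arbitrary because a lookup that finds nothing still walks and loads every configured passwd backend, would save the next reader from re-deriving this. Separately, the patch header carries three different commit ids, `From b688546c8e35ce48d02dd5adf156399b37590b26`, `(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)` and `Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]`; Upstream-Status should name the commit this patch was actually exported from, or the header should say which tree each id belongs to.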
> >>> --
> >>> 2.8.1
> >>>
> >
>
>
--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II
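One check a practitioner will want after building a docker with the patch quoted above is whether the pre-chroot lookups actually pin any NSS plugin in the process, since that only happens when the lookups reach glibc through cgo. The following is an added example, not code from the patch, from this thread, or from docker: it performs the same two lookups and then scans /proc/self/maps for libnss_* mappings. The function names nssLibsInMaps, loadedNSSLibs and primeNSS, and the /proc/self/maps excerpt in sampleMaps, are this example's own assumptions; the excerpt is constructed, not captured from a real process.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"os/user"
	"path"
	"sort"
	"strings"
)

// sampleMaps is a constructed /proc/self/maps excerpt (not captured from a
// real docker process) used to exercise the parser offline.
const sampleMaps = `7f0000000000-7f0000001000 r--p 00000000 08:01 1234 /lib/x86_64-linux-gnu/libnss_files.so.2
7f0000001000-7f0000002000 r-xp 00001000 08:01 1234 /lib/x86_64-linux-gnu/libnss_files.so.2
7f0000002000-7f0000003000 rw-p 00000000 00:00 0
7f0000003000-7f0000004000 r--p 00000000 08:01 5678 /lib/x86_64-linux-gnu/libnss_dns.so.2
7f0000004000-7f0000005000 r--p 00000000 08:01 9999 /lib/x86_64-linux-gnu/libc.so.6
7f0000005000-7f0000006000 rw-p 00000000 00:00 0 [heap]
`

// nssLibsInMaps parses text in /proc/<pid>/maps format and returns the sorted,
// de-duplicated basenames of every mapped file whose name starts with "libnss_".
func nssLibsInMaps(r io.Reader) []string {
	seen := map[string]bool{}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		// The pathname is the optional sixth field; anonymous mappings have none.
		if len(fields) < 6 {
			continue
		}
		if base := path.Base(fields[5]); strings.HasPrefix(base, "libnss_") {
			seen[base] = true
		}
	}
	out := make([]string, 0, len(seen))
	for name := range seen {
		out = append(out, name)
	}
	sort.Strings(out)
	return out
}

// loadedNSSLibs reports the NSS plugins currently mapped into this process
// (Linux only: it reads /proc/self/maps).
func loadedNSSLibs() ([]string, error) {
	f, err := os.Open("/proc/self/maps")
	if err != nil {
		return nil, err
	}
	defer f.Close()
	return nssLibsInMaps(f), nil
}

// primeNSS performs the same two lookups the docker fix uses. The results are
// discarded on purpose: the side effect, glibc dlopen()ing libnss_*.so for the
// backends listed in nsswitch.conf, is the point, and it only happens when the
// binary is built with cgo so that these calls reach glibc at all.
func primeNSS() {
	_, _ = user.Lookup("docker")
	_, _ = net.LookupHost("localhost")
}

func main() {
	fmt.Println("parser check on constructed sample:", nssLibsInMaps(strings.NewReader(sampleMaps)))

	before, err := loadedNSSLibs()
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read /proc/self/maps:", err)
		os.Exit(1)
	}
	primeNSS()
	after, err := loadedNSSLibs()
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read /proc/self/maps:", err)
		os.Exit(1)
	}
	fmt.Println("libnss_* mapped before lookups:", before)
	fmt.Println("libnss_* mapped after lookups: ", after)
	if len(after) == 0 {
		fmt.Println("no libnss_* plugin mapped: either this binary uses the pure-Go resolvers" +
			" (CGO_ENABLED=0, netgo/osusergo), or every configured backend is built into libc" +
			" (glibc 2.34+ ships files and dns inside libc.so.6); check the build flags before" +
			" relying on a pre-chroot lookup to pin the libraries")
	}
}
```

Run it once with the same toolchain flags the recipe uses for docker; a non-empty "after" list on a build that is supposed to be cgo-enabled confirms the preload path is live, while an empty list on glibc older than 2.34 means the lookups never reached glibc and the init() in the patch is not doing anything in that build.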