On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <[email protected]> wrote: > > Backport a patch from upstream to fix CVE-2019-14271
Given the docker version bumps that Stefan posted earlier, is this still required?
Bruce
> > Signed-off-by: Hongxu Jia <[email protected]> > --- > recipes-containers/docker/docker_git.bb | 1 + > ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 > ++++++++++++++++++++++ > 2 files changed, 51 insertions(+) > create mode 100644 > recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch > > diff --git a/recipes-containers/docker/docker_git.bb > b/recipes-containers/docker/docker_git.bb > index e45f87e..e993017 100644 > --- a/recipes-containers/docker/docker_git.bb > +++ b/recipes-containers/docker/docker_git.bb > @@ -45,6 +45,7 @@ SRC_URI = "\ > file://docker.init \ > file://0001-libnetwork-use-GO-instead-of-go.patch \ > file://0001-imporve-hardcoded-CC-on-cross-compile.patch \ > + > file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \ > " > > require docker.inc > diff --git > a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch > > b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch > new file mode 100644 > index 0000000..67ddd49 > --- /dev/null > +++ > b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch 
> @@ -0,0 +1,50 @@ > +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001 > +From: Justin Cormack <[email protected]> > +Date: Thu, 25 Jul 2019 15:24:39 +0100 > +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic > + libraries are loaded in the host environment not in the chroot from > untrusted > + files. > + > +See also OpenVZ > https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234 > + > +Signed-off-by: Justin Cormack <[email protected]> > +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b) > +Signed-off-by: Tibor Vass <[email protected]> > + > +CVE: CVE-2019-14271 > +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4] > +Signed-off-by: Hongxu Jia <[email protected]> > +--- > + src/import/pkg/chrootarchive/archive.go | 9 +++++++++ > + 1 file changed, 9 insertions(+) > + > +diff --git a/src/import/pkg/chrootarchive/archive.go > b/src/import/pkg/chrootarchive/archive.go > +index 6ff61e6..83ed0c6 100644 > +--- a/src/import/pkg/chrootarchive/archive.go > ++++ b/src/import/pkg/chrootarchive/archive.go > +@@ -4,13 +4,22 @@ import ( > + "fmt" > + "io" > + "io/ioutil" > ++ "net" > + "os" > ++ "os/user" > + "path/filepath" > + > + "github.com/docker/docker/pkg/archive" > + "github.com/docker/docker/pkg/idtools" > + ) > + > ++func init() { > ++ // initialize nss libraries in Glibc so that the dynamic libraries > are loaded in the host > ++ // environment not in the chroot from untrusted files. 
> ++ _, _ = user.Lookup("docker") > ++ _, _ = net.LookupHost("localhost") > ++} > ++ > + // NewArchiver returns a new Archiver which uses chrootarchive.Untar > + func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver { > + if idMapping == nil { > +-- > +2.8.1 > + > -- > 2.8.1 > -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II -- _______________________________________________ meta-virtualization mailing list [email protected] https://lists.yoctoproject.org/listinfo/meta-virtualization
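Review bot: the init() hunk in src/import/pkg/chrootarchive/archive.go only mitigates anything when docker is built with cgo, because, as its own comment says, it relies on Glibc loading the NSS libraries: user.Lookup("docker") and net.LookupHost("localhost") pull in libnss_* only when os/user and net resolve through libc, and with the pure-Go implementations (osusergo/netgo build tags, or the Go resolver that net selects by default for a plain nsswitch.conf unless GODEBUG=netdns=cgo is set) the calls are harmless but load nothing before the chroot. Please state that build requirement in the backport's commit message, or verify in docker_git.bb that this recipe's build does not select the pure-Go paths, so the backport is known to be effective here. Also, the Upstream-Status line cites a316b10dab79d9298b02c7930958ed52e0ccf4e4 while the patch header carries b688546c8e35ce48d02dd5adf156399b37590b26 and the cherry-pick note cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b; please confirm which upstream commit the backport tracks so the reference can be checked.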
