On 9/4/19 2:28 AM, akuster808 wrote:

On 9/3/19 10:40 AM, Bruce Ashfield wrote:
On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <[email protected]> wrote:
Backport a patch from upstream to fix CVE-2019-14271
Given the docker version bumps that Stefan posted earlier, is this
still required?
In Stefan's upgraded patch earlier, it switched from moby:master to engine:19.03,

I found the upgraded version contains the patch

commit fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
Author: Justin Cormack <[email protected]>
Date:   Thu Jul 25 15:24:39 2019 +0100

    Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
    environment not in the chroot from untrusted files.

    See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234

    Signed-off-by: Justin Cormack <[email protected]>
    (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
    Signed-off-by: Tibor Vass <[email protected]>

$ git branch -r --contains fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
  origin/19.03

If Stefan's patch is accepted, please ignore this one

//Hongxu

What about stable branches? Can this be reused for any of them?

I am afraid it exists on the master branch only

jia@pek-lpg-core1-vm2:/buildarea1/hjia/community/moby$ git branch -r --contains a316b10dab79d9298b02c7930958ed52e0ccf4e4
  origin/HEAD -> origin/master
  origin/master

- armin
Bruce

Signed-off-by: Hongxu Jia <[email protected]>
---
  recipes-containers/docker/docker_git.bb            |  1 +
  ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
  2 files changed, 51 insertions(+)
  create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch

diff --git a/recipes-containers/docker/docker_git.bb 
b/recipes-containers/docker/docker_git.bb
index e45f87e..e993017 100644
--- a/recipes-containers/docker/docker_git.bb
+++ b/recipes-containers/docker/docker_git.bb
@@ -45,6 +45,7 @@ SRC_URI = "\
         file://docker.init \
         file://0001-libnetwork-use-GO-instead-of-go.patch \
         file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
+       file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
         "

  require docker.inc
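Review bot: this SRC_URI entry collides with the upgrade discussed above: the thread shows that the engine:19.03 tree Stefan's bump switches to already carries this change (fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b per the `git branch -r --contains` output), so whichever of the two series merges second will either fail to apply the patch or ship it twice. Suggest stating the ordering explicitly in the cover text (this patch only for the current moby:master-based recipe, to be dropped when the 19.03 bump lands) rather than leaving it to the merger. Minor: the added `file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \` line appears indented one column short of the neighbouring `file://` entries; harmless inside the continuation string, but worth matching.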
diff --git 
a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
 
b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
new file mode 100644
index 0000000..67ddd49
--- /dev/null
+++ 
b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
@@ -0,0 +1,50 @@
+From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
+From: Justin Cormack <[email protected]>
+Date: Thu, 25 Jul 2019 15:24:39 +0100
+Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
+ libraries are loaded in the host environment not in the chroot from untrusted
+ files.
+
+See also OpenVZ 
https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
+
+Signed-off-by: Justin Cormack <[email protected]>
+(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
+Signed-off-by: Tibor Vass <[email protected]>
+
+CVE: CVE-2019-14271
+Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
+Signed-off-by: Hongxu Jia <[email protected]>
+---
+ src/import/pkg/chrootarchive/archive.go | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/import/pkg/chrootarchive/archive.go 
b/src/import/pkg/chrootarchive/archive.go
+index 6ff61e6..83ed0c6 100644
+--- a/src/import/pkg/chrootarchive/archive.go
++++ b/src/import/pkg/chrootarchive/archive.go
+@@ -4,13 +4,22 @@ import (
+       "fmt"
+       "io"
+       "io/ioutil"
++      "net"
+       "os"
++      "os/user"
+       "path/filepath"
+
+       "github.com/docker/docker/pkg/archive"
+       "github.com/docker/docker/pkg/idtools"
+ )
+
++func init() {
++      // initialize nss libraries in Glibc so that the dynamic libraries are 
loaded in the host
++      // environment not in the chroot from untrusted files.
++      _, _ = user.Lookup("docker")
++      _, _ = net.LookupHost("localhost")
++}
++
+ // NewArchiver returns a new Archiver which uses chrootarchive.Untar
+ func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
+       if idMapping == nil {
+--
+2.8.1
+
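Review bot: the patch header cites three different upstream identities for the same change (`From b688546c8e35ce48d02dd5adf156399b37590b26`, `cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b`, and `Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]`), while the thread identifies fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b as the commit on origin/19.03; the `Upstream-Status` hash should name the commit on the branch this recipe tracks so that cve-check and later rebases resolve to the right upstream. On the code in the hunk: the new `init()` in `src/import/pkg/chrootarchive/archive.go` calls `user.Lookup("docker")` and `net.LookupHost("localhost")` only for their side effect, forcing glibc to load its NSS modules from the host root before any later chroot, as the comment says. That side effect exists only when these calls reach glibc's resolver; a one-line note in the patch header that the fix depends on the binary being built against Glibc (as the Subject already implies) would stop a future build-configuration change from silently turning this `init()` into a no-op.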
--
2.8.1

--
_______________________________________________
meta-virtualization mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/meta-virtualization