On Tue, Sep 3, 2019 at 10:03 PM Hongxu Jia <[email protected]> wrote:
> On 9/4/19 2:28 AM, akuster808 wrote:
> >
> > On 9/3/19 10:40 AM, Bruce Ashfield wrote:
> >> On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <[email protected]> wrote:
> >>> Backport a patch from upstream to fix CVE-2019-14271
> >> Given the docker version bumps that Stefan posted earlier, is this
> >> still required ?
>
> In Stefan's upgraded patch earlier, it switched from moby:master to
> engine:19.03,
>
> I found the upgraded version contains the patch
>
> commit fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
> Author: Justin Cormack <[email protected]>
> Date: Thu Jul 25 15:24:39 2019 +0100
>
> Initialize nss libraries in Glibc so that the dynamic libraries are
> loaded in the host
> environment not in the chroot from untrusted files.
>
> See also OpenVZ
>
> https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>
> Signed-off-by: Justin Cormack <[email protected]>
> (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
> Signed-off-by: Tibor Vass <[email protected]>
>
> $ git branch -r --contains fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
> origin/19.03
>
> If Stefan's patch is accepted, please ignore this one
>
> //Hongxu
>
> > What about stable branches? can this be reused for any of them?
>
> I am afraid it exists on master branch only
>
> jia@pek-lpg-core1-vm2:/buildarea1/hjia/community/moby$ git branch -r --contains a316b10dab79d9298b02c7930958ed52e0ccf4e4
> origin/HEAD -> origin/master
> origin/master
>

FYI: I just pushed changes to master that should address this (and the
other docker uprevs that were pending).

Bruce

> >
> > - armin
> >> Bruce
> >> > >>> Signed-off-by: Hongxu Jia <[email protected]> > >>> --- > >>> recipes-containers/docker/docker_git.bb | 1 + > >>> ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 > ++++++++++++++++++++++ > >>> 2 files changed, 51 insertions(+) > >>> create mode 100644 > recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch > >>> > >>> diff --git a/recipes-containers/docker/docker_git.bb > b/recipes-containers/docker/docker_git.bb > >>> index e45f87e..e993017 100644 > >>> --- a/recipes-containers/docker/docker_git.bb > >>> +++ b/recipes-containers/docker/docker_git.bb > >>> @@ -45,6 +45,7 @@ SRC_URI = "\ > >>> file://docker.init \ > >>> file://0001-libnetwork-use-GO-instead-of-go.patch \ > >>> file://0001-imporve-hardcoded-CC-on-cross-compile.patch \ > >>> + > file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \ > >>> " > >>> > >>> require docker.inc > >>> diff --git > a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch > b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch > >>> new file mode 100644 > >>> index 0000000..67ddd49 > >>> --- /dev/null > >>> +++ > b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch 
> >>> @@ -0,0 +1,50 @@ > >>> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001 > >>> +From: Justin Cormack <[email protected]> > >>> +Date: Thu, 25 Jul 2019 15:24:39 +0100 > >>> +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic > >>> + libraries are loaded in the host environment not in the chroot from > untrusted > >>> + files. > >>> + > >>> +See also OpenVZ > https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234 > >>> + > >>> +Signed-off-by: Justin Cormack <[email protected]> > >>> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b) > >>> +Signed-off-by: Tibor Vass <[email protected]> > >>> + > >>> +CVE: CVE-2019-14271 > >>> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4] > >>> +Signed-off-by: Hongxu Jia <[email protected]> > >>> +--- > >>> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++ > >>> + 1 file changed, 9 insertions(+) > >>> + > >>> +diff --git a/src/import/pkg/chrootarchive/archive.go > b/src/import/pkg/chrootarchive/archive.go > >>> +index 6ff61e6..83ed0c6 100644 > >>> +--- a/src/import/pkg/chrootarchive/archive.go > >>> ++++ b/src/import/pkg/chrootarchive/archive.go > >>> +@@ -4,13 +4,22 @@ import ( > >>> + "fmt" > >>> + "io" > >>> + "io/ioutil" > >>> ++ "net" > >>> + "os" > >>> ++ "os/user" > >>> + "path/filepath" > >>> + > >>> + "github.com/docker/docker/pkg/archive" > >>> + "github.com/docker/docker/pkg/idtools" > >>> + ) > >>> + > >>> ++func init() { > >>> ++ // initialize nss libraries in Glibc so that the dynamic > libraries are loaded in the host > >>> ++ // environment not in the chroot from untrusted files. 
> >>> ++ _, _ = user.Lookup("docker") > >>> ++ _, _ = net.LookupHost("localhost") > >>> ++} > >>> ++ > >>> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar > >>> + func NewArchiver(idMapping *idtools.IdentityMapping) > *archive.Archiver { > >>> + if idMapping == nil { > >>> +-- > >>> +2.8.1 > >>> + > >>> -- > >>> 2.8.1 > >>> > > > > -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II
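Review bot: the docker_git.bb hunk adds 0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch to SRC_URI, but the thread above shows the same change already present on the engine 19.03 branch as fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b; if the recipe is moved to that branch by Stefan's uprev, this patch will fail to apply and has to be dropped together with the SRC_URI line, so the two changes should not be merged independently.

Review bot: in the archive.go hunk the new init() only achieves what its comment says when the binary is linked against glibc through cgo: user.Lookup("docker") then goes through getpwnam_r and pulls in libnss_*, while net.LookupHost("localhost") may be answered by Go's own resolver and never touch glibc, so the comment should say that the effect depends on a cgo build and the recipe should make sure docker is not built with CGO_ENABLED=0 or the osusergo/netgo tags. The header also names three different commits (the From line b688546c8e35ce48d02dd5adf156399b37590b26, "cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b" and "Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]"); please state which repository and branch the Upstream-Status hash refers to, since the thread says it exists on moby master only.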
-- 
_______________________________________________
meta-virtualization mailing list
[email protected]
https://lists.yoctoproject.org/listinfo/meta-virtualization
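The backported fix relies on a side effect: calling user.Lookup() and net.LookupHost() before any chroot makes glibc dlopen() its libnss_* plugins from the host, so a later lookup inside the untrusted rootfs cannot pull in a container-supplied libnss. The program below is an added example, written for this page and not taken from the meta-virtualization patch or from moby. It repeats the patch's two lookups and then reads /proc/self/maps to confirm which libnss_* objects are actually mapped, which is the check a practitioner wants when validating a docker build for CVE-2019-14271. It assumes a Linux host with /proc mounted; the sampleMaps excerpt is constructed for the parser demonstration, not captured from a real docker process.

```go
// Added example, not code from the meta-virtualization patch or from moby:
// it repeats the two lookups the patch adds to chrootarchive's init() and
// then checks /proc/self/maps to confirm that glibc mapped its libnss_*
// plugins into this process before any chroot happens.
package main

import (
	"bufio"
	"fmt"
	"net"
	"os"
	"os/user"
	"path"
	"strings"
)

// sampleMaps is a constructed /proc/<pid>/maps excerpt (not captured from a
// real docker process) used to show what the parser picks out.
const sampleMaps = `7f3c6a000000-7f3c6a021000 r--p 00000000 08:01 1048 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f3c6a200000-7f3c6a20b000 r-xp 00001000 08:01 2099 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so
7f3c6a20b000-7f3c6a20c000 r--p 0000b000 08:01 2099 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so
7f3c6a300000-7f3c6a305000 r-xp 00000000 08:01 2101 /usr/lib/x86_64-linux-gnu/libnss_dns-2.31.so
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
7ffd1c0fe000-7ffd1c100000 rw-p 00000000 00:00 0
`

// nssLibrariesIn parses maps-formatted text and returns the basenames of
// every mapped object named libnss_*, de-duplicated, in first-seen order.
func nssLibrariesIn(maps string) []string {
	seen := map[string]bool{}
	var libs []string
	sc := bufio.NewScanner(strings.NewReader(maps))
	for sc.Scan() {
		// maps line: address perms offset dev inode [pathname]
		fields := strings.Fields(sc.Text())
		if len(fields) < 6 {
			continue // anonymous mapping, no pathname
		}
		base := path.Base(fields[5])
		if !strings.HasPrefix(base, "libnss_") || seen[base] {
			continue
		}
		seen[base] = true
		libs = append(libs, base)
	}
	return libs
}

// preloadNSS performs the same lookups as the patch's init(). The results
// are discarded on purpose: only the side effect of glibc dlopen()ing its
// NSS plugins matters, and that happens only when the binary is built with
// cgo (os/user then calls getpwnam_r; net calls getaddrinfo only if Go's
// resolver decides not to handle the name itself).
func preloadNSS() {
	_, _ = user.Lookup("docker")
	_, _ = net.LookupHost("localhost")
}

// mappedNSSLibraries reports which libnss_* objects the running process has
// mapped. An empty list after preloadNSS() means the lookups never reached
// glibc: either the binary is pure Go (nothing to preload, nothing at risk)
// or cgo is in use but the first glibc lookup would happen later, possibly
// inside the chroot, where the plugin would come from the untrusted rootfs.
func mappedNSSLibraries() ([]string, error) {
	data, err := os.ReadFile("/proc/self/maps")
	if err != nil {
		return nil, err
	}
	return nssLibrariesIn(string(data)), nil
}

func main() {
	fmt.Println("parser on constructed sample:", nssLibrariesIn(sampleMaps))
	preloadNSS()
	libs, err := mappedNSSLibraries()
	if err != nil {
		fmt.Println("cannot read /proc/self/maps:", err)
		return
	}
	if len(libs) == 0 {
		fmt.Println("no libnss_* mapped after preload: glibc NSS not in use, or not reached")
		return
	}
	fmt.Println("NSS plugins loaded before chroot:", libs)
}
```

Build it once with cgo enabled (the default on a host with a C toolchain) and once with CGO_ENABLED=0 to see the difference the reviewer caveat is about: the static build reports nothing mapped because it never uses glibc NSS at all, while the cgo build should list at least libnss_files (and whatever /etc/nsswitch.conf names for passwd) as soon as preloadNSS() has run.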
