Hello community,

here is the log from the commit of package docker_1_12_6 for openSUSE:Factory 
checked in at 2017-11-08 15:11:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker_1_12_6 (Old)
 and      /work/SRC/openSUSE:Factory/.docker_1_12_6.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "docker_1_12_6"

Wed Nov  8 15:11:05 2017 rev:4 rq:539664 version:1.12.6

Changes:
--------
--- /work/SRC/openSUSE:Factory/docker_1_12_6/docker_1_12_6.changes      
2017-10-19 19:32:25.896048738 +0200
+++ /work/SRC/openSUSE:Factory/.docker_1_12_6.new/docker_1_12_6.changes 
2017-11-08 15:14:12.753113981 +0100
@@ -1,0 +2,17 @@
+Tue Nov  7 16:49:59 UTC 2017 - [email protected]
+
+- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a
+  security issue where a maliciously crafted image could be used to crash a
+  Docker daemon. bsc#1066210 CVE-2017-14992
+  + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
+
+-------------------------------------------------------------------
+Tue Nov  7 09:09:11 UTC 2017 - [email protected]
+
+- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a
+  security issue where a Docker container (with a disabled AppArmor profile)
+  could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801
+  CVE-2017-16539
+  + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+
+-------------------------------------------------------------------

New:
----
  bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
  bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ docker_1_12_6.spec ++++++
--- /var/tmp/diff_new_pack.WgXeIB/_old  2017-11-08 15:14:13.893072370 +0100
+++ /var/tmp/diff_new_pack.WgXeIB/_new  2017-11-08 15:14:13.897072224 +0100
@@ -83,6 +83,10 @@
 Patch412:       bsc1037436-0002-client-check-tty-before-creating-exec-job.patch
 # SUSE-BACKPORT: Patches required to make layerdb operations atomic. 
bsc#1031479
 Patch420:       
bsc1031479-0001-Update-layer-store-to-sync-transaction-files-before-.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. 
boo#1066801 CVE-2017-16539
+Patch430:       bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. 
boo#1066210 CVE-2017-14992
+Patch440:       
bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
 # SUSE-BACKPORT: Patch fixing a DoS bug that makes certain operations fail on
 #                a libdm device. bsc#1045628
 Patch500:       
bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
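Review bot: The comments added for Patch430 and Patch440 reference the bugs as `boo#1066801` and `boo#1066210`, while the patch file names on the next lines, the neighbouring Patch420/Patch500 comments and the changelog entry use the `bsc#` prefix for the same numbers; the second hunk (`# boo#1066801 CVE-2017-16539` and `# boo#1066210 CVE-2017-14992` above `%patch430`/`%patch440`) carries the same mismatch. Using one prefix keeps the bug references greppable across the spec, changelog and patch headers, e.g. `# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. bsc#1066801 CVE-2017-16539` and `# bsc#1066801 CVE-2017-16539` in the %prep hunk. The CVE identifiers themselves agree with the changelog and with the `Fixes:` trailers of both patches.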
@@ -217,6 +221,10 @@
 %patch412 -p1
 # bsc#1031479
 %patch420 -p1
+# boo#1066801 CVE-2017-16539
+%patch430 -p1
+# boo#1066210 CVE-2017-14992
+%patch440 -p1
 # bsc#1045628
 %patch500 -p1
 %patch600 -p1

++++++ 
bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch 
++++++
>From 2d49a7a98c42f25229f2daf25c9bf4846e16be61 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <[email protected]>
Date: Wed, 8 Nov 2017 02:50:52 +1100
Subject: [PATCH] vendor: update to github.com/vbatts/[email protected]

Update to the latest version of tar-split, which includes a change to
fix a memory exhaustion issue where a malformed image could cause the
Docker daemon to crash.

  * tar: asm: store padding in chunks to avoid memory exhaustion

Fixes: CVE-2017-14992
Signed-off-by: Aleksa Sarai <[email protected]>
---
 .../vbatts/tar-split/tar/asm/disassemble.go        | 43 ++++++++++++++--------
 1 file changed, 28 insertions(+), 15 deletions(-)

diff --git a/vendor/src/github.com/vbatts/tar-split/tar/asm/disassemble.go 
b/vendor/src/github.com/vbatts/tar-split/tar/asm/disassemble.go
index 54ef23aed366..009b3f5d8124 100644
--- a/vendor/src/github.com/vbatts/tar-split/tar/asm/disassemble.go
+++ b/vendor/src/github.com/vbatts/tar-split/tar/asm/disassemble.go
@@ -2,7 +2,6 @@ package asm
 
 import (
        "io"
-       "io/ioutil"
 
        "github.com/vbatts/tar-split/archive/tar"
        "github.com/vbatts/tar-split/tar/storage"
@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp 
storage.FilePutter) (io
                        }
                }
 
-               // it is allowable, and not uncommon that there is further 
padding on the
-               // end of an archive, apart from the expected 1024 null bytes.
-               remainder, err := ioutil.ReadAll(outputRdr)
-               if err != nil && err != io.EOF {
-                       pW.CloseWithError(err)
-                       return
-               }
-               _, err = p.AddEntry(storage.Entry{
-                       Type:    storage.SegmentType,
-                       Payload: remainder,
-               })
-               if err != nil {
-                       pW.CloseWithError(err)
-                       return
+               // It is allowable, and not uncommon that there is further 
padding on
+               // the end of an archive, apart from the expected 1024 null 
bytes. We
+               // do this in chunks rather than in one go to avoid cases where 
a
+               // maliciously crafted tar file tries to trick us into reading 
many GBs
+               // into memory.
+               const paddingChunkSize = 1024 * 1024
+               var paddingChunk [paddingChunkSize]byte
+               for {
+                       var isEOF bool
+                       n, err := outputRdr.Read(paddingChunk[:])
+                       if err != nil {
+                               if err != io.EOF {
+                                       pW.CloseWithError(err)
+                                       return
+                               }
+                               isEOF = true
+                       }
+                       _, err = p.AddEntry(storage.Entry{
+                               Type:    storage.SegmentType,
+                               Payload: paddingChunk[:n],
+                       })
+                       if err != nil {
+                               pW.CloseWithError(err)
+                               return
+                       }
+                       if isEOF {
+                               break
+                       }
                }
                pW.Close()
        }()
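Review bot: The loop calls `p.AddEntry` on every iteration, including the final `Read` that returns `(0, io.EOF)`, so depending on how the reader reports EOF the entry stream may now end with an empty SegmentType entry where the old `ioutil.ReadAll` path emitted exactly one (possibly empty) entry; guarding the call with `if n > 0 {` … `}` keeps the layout closer to the previous one, while whether an empty payload is harmless at reassembly depends on the Packer/Unpacker, which is outside this hunk. `paddingChunk` is reused across iterations and `paddingChunk[:n]` aliases it when handed to `p.AddEntry`; if the Packer retains the slice rather than serialising it immediately, a later read would overwrite an earlier entry, so a short comment such as `// AddEntry must not retain Payload: paddingChunk is reused below.` (or an explicit copy) would make that contract visible. The chunking does bound memory per read to paddingChunkSize as intended, though a reader that keeps returning `(0, nil)` would spin here and flood the packer with empty entries — the io.Reader contract discourages that, so this is a minor point. The enclosing goroutine in NewInputTarStream starts outside the hunk.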
-- 
2.14.3

++++++ bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch ++++++
>From 85af369116436c401838ca16771c91a26626e8f7 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <[email protected]>
Date: Tue, 7 Nov 2017 18:25:42 +1100
Subject: [PATCH] oci: add /proc/scsi to masked paths

This is writeable, and can be used to remove devices. Containers do
not need to know about scsi devices.

Fixes: CVE-2017-16539
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801
Signed-off-by: Justin Cormack <[email protected]>
Signed-off-by: Aleksa Sarai <[email protected]>
---
 oci/defaults_linux.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/oci/defaults_linux.go b/oci/defaults_linux.go
index e8c410aa54cf..633deebc5301 100644
--- a/oci/defaults_linux.go
+++ b/oci/defaults_linux.go
@@ -84,6 +84,8 @@ func DefaultSpec() specs.Spec {
                        "/proc/timer_list",
                        "/proc/timer_stats",
                        "/proc/sched_debug",
+                       "/sys/firmware",
+                       "/proc/scsi",
                },
                ReadonlyPaths: []string{
                        "/proc/asound",
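Review bot: The hunk masks `/sys/firmware` in addition to `/proc/scsi`, but the patch subject and description, and the package changelog entry, mention only `/proc/scsi`; a sentence in the description such as `Also mask /sys/firmware, which is not in the 1.12.6 masked path list.` would record that the extra entry is intentional rather than a stray merge. The list being extended is the MaskedPaths field of the spec built by DefaultSpec, whose body starts and ends outside the hunk; from the hunk alone it is not visible whether every container receives this default spec, so the changelog wording about the fix's scope (containers "with a disabled AppArmor profile") should presumably be checked against the callers of DefaultSpec.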
-- 
2.14.3

