Hello community, here is the log from the commit of package docker for openSUSE:Factory checked in at 2017-11-10 14:42:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker (Old) and /work/SRC/openSUSE:Factory/.docker.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker" Fri Nov 10 14:42:49 2017 rev:63 rq:540195 version:17.07.0_ce Changes: -------- --- /work/SRC/openSUSE:Factory/docker/docker.changes 2017-10-25 17:45:19.361606531 +0200 +++ /work/SRC/openSUSE:Factory/.docker.new/docker.changes 2017-11-10 14:42:50.823646548 +0100 @@ -1,0 +2,17 @@ +Tue Nov 7 16:47:01 UTC 2017 - [email protected] + +- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a + security issue where a maliciously crafted image could be used to crash a + Docker daemon. bsc#1066210 CVE-2017-14992 + + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch + +------------------------------------------------------------------- +Tue Nov 7 09:00:31 UTC 2017 - [email protected] + +- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a + security issue where a Docker container (with a disabled AppArmor profile) + could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801 + CVE-2017-16539 + + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch + +------------------------------------------------------------------- 
@@ -32,0 +50,17 @@ + +------------------------------------------------------------------- +Mon Oct 2 08:12:17 UTC 2017 - [email protected] + +- Fix bsc#1059011 + + The systemd service helper script used a timeout of 60 seconds to + start the daemon, which is insufficient in cases where the daemon + takes longer to start. Instead, set the service type from 'simple' to + 'notify' and remove the now superfluous helper script. + +------------------------------------------------------------------- +Wed Sep 27 15:04:19 UTC 2017 - [email protected] + +- fix bsc#1057743: Add a Requires: fix_bsc_1057743 which is provided by the + newer version of docker-libnetwork. This is necessary because of a versioning + bug we found in bsc#1057743. New: ---- bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker.spec ++++++ --- /var/tmp/diff_new_pack.DiGkc2/_old 2017-11-10 14:42:51.927606642 +0100 +++ /var/tmp/diff_new_pack.DiGkc2/_new 2017-11-10 14:42:51.931606496 +0100 @@ -68,6 +68,10 @@ Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34176. boo#1064781 Patch403: bsc1064781-0001-Allow-to-override-build-date.patch +# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539 +Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch +# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992 +Patch405: bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates 
@@ -98,7 +102,11 @@ Requires: apparmor-parser Requires: bridge-utils Requires: ca-certificates-mozilla +# Required in order for networking to work. fix_bsc_1057743 is a work-around +# for some old packaging issues (where rpm would delete a binary that was +# installed by docker-libnetwork). See bsc#1057743 for more details. Requires: docker-libnetwork = 0.7.0+gitr2322_4a242dba7739 +Requires: fix_bsc_1057743 # Containerd and runC are required as they are the only currently supported # execdrivers of Docker. NOTE: The version pinning here matches upstream's # vendor.conf to ensure that we don't use a slightly incompatible version of @@ -191,6 +199,10 @@ %patch402 -p1 -d components/engine # boo#1064781 %patch403 -p1 -d components/engine +# boo#1066801 CVE-2017-16539 +%patch404 -p1 -d components/engine +# boo#1066210 CVE-2017-14992 +%patch405 -p1 -d components/engine cp %{SOURCE7} . cp %{SOURCE9} . @@ -435,7 +447,6 @@ %{_bindir}/docker %{_bindir}/dockerd %{_sbindir}/rcdocker -%{_libexecdir}/docker/ %{_unitdir}/%{name}.service %config %{_sysconfdir}/audit/rules.d/%{name}.rules %{_udevrulesdir}/80-%{name}.rules ++++++ bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch ++++++ >From b5cf56bc7f734ed8bfad4119fb817261e541a609 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Wed, 8 Nov 2017 02:50:52 +1100 Subject: [PATCH] vendor: update to github.com/vbatts/[email protected] Update to the latest version of tar-split, which includes a change to fix a memory exhaustion issue where a malformed image could cause the Docker daemon to crash. * tar: asm: store padding in chunks to avoid memory exhaustion Fixes: CVE-2017-14992 SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066210 Signed-off-by: Aleksa Sarai <[email protected]> --- vendor.conf | 2 +- vendor/github.com/vbatts/tar-split/README.md | 3 +- .../vbatts/tar-split/tar/asm/disassemble.go | 43 ++++++++++++++-------- 3 files changed, 31 insertions(+), 17 deletions(-) 
diff --git a/vendor.conf b/vendor.conf index 535adad38728..ea4f75bbea10 100644 --- a/vendor.conf +++ b/vendor.conf @@ -53,7 +53,7 @@ github.com/miekg/dns 75e6e86cc601825c5dbcd4e0c209eab180997cd7 # get graph and distribution packages github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621 -github.com/vbatts/tar-split v0.10.1 +github.com/vbatts/tar-split v0.10.2 github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb # get go-zfs packages diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md index 4c544d823fbc..03e3ec4308b7 100644 --- a/vendor/github.com/vbatts/tar-split/README.md +++ b/vendor/github.com/vbatts/tar-split/README.md @@ -1,6 +1,7 @@ # tar-split [](https://travis-ci.org/vbatts/tar-split) +[](https://goreportcard.com/report/github.com/vbatts/tar-split) Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive. @@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a contiguous file, though the archive contents may be recorded in sparse format. Therefore when adding the file payload to a reassembled tar, to achieve identical output, the file payload would need be precisely re-sparsified. This -is not something I seek to fix imediately, but would rather have an alert that +is not something I seek to fix immediately, but would rather have an alert that precise reassembly is not possible. (see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html) diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go index 54ef23aed366..009b3f5d8124 100644 --- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go +++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go 
@@ -2,7 +2,6 @@ package asm import ( "io" - "io/ioutil" "github.com/vbatts/tar-split/archive/tar" "github.com/vbatts/tar-split/tar/storage" @@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io } } - // it is allowable, and not uncommon that there is further padding on the - // end of an archive, apart from the expected 1024 null bytes. - remainder, err := ioutil.ReadAll(outputRdr) - if err != nil && err != io.EOF { - pW.CloseWithError(err) - return - } - _, err = p.AddEntry(storage.Entry{ - Type: storage.SegmentType, - Payload: remainder, - }) - if err != nil { - pW.CloseWithError(err) - return + // It is allowable, and not uncommon that there is further padding on + // the end of an archive, apart from the expected 1024 null bytes. We + // do this in chunks rather than in one go to avoid cases where a + // maliciously crafted tar file tries to trick us into reading many GBs + // into memory. + const paddingChunkSize = 1024 * 1024 + var paddingChunk [paddingChunkSize]byte + for { + var isEOF bool + n, err := outputRdr.Read(paddingChunk[:]) + if err != nil { + if err != io.EOF { + pW.CloseWithError(err) + return + } + isEOF = true + } + _, err = p.AddEntry(storage.Entry{ + Type: storage.SegmentType, + Payload: paddingChunk[:n], + }) + if err != nil { + pW.CloseWithError(err) + return + } + if isEOF { + break + } } pW.Close() }() -- 2.14.3 ++++++ bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch ++++++ >From d0194d04255e8121d67c1f55d7dce8f5ba67fccc Mon Sep 17 00:00:00 2001 From: Aleksa Sarai <[email protected]> Date: Tue, 7 Nov 2017 18:32:41 +1100 Subject: [PATCH] oci: add /proc/scsi to masked paths This is writeable, and can be used to remove devices. Containers do not need to know about scsi devices. Fixes: CVE-2017-16539 SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801 Signed-off-by: Justin Cormack <[email protected]> 
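Review bot: `Payload: paddingChunk[:n]` aliases the one reusable buffer, so every entry handed to `p.AddEntry` is overwritten by the next `outputRdr.Read`; that is only safe if the Packer serialises or copies the payload before returning, which the hunk does not show, whereas the removed code passed a freshly allocated `remainder` that the packer could retain. Either copy per chunk (`Payload: append([]byte(nil), paddingChunk[:n]...)`, which keeps the 1 MiB bound per entry) or record the contract above the call, e.g. `// Payload aliases paddingChunk; AddEntry must consume it before the next Read.`. Note also that a final `(0, io.EOF)` read still appends a zero-length SegmentType entry, matching the old behaviour when `remainder` was empty, so this is consistent but worth a one-line comment. The goroutine and NewInputTarStream both begin outside the hunk.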
Signed-off-by: Aleksa Sarai <[email protected]> --- oci/defaults.go | 1 + 1 file changed, 1 insertion(+) diff --git a/oci/defaults.go b/oci/defaults.go index d706fafcc021..a7fd285060c2 100644 --- a/oci/defaults.go +++ b/oci/defaults.go @@ -132,6 +132,7 @@ func DefaultLinuxSpec() specs.Spec { "/proc/timer_list", "/proc/timer_stats", "/proc/sched_debug", + "/proc/scsi", }, ReadonlyPaths: []string{ "/proc/asound", -- 2.14.3 ++++++ docker.service ++++++ --- /var/tmp/diff_new_pack.DiGkc2/_old 2017-11-10 14:42:52.091600713 +0100 +++ /var/tmp/diff_new_pack.DiGkc2/_new 2017-11-10 14:42:52.091600713 +0100 @@ -10,7 +10,7 @@ # While Docker has support for socket activation (-H fd://), this is not # enabled by default because enabling socket activation means that on boot your # containers won't start until someone tries to administer the Docker daemon. -Type=simple +Type=notify ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS ExecReload=/bin/kill -s HUP $MAINPID
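Review bot: The new `"/proc/scsi"` entry in MaskedPaths carries no explanation in the code even though the commit message gives one; a trailing comment keeps the rationale next to the entry, e.g. `"/proc/scsi", // writable; can be used to remove SCSI devices (CVE-2017-16539)`. Since this protection lives only in the default spec, any code path that clears or replaces MaskedPaths would presumably leave /proc/scsi exposed again, and the changelog already notes the AppArmor profile was the other layer here, so it is worth confirming the mask is not dropped elsewhere. DefaultLinuxSpec starts before the hunk and the literal continues after it.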
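Review bot: `Type=notify` makes systemd wait for a `READY=1` notification from dockerd, and the unit as shown sets no `TimeoutStartSec=`, so a slow daemon start now runs against systemd's default start timeout instead of the removed helper's 60 seconds, which was the problem bsc#1059011 describes. Consider adding `TimeoutStartSec=0` (or a deliberately chosen limit) next to `Type=notify`, presumably after verifying that this dockerd build actually sends sd_notify readiness, since otherwise the service is reported failed rather than active. The rest of the [Service] section is outside the hunk.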
