* [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc
@ 2019-09-03  8:01 Hongxu Jia
  2019-09-03 17:40 ` Bruce Ashfield
  0 siblings, 1 reply; 6+ messages in thread
From: Hongxu Jia @ 2019-09-03  8:01 UTC
  To: bruce.ashfield, meta-virtualization

Backport a patch from upstream to fix CVE-2019-14271

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 recipes-containers/docker/docker_git.bb            |  1 +
 ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch

diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
index e45f87e..e993017 100644
--- a/recipes-containers/docker/docker_git.bb
+++ b/recipes-containers/docker/docker_git.bb
@@ -45,6 +45,7 @@ SRC_URI = "\
 	file://docker.init \
 	file://0001-libnetwork-use-GO-instead-of-go.patch \
 	file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
+	file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
 	"
 
 require docker.inc
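Review bot: the SRC_URI entry is in the right place, but the backport needs to be tied to the recipe's pinned SRCREV: the patch header marks it as a backport of moby master commit a316b10, and the 19.03 engine branch already carries the same change as fa8dd90 (per the git branch --contains output later in this thread), so an uprev to either will make do_patch fail on an already-applied hunk and this file:// line has to be dropped together with that uprev. Stating the SRCREV the backport targets in the commit message would make that dependency visible to the next version bump.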
diff --git a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
new file mode 100644
index 0000000..67ddd49
--- /dev/null
+++ b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
@@ -0,0 +1,50 @@
+From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
+From: Justin Cormack <justin.cormack@docker.com>
+Date: Thu, 25 Jul 2019 15:24:39 +0100
+Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
+ libraries are loaded in the host environment not in the chroot from untrusted
+ files.
+
+See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
+
+Signed-off-by: Justin Cormack <justin.cormack@docker.com>
+(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
+Signed-off-by: Tibor Vass <tibor@docker.com>
+
+CVE: CVE-2019-14271
+Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
+Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
+---
+ src/import/pkg/chrootarchive/archive.go | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/import/pkg/chrootarchive/archive.go b/src/import/pkg/chrootarchive/archive.go
+index 6ff61e6..83ed0c6 100644
+--- a/src/import/pkg/chrootarchive/archive.go
++++ b/src/import/pkg/chrootarchive/archive.go
+@@ -4,13 +4,22 @@ import (
+ 	"fmt"
+ 	"io"
+ 	"io/ioutil"
++	"net"
+ 	"os"
++	"os/user"
+ 	"path/filepath"
+ 
+ 	"github.com/docker/docker/pkg/archive"
+ 	"github.com/docker/docker/pkg/idtools"
+ )
+ 
++func init() {
++	// initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
++	// environment not in the chroot from untrusted files.
++	_, _ = user.Lookup("docker")
++	_, _ = net.LookupHost("localhost")
++}
++
+ // NewArchiver returns a new Archiver which uses chrootarchive.Untar
+ func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
+ 	if idMapping == nil {
+-- 
+2.8.1
+
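Review bot: the two lookups in init() discard both results with `_, _ =`, which is intentional but should be stated, or a later cleanup may add error handling or drop a call that looks unused; suggest extending the comment to something like `// results intentionally ignored: the calls only force glibc to dlopen its passwd and hosts NSS modules before any chroot`. The effect also depends on the lookups reaching glibc through cgo: with CGO_ENABLED=0 or the osusergo/netgo build tags no libnss_* is ever dlopened (the init becomes a no-op, and so does the chroot-time load it guards against), and net.LookupHost reaches glibc only when Go's resolver selection falls back to the cgo resolver for that configuration (non-standard hosts sources in nsswitch.conf, or GODEBUG=netdns=cgo); a sentence on this in the patch header would help whoever builds the recipe without cgo. Finally, the header cites three different hashes (From b688546, cherry picked from cea6dca, Upstream-Status a316b10) without saying which repository each is in; naming the repository next to the Upstream-Status hash would spare the next reader the git branch --contains check done later in this thread.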
-- 
2.8.1



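The defensive pattern behind this backport, as an added example that is not code from the patch, Docker or meta-virtualization: force glibc to dlopen its NSS modules while the process still sees the host filesystem, then verify from /proc/self/maps that every libnss_* mapping comes from outside the rootfs that is about to be chrooted into. The function names, the placeholder rootfs path and both maps excerpts are constructed for this example; with CGO_ENABLED=0 or the pure-Go resolvers nothing is ever dlopened, so the check then reports no module mapped.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"os/user"
	"path/filepath"
	"strings"
)

// WarmNSS mirrors the upstream init(): the lookups are made only for the side
// effect of making glibc dlopen libnss_* for passwd and hosts; results are discarded.
func WarmNSS() {
	_, _ = user.Lookup("docker")
	_, _ = net.LookupHost("localhost")
}

// NSSModulesFromMaps parses /proc/<pid>/maps text and returns the unique
// backing-file paths of mapped NSS plugins (libnss_*.so*), in first-seen order.
func NSSModulesFromMaps(r io.Reader) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 6 {
			continue // anonymous mapping without a backing file
		}
		path := fields[5]
		base := filepath.Base(path)
		if !strings.HasPrefix(base, "libnss_") || !strings.Contains(base, ".so") {
			continue
		}
		if !seen[path] {
			seen[path] = true
			out = append(out, path)
		}
	}
	return out, sc.Err()
}

// CheckNSSLoadedFromHost fails if no NSS plugin is mapped at all (NSS not
// initialised before the chroot) or if any plugin was mapped from inside untrustedRoot.
func CheckNSSLoadedFromHost(modules []string, untrustedRoot string) error {
	if len(modules) == 0 {
		return fmt.Errorf("no libnss_* module mapped; NSS not initialised before chroot")
	}
	root := filepath.Clean(untrustedRoot) + "/"
	for _, m := range modules {
		if strings.HasPrefix(m, root) {
			return fmt.Errorf("NSS module %s was loaded from untrusted rootfs %s", m, untrustedRoot)
		}
	}
	return nil
}

// UntrustedRoot is a placeholder container rootfs; the maps excerpts below are constructed.
const UntrustedRoot = "/var/lib/docker/overlay2/EXAMPLE/merged"

// Good case: both NSS plugins come from the host's /lib.
const ConstructedHostMaps = `7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1c400000-7f3a1c40c000 r-xp 00000000 08:01 393245 /lib/x86_64-linux-gnu/libnss_files-2.28.so
7f3a1c40c000-7f3a1c60b000 ---p 0000c000 08:01 393245 /lib/x86_64-linux-gnu/libnss_files-2.28.so
7f3a1c800000-7f3a1c80a000 r-xp 00000000 08:01 393244 /lib/x86_64-linux-gnu/libnss_dns-2.28.so
7f3a1cc00000-7f3a1cd9e000 r-xp 00000000 08:01 393222 /lib/x86_64-linux-gnu/libc-2.28.so`

// Bad case: the first lookup ran after the chroot, so glibc took the plugin from the rootfs.
const ConstructedChrootMaps = `7f3a1cc00000-7f3a1cd9e000 r-xp 00000000 08:01 393222 /lib/x86_64-linux-gnu/libc-2.28.so
7f3a1d000000-7f3a1d022000 r-xp 00000000 08:01 8842 /var/lib/docker/overlay2/EXAMPLE/merged/lib/x86_64-linux-gnu/libnss_files-2.28.so`

func main() {
	WarmNSS() // must run before any chroot, as the upstream init() does
	f, err := os.Open("/proc/self/maps")
	if err != nil {
		fmt.Println("cannot read process maps:", err)
		return
	}
	defer f.Close()
	mods, _ := NSSModulesFromMaps(f)
	if err := CheckNSSLoadedFromHost(mods, UntrustedRoot); err != nil {
		fmt.Println("refusing to chroot:", err)
		return
	}
	fmt.Println("NSS modules mapped from host:", mods)
}
```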

* Re: [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc
  2019-09-03  8:01 [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc Hongxu Jia
@ 2019-09-03 17:40 ` Bruce Ashfield
  2019-09-03 18:28   ` akuster808
  0 siblings, 1 reply; 6+ messages in thread
From: Bruce Ashfield @ 2019-09-03 17:40 UTC
  To: Hongxu Jia; +Cc: meta-virtualization

On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
> Backport a patch from upstream to fix CVE-2019-14271

Given the docker version bumps that Stefan posted earlier, is this
still required?

Bruce

>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
>  recipes-containers/docker/docker_git.bb            |  1 +
>  ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
>  2 files changed, 51 insertions(+)
>  create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>
> diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
> index e45f87e..e993017 100644
> --- a/recipes-containers/docker/docker_git.bb
> +++ b/recipes-containers/docker/docker_git.bb
> @@ -45,6 +45,7 @@ SRC_URI = "\
>         file://docker.init \
>         file://0001-libnetwork-use-GO-instead-of-go.patch \
>         file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
> +       file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
>         "
>
>  require docker.inc
> diff --git a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> new file mode 100644
> index 0000000..67ddd49
> --- /dev/null
> +++ b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> @@ -0,0 +1,50 @@
> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
> +From: Justin Cormack <justin.cormack@docker.com>
> +Date: Thu, 25 Jul 2019 15:24:39 +0100
> +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
> + libraries are loaded in the host environment not in the chroot from untrusted
> + files.
> +
> +See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
> +
> +Signed-off-by: Justin Cormack <justin.cormack@docker.com>
> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
> +Signed-off-by: Tibor Vass <tibor@docker.com>
> +
> +CVE: CVE-2019-14271
> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> +---
> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
> + 1 file changed, 9 insertions(+)
> +
> +diff --git a/src/import/pkg/chrootarchive/archive.go b/src/import/pkg/chrootarchive/archive.go
> +index 6ff61e6..83ed0c6 100644
> +--- a/src/import/pkg/chrootarchive/archive.go
> ++++ b/src/import/pkg/chrootarchive/archive.go
> +@@ -4,13 +4,22 @@ import (
> +       "fmt"
> +       "io"
> +       "io/ioutil"
> ++      "net"
> +       "os"
> ++      "os/user"
> +       "path/filepath"
> +
> +       "github.com/docker/docker/pkg/archive"
> +       "github.com/docker/docker/pkg/idtools"
> + )
> +
> ++func init() {
> ++      // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
> ++      // environment not in the chroot from untrusted files.
> ++      _, _ = user.Lookup("docker")
> ++      _, _ = net.LookupHost("localhost")
> ++}
> ++
> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
> + func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
> +       if idMapping == nil {
> +--
> +2.8.1
> +
> --
> 2.8.1
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II



* Re: [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc
  2019-09-03 17:40 ` Bruce Ashfield
@ 2019-09-03 18:28   ` akuster808
  2019-09-04  2:02     ` Hongxu Jia
  0 siblings, 1 reply; 6+ messages in thread
From: akuster808 @ 2019-09-03 18:28 UTC
  To: Bruce Ashfield, Hongxu Jia; +Cc: meta-virtualization



On 9/3/19 10:40 AM, Bruce Ashfield wrote:
> On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>> Backport a patch from upstream to fix CVE-2019-14271
> Given the docker version bumps that Stefan posted earlier, is this
> still required ?
What about stable branches? Can this be reused for any of them?

- armin
>
> Bruce
>
>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> ---
>>  recipes-containers/docker/docker_git.bb            |  1 +
>>  ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
>>  2 files changed, 51 insertions(+)
>>  create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>
>> diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
>> index e45f87e..e993017 100644
>> --- a/recipes-containers/docker/docker_git.bb
>> +++ b/recipes-containers/docker/docker_git.bb
>> @@ -45,6 +45,7 @@ SRC_URI = "\
>>         file://docker.init \
>>         file://0001-libnetwork-use-GO-instead-of-go.patch \
>>         file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
>> +       file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
>>         "
>>
>>  require docker.inc
>> diff --git a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>> new file mode 100644
>> index 0000000..67ddd49
>> --- /dev/null
>> +++ b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>> @@ -0,0 +1,50 @@
>> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
>> +From: Justin Cormack <justin.cormack@docker.com>
>> +Date: Thu, 25 Jul 2019 15:24:39 +0100
>> +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
>> + libraries are loaded in the host environment not in the chroot from untrusted
>> + files.
>> +
>> +See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>> +
>> +Signed-off-by: Justin Cormack <justin.cormack@docker.com>
>> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
>> +Signed-off-by: Tibor Vass <tibor@docker.com>
>> +
>> +CVE: CVE-2019-14271
>> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>> +---
>> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
>> + 1 file changed, 9 insertions(+)
>> +
>> +diff --git a/src/import/pkg/chrootarchive/archive.go b/src/import/pkg/chrootarchive/archive.go
>> +index 6ff61e6..83ed0c6 100644
>> +--- a/src/import/pkg/chrootarchive/archive.go
>> ++++ b/src/import/pkg/chrootarchive/archive.go
>> +@@ -4,13 +4,22 @@ import (
>> +       "fmt"
>> +       "io"
>> +       "io/ioutil"
>> ++      "net"
>> +       "os"
>> ++      "os/user"
>> +       "path/filepath"
>> +
>> +       "github.com/docker/docker/pkg/archive"
>> +       "github.com/docker/docker/pkg/idtools"
>> + )
>> +
>> ++func init() {
>> ++      // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
>> ++      // environment not in the chroot from untrusted files.
>> ++      _, _ = user.Lookup("docker")
>> ++      _, _ = net.LookupHost("localhost")
>> ++}
>> ++
>> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
>> + func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
>> +       if idMapping == nil {
>> +--
>> +2.8.1
>> +
>> --
>> 2.8.1
>>
>




* Re: [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc
  2019-09-03 18:28   ` akuster808
@ 2019-09-04  2:02     ` Hongxu Jia
  2019-09-04  2:44       ` akuster808
  2019-09-26 14:34       ` Bruce Ashfield
  0 siblings, 2 replies; 6+ messages in thread
From: Hongxu Jia @ 2019-09-04  2:02 UTC
  To: akuster808, Bruce Ashfield; +Cc: meta-virtualization

On 9/4/19 2:28 AM, akuster808 wrote:
>
> On 9/3/19 10:40 AM, Bruce Ashfield wrote:
>> On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>>> Backport a patch from upstream to fix CVE-2019-14271
>> Given the docker version bumps that Stefan posted earlier, is this
>> still required ?
In Stefan's upgrade patch earlier, it switched from moby:master to engine:19.03.

I found that the upgraded version contains the patch:

commit fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
Author: Justin Cormack <justin.cormack@docker.com>
Date:   Thu Jul 25 15:24:39 2019 +0100

     Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
     environment not in the chroot from untrusted files.

     See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234

     Signed-off-by: Justin Cormack <justin.cormack@docker.com>
     (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
     Signed-off-by: Tibor Vass <tibor@docker.com>

$ git branch -r --contains fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
   origin/19.03

If Stefan's patch is accepted, please ignore this one.

//Hongxu

> What about stable branches? can this be reused for any of them?

I am afraid it exists on the master branch only.

jia@pek-lpg-core1-vm2:/buildarea1/hjia/community/moby$ git branch -r --contains a316b10dab79d9298b02c7930958ed52e0ccf4e4
   origin/HEAD -> origin/master
   origin/master




> - armin
>> Bruce
>>
>>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>> ---
>>>   recipes-containers/docker/docker_git.bb            |  1 +
>>>   ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50 ++++++++++++++++++++++
>>>   2 files changed, 51 insertions(+)
>>>   create mode 100644 recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>
>>> diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
>>> index e45f87e..e993017 100644
>>> --- a/recipes-containers/docker/docker_git.bb
>>> +++ b/recipes-containers/docker/docker_git.bb
>>> @@ -45,6 +45,7 @@ SRC_URI = "\
>>>          file://docker.init \
>>>          file://0001-libnetwork-use-GO-instead-of-go.patch \
>>>          file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
>>> +       file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
>>>          "
>>>
>>>   require docker.inc
>>> diff --git a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>> new file mode 100644
>>> index 0000000..67ddd49
>>> --- /dev/null
>>> +++ b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>> @@ -0,0 +1,50 @@
>>> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
>>> +From: Justin Cormack <justin.cormack@docker.com>
>>> +Date: Thu, 25 Jul 2019 15:24:39 +0100
>>> +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
>>> + libraries are loaded in the host environment not in the chroot from untrusted
>>> + files.
>>> +
>>> +See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>>> +
>>> +Signed-off-by: Justin Cormack <justin.cormack@docker.com>
>>> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
>>> +Signed-off-by: Tibor Vass <tibor@docker.com>
>>> +
>>> +CVE: CVE-2019-14271
>>> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
>>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>> +---
>>> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
>>> + 1 file changed, 9 insertions(+)
>>> +
>>> +diff --git a/src/import/pkg/chrootarchive/archive.go b/src/import/pkg/chrootarchive/archive.go
>>> +index 6ff61e6..83ed0c6 100644
>>> +--- a/src/import/pkg/chrootarchive/archive.go
>>> ++++ b/src/import/pkg/chrootarchive/archive.go
>>> +@@ -4,13 +4,22 @@ import (
>>> +       "fmt"
>>> +       "io"
>>> +       "io/ioutil"
>>> ++      "net"
>>> +       "os"
>>> ++      "os/user"
>>> +       "path/filepath"
>>> +
>>> +       "github.com/docker/docker/pkg/archive"
>>> +       "github.com/docker/docker/pkg/idtools"
>>> + )
>>> +
>>> ++func init() {
>>> ++      // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
>>> ++      // environment not in the chroot from untrusted files.
>>> ++      _, _ = user.Lookup("docker")
>>> ++      _, _ = net.LookupHost("localhost")
>>> ++}
>>> ++
>>> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
>>> + func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
>>> +       if idMapping == nil {
>>> +--
>>> +2.8.1
>>> +
>>> --
>>> 2.8.1
>>>
>




* Re: [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc
  2019-09-04  2:02     ` Hongxu Jia
@ 2019-09-04  2:44       ` akuster808
  2019-09-26 14:34       ` Bruce Ashfield
  1 sibling, 0 replies; 6+ messages in thread
From: akuster808 @ 2019-09-04  2:44 UTC
  To: Hongxu Jia, akuster808, Bruce Ashfield; +Cc: meta-virtualization



On 9/3/19 7:02 PM, Hongxu Jia wrote:
> On 9/4/19 2:28 AM, akuster808 wrote:
>>
>> On 9/3/19 10:40 AM, Bruce Ashfield wrote:
>>> On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia@windriver.com>
>>> wrote:
>>>> Backport a patch from upstream to fix CVE-2019-14271
>>> Given the docker version bumps that Stefan posted earlier, is this
>>> still required ?
> In Stefan upgraded patch earlier, it switched from moby:master to
> engine:19.03,
>
> I found the upgraded version contains the patch
>
> commit fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
> Author: Justin Cormack <justin.cormack@docker.com>
> Date:   Thu Jul 25 15:24:39 2019 +0100
>
>     Initialize nss libraries in Glibc so that the dynamic libraries
> are loaded in the host
>     environment not in the chroot from untrusted files.
>
>     See also OpenVZ
> https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>
>     Signed-off-by: Justin Cormack <justin.cormack@docker.com>
>     (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
>     Signed-off-by: Tibor Vass <tibor@docker.com>
>
> $ git branch -r --contains fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
>   origin/19.03
>
> If Stefan's patch is accepted, please ignore this one
>
> //Hongxu
>
>> What about stable branches? can this be reused for any of them?
>
> I am afraid it exists on master branch only
OK. Thanks for checking.

- armin
>
> jia@pek-lpg-core1-vm2:/buildarea1/hjia/community/moby$ git branch -r
> --contains a316b10dab79d9298b02c7930958ed52e0ccf4e4
>   origin/HEAD -> origin/master
>   origin/master
>
>
>
>
>> - armin
>>> Bruce
>>>
>>>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>>> ---
>>>>   recipes-containers/docker/docker_git.bb            |  1 +
>>>>   ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50
>>>> ++++++++++++++++++++++
>>>>   2 files changed, 51 insertions(+)
>>>>   create mode 100644
>>>> recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>>
>>>> diff --git a/recipes-containers/docker/docker_git.bb
>>>> b/recipes-containers/docker/docker_git.bb
>>>> index e45f87e..e993017 100644
>>>> --- a/recipes-containers/docker/docker_git.bb
>>>> +++ b/recipes-containers/docker/docker_git.bb
>>>> @@ -45,6 +45,7 @@ SRC_URI = "\
>>>>          file://docker.init \
>>>>          file://0001-libnetwork-use-GO-instead-of-go.patch \
>>>>          file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
>>>> +      
>>>> file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>> \
>>>>          "
>>>>
>>>>   require docker.inc
>>>> diff --git
>>>> a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>> b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>>
>>>> new file mode 100644
>>>> index 0000000..67ddd49
>>>> --- /dev/null
>>>> +++
>>>> b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
>>>> @@ -0,0 +1,50 @@
>>>> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00
>>>> 2001
>>>> +From: Justin Cormack <justin.cormack@docker.com>
>>>> +Date: Thu, 25 Jul 2019 15:24:39 +0100
>>>> +Subject: [PATCH] Initialize nss libraries in Glibc so that the
>>>> dynamic
>>>> + libraries are loaded in the host environment not in the chroot
>>>> from untrusted
>>>> + files.
>>>> +
>>>> +See also OpenVZ
>>>> https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>>>> +
>>>> +Signed-off-by: Justin Cormack <justin.cormack@docker.com>
>>>> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
>>>> +Signed-off-by: Tibor Vass <tibor@docker.com>
>>>> +
>>>> +CVE: CVE-2019-14271
>>>> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
>>>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
>>>> +---
>>>> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
>>>> + 1 file changed, 9 insertions(+)
>>>> +
>>>> +diff --git a/src/import/pkg/chrootarchive/archive.go
>>>> b/src/import/pkg/chrootarchive/archive.go
>>>> +index 6ff61e6..83ed0c6 100644
>>>> +--- a/src/import/pkg/chrootarchive/archive.go
>>>> ++++ b/src/import/pkg/chrootarchive/archive.go
>>>> +@@ -4,13 +4,22 @@ import (
>>>> +       "fmt"
>>>> +       "io"
>>>> +       "io/ioutil"
>>>> ++      "net"
>>>> +       "os"
>>>> ++      "os/user"
>>>> +       "path/filepath"
>>>> +
>>>> +       "github.com/docker/docker/pkg/archive"
>>>> +       "github.com/docker/docker/pkg/idtools"
>>>> + )
>>>> +
>>>> ++func init() {
>>>> ++      // initialize nss libraries in Glibc so that the dynamic
>>>> libraries are loaded in the host
>>>> ++      // environment not in the chroot from untrusted files.
>>>> ++      _, _ = user.Lookup("docker")
>>>> ++      _, _ = net.LookupHost("localhost")
>>>> ++}
>>>> ++
>>>> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
>>>> + func NewArchiver(idMapping *idtools.IdentityMapping)
>>>> *archive.Archiver {
>>>> +       if idMapping == nil {
>>>> +--
>>>> +2.8.1
>>>> +
>>>> -- 
>>>> 2.8.1
>>>>
>>
>




* Re: [PATCH] docker: Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc
  2019-09-04  2:02     ` Hongxu Jia
  2019-09-04  2:44       ` akuster808
@ 2019-09-26 14:34       ` Bruce Ashfield
  1 sibling, 0 replies; 6+ messages in thread
From: Bruce Ashfield @ 2019-09-26 14:34 UTC
  To: Hongxu Jia; +Cc: meta-virtualization


On Tue, Sep 3, 2019 at 10:03 PM Hongxu Jia <hongxu.jia@windriver.com> wrote:

> On 9/4/19 2:28 AM, akuster808 wrote:
> >
> > On 9/3/19 10:40 AM, Bruce Ashfield wrote:
> >> On Tue, Sep 3, 2019 at 4:02 AM Hongxu Jia <hongxu.jia@windriver.com>
> wrote:
> >>> Backport a patch from upstream to fix CVE-2019-14271
> >> Given the docker version bumps that Stefan posted earlier, is this
> >> still required ?
> In Stefan upgraded patch earlier, it switched from moby:master to
> engine:19.03,
>
> I found the upgraded version contains the patch
>
> commit fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
> Author: Justin Cormack <justin.cormack@docker.com>
> Date:   Thu Jul 25 15:24:39 2019 +0100
>
>      Initialize nss libraries in Glibc so that the dynamic libraries are
> loaded in the host
>      environment not in the chroot from untrusted files.
>
>      See also OpenVZ
>
> https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
>
>      Signed-off-by: Justin Cormack <justin.cormack@docker.com>
>      (cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
>      Signed-off-by: Tibor Vass <tibor@docker.com>
>
> $ git branch -r --contains fa8dd90ceb7bcb9d554d27e0b9087ab83e54bd2b
>    origin/19.03
>
> If Stefan's patch is accepted, please ignore this one
>
> //Hongxu
>
> > What about stable branches? can this be reused for any of them?
>
> I am afraid it exists on master branch only
>
> jia@pek-lpg-core1-vm2:/buildarea1/hjia/community/moby$ git branch -r
> --contains a316b10dab79d9298b02c7930958ed52e0ccf4e4
>    origin/HEAD -> origin/master
>    origin/master
>
>
>
FYI: I just pushed changes to master that should address this (and the
other docker uprevs that were pending).

Bruce



>
>
> > - armin
> >> Bruce
> >>
> >>> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> >>> ---
> >>>   recipes-containers/docker/docker_git.bb            |  1 +
> >>>   ...nss-libraries-in-Glibc-so-that-the-dynami.patch | 50
> ++++++++++++++++++++++
> >>>   2 files changed, 51 insertions(+)
> >>>   create mode 100644
> recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> >>>
> >>> diff --git a/recipes-containers/docker/docker_git.bb
> b/recipes-containers/docker/docker_git.bb
> >>> index e45f87e..e993017 100644
> >>> --- a/recipes-containers/docker/docker_git.bb
> >>> +++ b/recipes-containers/docker/docker_git.bb
> >>> @@ -45,6 +45,7 @@ SRC_URI = "\
> >>>          file://docker.init \
> >>>          file://0001-libnetwork-use-GO-instead-of-go.patch \
> >>>          file://0001-imporve-hardcoded-CC-on-cross-compile.patch \
> >>> +
>  file://0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch \
> >>>          "
> >>>
> >>>   require docker.inc
> >>> diff --git
> a/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> >>> new file mode 100644
> >>> index 0000000..67ddd49
> >>> --- /dev/null
> >>> +++
> b/recipes-containers/docker/files/0001-Initialize-nss-libraries-in-Glibc-so-that-the-dynami.patch
> >>> @@ -0,0 +1,50 @@
> >>> +From b688546c8e35ce48d02dd5adf156399b37590b26 Mon Sep 17 00:00:00 2001
> >>> +From: Justin Cormack <justin.cormack@docker.com>
> >>> +Date: Thu, 25 Jul 2019 15:24:39 +0100
> >>> +Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
> >>> + libraries are loaded in the host environment not in the chroot from
> untrusted
> >>> + files.
> >>> +
> >>> +See also OpenVZ
> https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
> >>> +
> >>> +Signed-off-by: Justin Cormack <justin.cormack@docker.com>
> >>> +(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
> >>> +Signed-off-by: Tibor Vass <tibor@docker.com>
> >>> +
> >>> +CVE: CVE-2019-14271
> >>> +Upstream-Status: Backport [a316b10dab79d9298b02c7930958ed52e0ccf4e4]
> >>> +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> >>> +---
> >>> + src/import/pkg/chrootarchive/archive.go | 9 +++++++++
> >>> + 1 file changed, 9 insertions(+)
> >>> +
> >>> +diff --git a/src/import/pkg/chrootarchive/archive.go
> b/src/import/pkg/chrootarchive/archive.go
> >>> +index 6ff61e6..83ed0c6 100644
> >>> +--- a/src/import/pkg/chrootarchive/archive.go
> >>> ++++ b/src/import/pkg/chrootarchive/archive.go
> >>> +@@ -4,13 +4,22 @@ import (
> >>> +       "fmt"
> >>> +       "io"
> >>> +       "io/ioutil"
> >>> ++      "net"
> >>> +       "os"
> >>> ++      "os/user"
> >>> +       "path/filepath"
> >>> +
> >>> +       "github.com/docker/docker/pkg/archive"
> >>> +       "github.com/docker/docker/pkg/idtools"
> >>> + )
> >>> +
> >>> ++func init() {
> >>> ++      // initialize nss libraries in Glibc so that the dynamic
> libraries are loaded in the host
> >>> ++      // environment not in the chroot from untrusted files.
> >>> ++      _, _ = user.Lookup("docker")
> >>> ++      _, _ = net.LookupHost("localhost")
> >>> ++}
> >>> ++
> >>> + // NewArchiver returns a new Archiver which uses chrootarchive.Untar
> >>> + func NewArchiver(idMapping *idtools.IdentityMapping)
> *archive.Archiver {
> >>> +       if idMapping == nil {
> >>> +--
> >>> +2.8.1
> >>> +
> >>> --
> >>> 2.8.1
> >>>
> >
>
>

-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II


