Files
docker-stable/0026-CVE-2026-41567-daemon-Decompress-archives-before-ent.patch
dirkmueller b4f2cbcbf8 - grpc: enforce strict path checking for incoming requests on the server
Backport of <grpc/grpc-go@72186f1>
  (bsc#1260279, CVE-2026-33186)
  * 0023-CVE-2026-33186-grpc-enforce-strict-path-checking-for.patch
- http2: prevent hanging Transport due to bad SETTINGS
  Backport of <golang/net@1e71bd8>
  (bsc#1265782, CVE-2026-33814)
  * 0024-CVE-2026-33814-http2-prevent-hanging-Transport-due-t.patch
- idna: update from x/text, fix ToUnicode and all-ASCII xn-- labels
  Backport of <golang/net@8c4c965#diff-6b95b04ab0c83612198e99ffb2f4411f899daf14b618d907bcff2196a9af8e6b>
  * 0025-CVE-2026-39821-idna-update-from-x-text-fix-ToUnicode.patch
- daemon: Decompress archives before entering container filesystem
  Backport of <<moby@2022313>
  (bsc#1267827, CVE-2026-41567)
  * 0026-CVE-2026-41567-daemon-Decompress-archives-before-ent.patch

- fix for Privilege validation bypass during plugin
  Backport of <https://github.com/moby/moby/commit/99a095ecf04e8849318f2811bb3f687905eab09b>
  (bsc#1265907, CVE-2026-33997)
  * 0021-CVE-2026-33997-fix-for-Privilege-validation-bypass-d.patch
- fix for Authz zero length regression
  Backport of <https://github.com/moby/moby/commit/e89edb19ad7de0407a5d31e3111cb01aa10b5a38>
  (bsc#1265929, CVE-2026-34040)
  * 0022-CVE-2026-34040-fix-for-Authz-zero-length-regression.patch 

- executor: validate container IDs centrally
  Backport of <https://github.com/moby/buildkit/commit/45b038cd0b2ec2d34013ce0f085522276f7ee0d8>. 
  (bsc#1261078, CVE-2026-33748)
  * 0019-CVE-2026-33748-Fix-git-normalize-and-validate-subdir.patch
- git: normalize and validate subdir paths

OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker-stable?expand=0&rev=44
2026-06-20 15:43:44 +00:00

90 lines
3.5 KiB
Diff

From 7a43405a79537f803ce747551fee457fbda11475 Mon Sep 17 00:00:00 2001
From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
Date: Tue, 9 Jun 2026 15:40:00 +0530
Subject: [PATCH 4/4] CVE-2026-41567: daemon: Decompress archives before
entering container filesystem --
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
CVE-2026-41567
Moby is an open source container framework. In versions prior to 29.5.1
and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive
is uploaded to a container via `PUT /containers/{id}/archive` or piped
through `docker cp -`, the daemon resolves decompression binaries
(such as `xz` or `unpigz`) from the container's filesystem rather than
the host's due to incorrect ordering of operations. A malicious
container image containing a trojanized decompression binary can
achieve arbitrary code execution with full daemon privileges, including
host root UID and unrestricted capabilities, when a user uploads a
compressed (xz or gzip) archive into that container. This issue is
fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds
include only running containers from trusted images, using
authorization plugins to restrict access to the
`PUT /containers/{id}/archive` endpoint, and avoiding piping compressed
archives into containers created from untrusted images
Fix: daemon: Decompress archives before entering container filesystem
Move decompression outside RunInFS to prevent executing
attacker-controlled binaries from within the container filesystem.
When dockerd handles `PUT /containers/{id}/archive`, it switches root
into the container's filesystem before extracting the archive.
Previously, archive.Untar was called inside RunInFS, which meant
decompression binaries (xz, unpigz) were resolved via PATH inside the
container's filesystem. A malicious binary at /usr/bin/xz in the
container would be executed as host root.
Fix by calling decompressing the archive before entering the container
filesystem, then using unpacking the uncompressed tar stream inside
RunInFS.
This ensures decompression binaries are always resolved from the host
filesystem.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Fixes bsc#1267827
Fixes CVE-2026-41567
Backport of
<https://github.com/moby/moby/commit/2022313ffe5a8c04890b5295bc52670ee6df8070?
Ref: https://github.com/moby/moby/commit/06224f7ad000fda8de7939ea08aa61ad9814ee63
Ref: https://github.com/advisories/GHSA-x86f-5xw2-fm2r
---
daemon/archive_unix.go | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/daemon/archive_unix.go b/daemon/archive_unix.go
index 3098dbeadf..155a7d2968 100644
--- a/daemon/archive_unix.go
+++ b/daemon/archive_unix.go
@@ -101,6 +101,15 @@ func (daemon *Daemon) containerExtractToDir(container *container.Container, path
container.Lock()
defer container.Unlock()
+ // Decompress the archive before switching into the container's
+ // filesystem to avoid executing decompression binaries (xz, unpigz)
+ // that may have been placed inside the container image.
+ decompressed, err := archive.DecompressStream(content)
+ if err != nil {
+ return err
+ }
+ defer decompressed.Close()
+
cfs, err := daemon.openContainerFS(container)
if err != nil {
return err
@@ -150,7 +159,7 @@ func (daemon *Daemon) containerExtractToDir(container *container.Container, path
}
}
- return archive.Untar(content, absPath, options)
+ return archive.UntarUncompressed(decompressed, absPath, options)
})
if err != nil {
return err
--
2.54.0