b4f2cbcbf8
Backport of <grpc/grpc-go@72186f1> (bsc#1260279, CVE-2026-33186) * 0023-CVE-2026-33186-grpc-enforce-strict-path-checking-for.patch - http2: prevent hanging Transport due to bad SETTINGS Backport of <golang/net@1e71bd8> (bsc#1265782, CVE-2026-33814) * 0024-CVE-2026-33814-http2-prevent-hanging-Transport-due-t.patch - idna: update from x/text, fix ToUnicode and all-ASCII xn-- labels Backport of <golang/net@8c4c965#diff-6b95b04ab0c83612198e99ffb2f4411f899daf14b618d907bcff2196a9af8e6b> * 0025-CVE-2026-39821-idna-update-from-x-text-fix-ToUnicode.patch - daemon: Decompress archives before entering container filesystem Backport of <<moby@2022313> (bsc#1267827, CVE-2026-41567) * 0026-CVE-2026-41567-daemon-Decompress-archives-before-ent.patch - fix for Privilege validation bypass during plugin Backport of <https://github.com/moby/moby/commit/99a095ecf04e8849318f2811bb3f687905eab09b> (bsc#1265907, CVE-2026-33997) * 0021-CVE-2026-33997-fix-for-Privilege-validation-bypass-d.patch - fix for Authz zero length regression Backport of <https://github.com/moby/moby/commit/e89edb19ad7de0407a5d31e3111cb01aa10b5a38> (bsc#1265929, CVE-2026-34040) * 0022-CVE-2026-34040-fix-for-Authz-zero-length-regression.patch - executor: validate container IDs centrally Backport of <https://github.com/moby/buildkit/commit/45b038cd0b2ec2d34013ce0f085522276f7ee0d8>. (bsc#1261078, CVE-2026-33748) * 0019-CVE-2026-33748-Fix-git-normalize-and-validate-subdir.patch - git: normalize and validate subdir paths OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker-stable?expand=0&rev=44
90 lines
3.5 KiB
Diff
90 lines
3.5 KiB
Diff
From 7a43405a79537f803ce747551fee457fbda11475 Mon Sep 17 00:00:00 2001
|
|
From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
|
|
Date: Tue, 9 Jun 2026 15:40:00 +0530
|
|
Subject: [PATCH 4/4] CVE-2026-41567: daemon: Decompress archives before
|
|
entering container filesystem --
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
CVE-2026-41567
|
|
|
|
Moby is an open source container framework. In versions prior to 29.5.1
|
|
and in moby/moby v2 prior to v2.0.0-beta.14, when a compressed archive
|
|
is uploaded to a container via `PUT /containers/{id}/archive` or piped
|
|
through `docker cp -`, the daemon resolves decompression binaries
|
|
(such as `xz` or `unpigz`) from the container's filesystem rather than
|
|
the host's due to incorrect ordering of operations. A malicious
|
|
container image containing a trojanized decompression binary can
|
|
achieve arbitrary code execution with full daemon privileges, including
|
|
host root UID and unrestricted capabilities, when a user uploads a
|
|
compressed (xz or gzip) archive into that container. This issue is
|
|
fixed in Docker Engine 29.5.1 and moby/moby v2.0.0-beta.14. Workarounds
|
|
include only running containers from trusted images, using
|
|
authorization plugins to restrict access to the
|
|
`PUT /containers/{id}/archive` endpoint, and avoiding piping compressed
|
|
archives into containers created from untrusted images
|
|
|
|
Fix: daemon: Decompress archives before entering container filesystem
|
|
Move decompression outside RunInFS to prevent executing
|
|
attacker-controlled binaries from within the container filesystem.
|
|
|
|
When dockerd handles `PUT /containers/{id}/archive`, it switches root
|
|
into the container's filesystem before extracting the archive.
|
|
Previously, archive.Untar was called inside RunInFS, which meant
|
|
decompression binaries (xz, unpigz) were resolved via PATH inside the
|
|
container's filesystem. A malicious binary at /usr/bin/xz in the
|
|
container would be executed as host root.
|
|
|
|
Fix by calling decompressing the archive before entering the container
|
|
filesystem, then using unpacking the uncompressed tar stream inside
|
|
RunInFS.
|
|
This ensures decompression binaries are always resolved from the host
|
|
filesystem.
|
|
|
|
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
|
|
|
|
Fixes bsc#1267827
|
|
Fixes CVE-2026-41567
|
|
Backport of
|
|
<https://github.com/moby/moby/commit/2022313ffe5a8c04890b5295bc52670ee6df8070?
|
|
|
|
Ref: https://github.com/moby/moby/commit/06224f7ad000fda8de7939ea08aa61ad9814ee63
|
|
Ref: https://github.com/advisories/GHSA-x86f-5xw2-fm2r
|
|
---
|
|
daemon/archive_unix.go | 11 ++++++++++-
|
|
1 file changed, 10 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/daemon/archive_unix.go b/daemon/archive_unix.go
|
|
index 3098dbeadf..155a7d2968 100644
|
|
--- a/daemon/archive_unix.go
|
|
+++ b/daemon/archive_unix.go
|
|
@@ -101,6 +101,15 @@ func (daemon *Daemon) containerExtractToDir(container *container.Container, path
|
|
container.Lock()
|
|
defer container.Unlock()
|
|
|
|
+ // Decompress the archive before switching into the container's
|
|
+ // filesystem to avoid executing decompression binaries (xz, unpigz)
|
|
+ // that may have been placed inside the container image.
|
|
+ decompressed, err := archive.DecompressStream(content)
|
|
+ if err != nil {
|
|
+ return err
|
|
+ }
|
|
+ defer decompressed.Close()
|
|
+
|
|
cfs, err := daemon.openContainerFS(container)
|
|
if err != nil {
|
|
return err
|
|
@@ -150,7 +159,7 @@ func (daemon *Daemon) containerExtractToDir(container *container.Container, path
|
|
}
|
|
}
|
|
|
|
- return archive.Untar(content, absPath, options)
|
|
+ return archive.UntarUncompressed(decompressed, absPath, options)
|
|
})
|
|
if err != nil {
|
|
return err
|
|
--
|
|
2.54.0
|
|
|