Accepting request 402450 from Virtualization:containers

Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/402450 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=35
2016-06-19 08:49:28 +00:00 · 2016-06-19 08:49:28 +00:00 · 1645c6d99a
commit 1645c6d99a
parent 2175f52e62 f650820282
6 changed files with 36 additions and 329 deletions
--- a/4
+++ b/4
@ -3,8 +3,8 @@
    <param name="url">https://github.com/docker/docker.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">1.11.1</param>
+    <param name="versionformat">1.11.2</param>
-    <param name="revision">v1.11.1</param>
+    <param name="revision">v1.11.2</param>
  </service>
  <service name="recompress" mode="disabled">
    <param name="file">docker-*.tar</param>
--- a/cve-2016-3697-numeric-uid.patch
+++ b/cve-2016-3697-numeric-uid.patch
@ -1,316 +0,0 @@
 From d67c0bf0caf26358f5345d6c0ac039026c46bd1e Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 22 Apr 2016 20:36:43 +1000
 Subject: [PATCH] libcontainer: user: always treat numeric ids numerically
 Most shadow-related tools don't treat numeric ids as potential
 usernames, so change our behaviour to match that. Previously, using an
 explicit specification like 111:222 could result in the UID and GID not
 being 111 and 222 respectively (which is confusing).
 Some of the code was quite confusing inside libcontainer/user, so
 refactor and comment it so future maintainers can understand what's
 going and what edge cases we have to deal with.
 This fixes CVE-2016-3697.
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
 .../runc/libcontainer/user/lookup.go               |   3 +
 .../opencontainers/runc/libcontainer/user/user.go  | 149 ++++++++++++---------
 2 files changed, 89 insertions(+), 63 deletions(-)
 diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go b/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go
 index 6f8a982..7062940 100644
 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go
 +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go
@@ -9,6 +9,9 @@ import (
 var (
 	// The current operating system does not provide the required data for user lookups.
 	ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data")
 +	// No matching entries found in file.
 +	ErrNoPasswdEntries = errors.New("no matching entries in passwd file")
 +	ErrNoGroupEntries  = errors.New("no matching entries in group file")
 )
 func lookupUser(filter func(u User) bool) (User, error) {
 diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go
 index e6375ea..43fd39e 100644
 --- a/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go
 +++ b/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go
@@ -15,7 +15,7 @@ const (
 )
 var (
 -	ErrRange = fmt.Errorf("Uids and gids must be in range %d-%d", minId, maxId)
 +	ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId)
 )
 type User struct {
@@ -42,29 +42,30 @@ func parseLine(line string, v ...interface{}) {
 	parts := strings.Split(line, ":")
 	for i, p := range parts {
 +		// Ignore cases where we don't have enough fields to populate the arguments.
 +		// Some configuration files like to misbehave.
 		if len(v) <= i {
 -			// if we have more "parts" than we have places to put them, bail for great "tolerance" of naughty configuration files
 			break
 		}
 +		// Use the type of the argument to figure out how to parse it, scanf() style.
 +		// This is legit.
 		switch e := v[i].(type) {
 		case *string:
 -			// "root", "adm", "/bin/bash"
 			*e = p
 		case *int:
 -			// "0", "4", "1000"
 -			// ignore string to int conversion errors, for great "tolerance" of naughty configuration files
 +			// "numbers", with conversion errors ignored because of some misbehaving configuration files.
 			*e, _ = strconv.Atoi(p)
 		case *[]string:
 -			// "", "root", "root,adm,daemon"
 +			// Comma-separated lists.
 			if p != "" {
 				*e = strings.Split(p, ",")
 			} else {
 				*e = []string{}
 			}
 		default:
 -			// panic, because this is a programming/logic error, not a runtime one
 -			panic("parseLine expects only pointers!  argument " + strconv.Itoa(i) + " is not a pointer!")
 +			// Someone goof'd when writing code using this function. Scream so they can hear us.
 +			panic(fmt.Sprintf("parseLine only accepts {*string, *int, *[]string} as arguments! %#v is not a pointer!", e))
 		}
 	}
 }
@@ -106,8 +107,8 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
 			return nil, err
 		}
 -		text := strings.TrimSpace(s.Text())
 -		if text == "" {
 +		line := strings.TrimSpace(s.Text())
 +		if line == "" {
 			continue
 		}
@@ -117,10 +118,7 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
 		//  root:x:0:0:root:/root:/bin/bash
 		//  adm:x:3:4:adm:/var/adm:/bin/false
 		p := User{}
 -		parseLine(
 -			text,
 -			&p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell,
 -		)
 +		parseLine(line, &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell)
 		if filter == nil || filter(p) {
 			out = append(out, p)
@@ -135,6 +133,7 @@ func ParseGroupFile(path string) ([]Group, error) {
 	if err != nil {
 		return nil, err
 	}
 +
 	defer group.Close()
 	return ParseGroup(group)
 }
@@ -178,10 +177,7 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
 		//  root:x:0:root
 		//  adm:x:4:root,adm,daemon
 		p := Group{}
 -		parseLine(
 -			text,
 -			&p.Name, &p.Pass, &p.Gid, &p.List,
 -		)
 +		parseLine(text, &p.Name, &p.Pass, &p.Gid, &p.List)
 		if filter == nil || filter(p) {
 			out = append(out, p)
@@ -192,9 +188,10 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
 }
 type ExecUser struct {
 -	Uid, Gid int
 -	Sgids    []int
 -	Home     string
 +	Uid   int
 +	Gid   int
 +	Sgids []int
 +	Home  string
 }
 // GetExecUserPath is a wrapper for GetExecUser. It reads data from each of the
@@ -235,12 +232,12 @@ func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath
 //     * "uid:gid
 //     * "user:gid"
 //     * "uid:group"
 +//
 +// It should be noted that if you specify a numeric user or group id, they will
 +// not be evaluated as usernames (only the metadata will be filled). So attempting
 +// to parse a user with user.Name = "1337" will produce the user with a UID of
 +// 1337.
 func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (*ExecUser, error) {
 -	var (
 -		userArg, groupArg string
 -		name              string
 -	)
 -
 	if defaults == nil {
 		defaults = new(ExecUser)
 	}
@@ -258,87 +255,113 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (
 		user.Sgids = []int{}
 	}
 -	// allow for userArg to have either "user" syntax, or optionally "user:group" syntax
 +	// Allow for userArg to have either "user" syntax, or optionally "user:group" syntax
 +	var userArg, groupArg string
 	parseLine(userSpec, &userArg, &groupArg)
 +	// Convert userArg and groupArg to be numeric, so we don't have to execute
 +	// Atoi *twice* for each iteration over lines.
 +	uidArg, uidErr := strconv.Atoi(userArg)
 +	gidArg, gidErr := strconv.Atoi(groupArg)
 +
 +	// Find the matching user.
 	users, err := ParsePasswdFilter(passwd, func(u User) bool {
 		if userArg == "" {
 +			// Default to current state of the user.
 			return u.Uid == user.Uid
 		}
 -		return u.Name == userArg || strconv.Itoa(u.Uid) == userArg
 +
 +		if uidErr == nil {
 +			// If the userArg is numeric, always treat it as a UID.
 +			return uidArg == u.Uid
 +		}
 +
 +		return u.Name == userArg
 	})
 +
 +	// If we can't find the user, we have to bail.
 	if err != nil && passwd != nil {
 		if userArg == "" {
 			userArg = strconv.Itoa(user.Uid)
 		}
 -		return nil, fmt.Errorf("Unable to find user %v: %v", userArg, err)
 +		return nil, fmt.Errorf("unable to find user %s: %v", userArg, err)
 	}
 -	haveUser := users != nil && len(users) > 0
 -	if haveUser {
 -		// if we found any user entries that matched our filter, let's take the first one as "correct"
 -		name = users[0].Name
 +	var matchedUserName string
 +	if len(users) > 0 {
 +		// First match wins, even if there's more than one matching entry.
 +		matchedUserName = users[0].Name
 		user.Uid = users[0].Uid
 		user.Gid = users[0].Gid
 		user.Home = users[0].Home
 	} else if userArg != "" {
 -		// we asked for a user but didn't find them...  let's check to see if we wanted a numeric user
 -		user.Uid, err = strconv.Atoi(userArg)
 -		if err != nil {
 -			// not numeric - we have to bail
 -			return nil, fmt.Errorf("Unable to find user %v", userArg)
 +		// If we can't find a user with the given username, the only other valid
 +		// option is if it's a numeric username with no associated entry in passwd.
 +
 +		if uidErr != nil {
 +			// Not numeric.
 +			return nil, fmt.Errorf("unable to find user %s: %v", userArg, ErrNoPasswdEntries)
 		}
 +		user.Uid = uidArg
 		// Must be inside valid uid range.
 		if user.Uid < minId || user.Uid > maxId {
 			return nil, ErrRange
 		}
 -		// if userArg couldn't be found in /etc/passwd but is numeric, just roll with it - this is legit
 +		// Okay, so it's numeric. We can just roll with this.
 	}
 -	if groupArg != "" || name != "" {
 +	// On to the groups. If we matched a username, we need to do this because of
 +	// the supplementary group IDs.
 +	if groupArg != "" || matchedUserName != "" {
 		groups, err := ParseGroupFilter(group, func(g Group) bool {
 -			// Explicit group format takes precedence.
 -			if groupArg != "" {
 -				return g.Name == groupArg || strconv.Itoa(g.Gid) == groupArg
 +			// If the group argument isn't explicit, we'll just search for it.
 +			if groupArg == "" {
 +				// Check if user is a member of this group.
 +				for _, u := range g.List {
 +					if u == matchedUserName {
 +						return true
 +					}
 +				}
 +				return false
 			}
 -			// Check if user is a member.
 -			for _, u := range g.List {
 -				if u == name {
 -					return true
 -				}
 +			if gidErr == nil {
 +				// If the groupArg is numeric, always treat it as a GID.
 +				return gidArg == g.Gid
 			}
 -			return false
 +			return g.Name == groupArg
 		})
 		if err != nil && group != nil {
 -			return nil, fmt.Errorf("Unable to find groups for user %v: %v", users[0].Name, err)
 +			return nil, fmt.Errorf("unable to find groups for spec %v: %v", matchedUserName, err)
 		}
 -		haveGroup := groups != nil && len(groups) > 0
 +		// Only start modifying user.Gid if it is in explicit form.
 		if groupArg != "" {
 -			if haveGroup {
 -				// if we found any group entries that matched our filter, let's take the first one as "correct"
 +			if len(groups) > 0 {
 +				// First match wins, even if there's more than one matching entry.
 				user.Gid = groups[0].Gid
 -			} else {
 -				// we asked for a group but didn't find id...  let's check to see if we wanted a numeric group
 -				user.Gid, err = strconv.Atoi(groupArg)
 -				if err != nil {
 -					// not numeric - we have to bail
 -					return nil, fmt.Errorf("Unable to find group %v", groupArg)
 +			} else if groupArg != "" {
 +				// If we can't find a group with the given name, the only other valid
 +				// option is if it's a numeric group name with no associated entry in group.
 +
 +				if gidErr != nil {
 +					// Not numeric.
 +					return nil, fmt.Errorf("unable to find group %s: %v", groupArg, ErrNoGroupEntries)
 				}
 +				user.Gid = gidArg
 -				// Ensure gid is inside gid range.
 +				// Must be inside valid gid range.
 				if user.Gid < minId || user.Gid > maxId {
 					return nil, ErrRange
 				}
 -				// if groupArg couldn't be found in /etc/group but is numeric, just roll with it - this is legit
 +				// Okay, so it's numeric. We can just roll with this.
 			}
 -		} else if haveGroup {
 -			// If implicit group format, fill supplementary gids.
 +		} else if len(groups) > 0 {
 +			// Supplementary group ids only make sense if in the implicit form.
 			user.Sgids = make([]int, len(groups))
 			for i, group := range groups {
 				user.Sgids[i] = group.Gid
 -- 
 2.8.1
--- a/docker-1.11.1.tar.xz
+++ b/docker-1.11.1.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:d36c5f677ea5ddb77b25552509217674cd18a526f1e86202befb69fa1f9a242f
 size 8794588
--- a/docker-1.11.2.tar.xz
+++ b/docker-1.11.2.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:279ade8e90c40e4a9b10fe570313aef0672b9ee3858d6ce78295ee448775db34
 size 8797368
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,31 @@
 -------------------------------------------------------------------
 Wed Jun  8 14:42:08 UTC 2016 - asarai@suse.de
 * Removed patches:
  - cve-2016-3697-numeric-uid.patch (merged upstream in gh@docker/docker#22998).
 * Update Docker to 1.11.2. Changelog from upstream:
 * Networking
  * Fix a stale endpoint issue on overlay networks during ungraceful restart
    (#23015)
  * Fix an issue where the wrong port could be reported by docker
    inspect/ps/port (#22997)
 * Runtime
  * Fix a potential panic when running docker build (#23032)
  * Fix interpretation of --user parameter (#22998)
  * Fix a bug preventing container statistics to be correctly reported (#22955)
  * Fix an issue preventing container to be restarted after daemon restart
    (#22947)
  * Fix issues when running 32 bit binaries on Ubuntu 16.04 (#22922)
  * Fix a possible deadlock on image deletion and container attach (#22918)
  * Fix an issue where containers fail to start after a daemon restart if they
    depend on a containerized cluster store (#22561)
  * Fix an issue causing docker ps to hang on CentOS when using devicemapper
    (#22168, #23067)
  * Fix a bug preventing to docker exec into a container when using
    devicemapper (#22168, #23067)
 -------------------------------------------------------------------
 Fri May 20 10:26:39 UTC 2016 - jmassaguerpla@suse.com
--- a/docker.spec
+++ b/docker.spec
@ -22,10 +22,10 @@
 %define git_version 9e83765
 %define go_arches %ix86 x86_64 aarch64
-%define version_unconverted 1.11.1
+%define version_unconverted 1.11.2
 Name:           docker
-Version:        1.11.1
+Version:        1.11.2
 Release:        0
 Summary:        The Linux container runtime
 License:        Apache-2.0
@ -54,9 +54,6 @@ Patch200:       docker-mount-secrets.patch
 Patch101:       gcc-go-patches.patch
 Patch102:       netlink_gcc_go.patch
 Patch103:       netlink_netns_powerpc.patch
 # This fixes bsc#976777. While the fix is upstream, it isn't in Docker 1.10.3 or
 # Docker 1.11.0. This patch was squashed and cherry-picked from runc#708.
 Patch301:       cve-2016-3697-numeric-uid.patch
 # This fixes bnc#964673. This fix is in boltdb upstream, but has yet to be
 # merged into Docker (in a vendor commit). This patch was cherry-picked from
 # bolt#555.
@ -177,8 +174,6 @@ Test package for docker. It contains the source code and the tests.
 %patch102 -p1
 %patch103 -p1
 %endif
 # bsc#976777
 %patch301 -p1
 # bnc#964673
 %patch302 -p1
 cp %{SOURCE7} .