Accepting request 402450 from Virtualization:containers
Automatic submission by obs-autosubmit OBS-URL: https://build.opensuse.org/request/show/402450 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=35
This commit is contained in:
commit
1645c6d99a
4
_service
4
_service
@ -3,8 +3,8 @@
|
|||||||
<param name="url">https://github.com/docker/docker.git</param>
|
<param name="url">https://github.com/docker/docker.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="exclude">.git</param>
|
<param name="exclude">.git</param>
|
||||||
<param name="versionformat">1.11.1</param>
|
<param name="versionformat">1.11.2</param>
|
||||||
<param name="revision">v1.11.1</param>
|
<param name="revision">v1.11.2</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="recompress" mode="disabled">
|
<service name="recompress" mode="disabled">
|
||||||
<param name="file">docker-*.tar</param>
|
<param name="file">docker-*.tar</param>
|
||||||
|
@ -1,316 +0,0 @@
|
|||||||
From d67c0bf0caf26358f5345d6c0ac039026c46bd1e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
|
||||||
Date: Fri, 22 Apr 2016 20:36:43 +1000
|
|
||||||
Subject: [PATCH] libcontainer: user: always treat numeric ids numerically
|
|
||||||
|
|
||||||
Most shadow-related tools don't treat numeric ids as potential
|
|
||||||
usernames, so change our behaviour to match that. Previously, using an
|
|
||||||
explicit specification like 111:222 could result in the UID and GID not
|
|
||||||
being 111 and 222 respectively (which is confusing).
|
|
||||||
|
|
||||||
Some of the code was quite confusing inside libcontainer/user, so
|
|
||||||
refactor and comment it so future maintainers can understand what's
|
|
||||||
going and what edge cases we have to deal with.
|
|
||||||
|
|
||||||
This fixes CVE-2016-3697.
|
|
||||||
|
|
||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|
||||||
---
|
|
||||||
.../runc/libcontainer/user/lookup.go | 3 +
|
|
||||||
.../opencontainers/runc/libcontainer/user/user.go | 149 ++++++++++++---------
|
|
||||||
2 files changed, 89 insertions(+), 63 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go b/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go
|
|
||||||
index 6f8a982..7062940 100644
|
|
||||||
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go
|
|
||||||
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go
|
|
||||||
@@ -9,6 +9,9 @@ import (
|
|
||||||
var (
|
|
||||||
// The current operating system does not provide the required data for user lookups.
|
|
||||||
ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data")
|
|
||||||
+ // No matching entries found in file.
|
|
||||||
+ ErrNoPasswdEntries = errors.New("no matching entries in passwd file")
|
|
||||||
+ ErrNoGroupEntries = errors.New("no matching entries in group file")
|
|
||||||
)
|
|
||||||
|
|
||||||
func lookupUser(filter func(u User) bool) (User, error) {
|
|
||||||
diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go
|
|
||||||
index e6375ea..43fd39e 100644
|
|
||||||
--- a/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go
|
|
||||||
+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go
|
|
||||||
@@ -15,7 +15,7 @@ const (
|
|
||||||
)
|
|
||||||
|
|
||||||
var (
|
|
||||||
- ErrRange = fmt.Errorf("Uids and gids must be in range %d-%d", minId, maxId)
|
|
||||||
+ ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId)
|
|
||||||
)
|
|
||||||
|
|
||||||
type User struct {
|
|
||||||
@@ -42,29 +42,30 @@ func parseLine(line string, v ...interface{}) {
|
|
||||||
|
|
||||||
parts := strings.Split(line, ":")
|
|
||||||
for i, p := range parts {
|
|
||||||
+ // Ignore cases where we don't have enough fields to populate the arguments.
|
|
||||||
+ // Some configuration files like to misbehave.
|
|
||||||
if len(v) <= i {
|
|
||||||
- // if we have more "parts" than we have places to put them, bail for great "tolerance" of naughty configuration files
|
|
||||||
break
|
|
||||||
}
|
|
||||||
|
|
||||||
+ // Use the type of the argument to figure out how to parse it, scanf() style.
|
|
||||||
+ // This is legit.
|
|
||||||
switch e := v[i].(type) {
|
|
||||||
case *string:
|
|
||||||
- // "root", "adm", "/bin/bash"
|
|
||||||
*e = p
|
|
||||||
case *int:
|
|
||||||
- // "0", "4", "1000"
|
|
||||||
- // ignore string to int conversion errors, for great "tolerance" of naughty configuration files
|
|
||||||
+ // "numbers", with conversion errors ignored because of some misbehaving configuration files.
|
|
||||||
*e, _ = strconv.Atoi(p)
|
|
||||||
case *[]string:
|
|
||||||
- // "", "root", "root,adm,daemon"
|
|
||||||
+ // Comma-separated lists.
|
|
||||||
if p != "" {
|
|
||||||
*e = strings.Split(p, ",")
|
|
||||||
} else {
|
|
||||||
*e = []string{}
|
|
||||||
}
|
|
||||||
default:
|
|
||||||
- // panic, because this is a programming/logic error, not a runtime one
|
|
||||||
- panic("parseLine expects only pointers! argument " + strconv.Itoa(i) + " is not a pointer!")
|
|
||||||
+ // Someone goof'd when writing code using this function. Scream so they can hear us.
|
|
||||||
+ panic(fmt.Sprintf("parseLine only accepts {*string, *int, *[]string} as arguments! %#v is not a pointer!", e))
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -106,8 +107,8 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
- text := strings.TrimSpace(s.Text())
|
|
||||||
- if text == "" {
|
|
||||||
+ line := strings.TrimSpace(s.Text())
|
|
||||||
+ if line == "" {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -117,10 +118,7 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) {
|
|
||||||
// root:x:0:0:root:/root:/bin/bash
|
|
||||||
// adm:x:3:4:adm:/var/adm:/bin/false
|
|
||||||
p := User{}
|
|
||||||
- parseLine(
|
|
||||||
- text,
|
|
||||||
- &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell,
|
|
||||||
- )
|
|
||||||
+ parseLine(line, &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell)
|
|
||||||
|
|
||||||
if filter == nil || filter(p) {
|
|
||||||
out = append(out, p)
|
|
||||||
@@ -135,6 +133,7 @@ func ParseGroupFile(path string) ([]Group, error) {
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
+
|
|
||||||
defer group.Close()
|
|
||||||
return ParseGroup(group)
|
|
||||||
}
|
|
||||||
@@ -178,10 +177,7 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
|
|
||||||
// root:x:0:root
|
|
||||||
// adm:x:4:root,adm,daemon
|
|
||||||
p := Group{}
|
|
||||||
- parseLine(
|
|
||||||
- text,
|
|
||||||
- &p.Name, &p.Pass, &p.Gid, &p.List,
|
|
||||||
- )
|
|
||||||
+ parseLine(text, &p.Name, &p.Pass, &p.Gid, &p.List)
|
|
||||||
|
|
||||||
if filter == nil || filter(p) {
|
|
||||||
out = append(out, p)
|
|
||||||
@@ -192,9 +188,10 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) {
|
|
||||||
}
|
|
||||||
|
|
||||||
type ExecUser struct {
|
|
||||||
- Uid, Gid int
|
|
||||||
- Sgids []int
|
|
||||||
- Home string
|
|
||||||
+ Uid int
|
|
||||||
+ Gid int
|
|
||||||
+ Sgids []int
|
|
||||||
+ Home string
|
|
||||||
}
|
|
||||||
|
|
||||||
// GetExecUserPath is a wrapper for GetExecUser. It reads data from each of the
|
|
||||||
@@ -235,12 +232,12 @@ func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath
|
|
||||||
// * "uid:gid
|
|
||||||
// * "user:gid"
|
|
||||||
// * "uid:group"
|
|
||||||
+//
|
|
||||||
+// It should be noted that if you specify a numeric user or group id, they will
|
|
||||||
+// not be evaluated as usernames (only the metadata will be filled). So attempting
|
|
||||||
+// to parse a user with user.Name = "1337" will produce the user with a UID of
|
|
||||||
+// 1337.
|
|
||||||
func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (*ExecUser, error) {
|
|
||||||
- var (
|
|
||||||
- userArg, groupArg string
|
|
||||||
- name string
|
|
||||||
- )
|
|
||||||
-
|
|
||||||
if defaults == nil {
|
|
||||||
defaults = new(ExecUser)
|
|
||||||
}
|
|
||||||
@@ -258,87 +255,113 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (
|
|
||||||
user.Sgids = []int{}
|
|
||||||
}
|
|
||||||
|
|
||||||
- // allow for userArg to have either "user" syntax, or optionally "user:group" syntax
|
|
||||||
+ // Allow for userArg to have either "user" syntax, or optionally "user:group" syntax
|
|
||||||
+ var userArg, groupArg string
|
|
||||||
parseLine(userSpec, &userArg, &groupArg)
|
|
||||||
|
|
||||||
+ // Convert userArg and groupArg to be numeric, so we don't have to execute
|
|
||||||
+ // Atoi *twice* for each iteration over lines.
|
|
||||||
+ uidArg, uidErr := strconv.Atoi(userArg)
|
|
||||||
+ gidArg, gidErr := strconv.Atoi(groupArg)
|
|
||||||
+
|
|
||||||
+ // Find the matching user.
|
|
||||||
users, err := ParsePasswdFilter(passwd, func(u User) bool {
|
|
||||||
if userArg == "" {
|
|
||||||
+ // Default to current state of the user.
|
|
||||||
return u.Uid == user.Uid
|
|
||||||
}
|
|
||||||
- return u.Name == userArg || strconv.Itoa(u.Uid) == userArg
|
|
||||||
+
|
|
||||||
+ if uidErr == nil {
|
|
||||||
+ // If the userArg is numeric, always treat it as a UID.
|
|
||||||
+ return uidArg == u.Uid
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return u.Name == userArg
|
|
||||||
})
|
|
||||||
+
|
|
||||||
+ // If we can't find the user, we have to bail.
|
|
||||||
if err != nil && passwd != nil {
|
|
||||||
if userArg == "" {
|
|
||||||
userArg = strconv.Itoa(user.Uid)
|
|
||||||
}
|
|
||||||
- return nil, fmt.Errorf("Unable to find user %v: %v", userArg, err)
|
|
||||||
+ return nil, fmt.Errorf("unable to find user %s: %v", userArg, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
- haveUser := users != nil && len(users) > 0
|
|
||||||
- if haveUser {
|
|
||||||
- // if we found any user entries that matched our filter, let's take the first one as "correct"
|
|
||||||
- name = users[0].Name
|
|
||||||
+ var matchedUserName string
|
|
||||||
+ if len(users) > 0 {
|
|
||||||
+ // First match wins, even if there's more than one matching entry.
|
|
||||||
+ matchedUserName = users[0].Name
|
|
||||||
user.Uid = users[0].Uid
|
|
||||||
user.Gid = users[0].Gid
|
|
||||||
user.Home = users[0].Home
|
|
||||||
} else if userArg != "" {
|
|
||||||
- // we asked for a user but didn't find them... let's check to see if we wanted a numeric user
|
|
||||||
- user.Uid, err = strconv.Atoi(userArg)
|
|
||||||
- if err != nil {
|
|
||||||
- // not numeric - we have to bail
|
|
||||||
- return nil, fmt.Errorf("Unable to find user %v", userArg)
|
|
||||||
+ // If we can't find a user with the given username, the only other valid
|
|
||||||
+ // option is if it's a numeric username with no associated entry in passwd.
|
|
||||||
+
|
|
||||||
+ if uidErr != nil {
|
|
||||||
+ // Not numeric.
|
|
||||||
+ return nil, fmt.Errorf("unable to find user %s: %v", userArg, ErrNoPasswdEntries)
|
|
||||||
}
|
|
||||||
+ user.Uid = uidArg
|
|
||||||
|
|
||||||
// Must be inside valid uid range.
|
|
||||||
if user.Uid < minId || user.Uid > maxId {
|
|
||||||
return nil, ErrRange
|
|
||||||
}
|
|
||||||
|
|
||||||
- // if userArg couldn't be found in /etc/passwd but is numeric, just roll with it - this is legit
|
|
||||||
+ // Okay, so it's numeric. We can just roll with this.
|
|
||||||
}
|
|
||||||
|
|
||||||
- if groupArg != "" || name != "" {
|
|
||||||
+ // On to the groups. If we matched a username, we need to do this because of
|
|
||||||
+ // the supplementary group IDs.
|
|
||||||
+ if groupArg != "" || matchedUserName != "" {
|
|
||||||
groups, err := ParseGroupFilter(group, func(g Group) bool {
|
|
||||||
- // Explicit group format takes precedence.
|
|
||||||
- if groupArg != "" {
|
|
||||||
- return g.Name == groupArg || strconv.Itoa(g.Gid) == groupArg
|
|
||||||
+ // If the group argument isn't explicit, we'll just search for it.
|
|
||||||
+ if groupArg == "" {
|
|
||||||
+ // Check if user is a member of this group.
|
|
||||||
+ for _, u := range g.List {
|
|
||||||
+ if u == matchedUserName {
|
|
||||||
+ return true
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ return false
|
|
||||||
}
|
|
||||||
|
|
||||||
- // Check if user is a member.
|
|
||||||
- for _, u := range g.List {
|
|
||||||
- if u == name {
|
|
||||||
- return true
|
|
||||||
- }
|
|
||||||
+ if gidErr == nil {
|
|
||||||
+ // If the groupArg is numeric, always treat it as a GID.
|
|
||||||
+ return gidArg == g.Gid
|
|
||||||
}
|
|
||||||
|
|
||||||
- return false
|
|
||||||
+ return g.Name == groupArg
|
|
||||||
})
|
|
||||||
if err != nil && group != nil {
|
|
||||||
- return nil, fmt.Errorf("Unable to find groups for user %v: %v", users[0].Name, err)
|
|
||||||
+ return nil, fmt.Errorf("unable to find groups for spec %v: %v", matchedUserName, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
- haveGroup := groups != nil && len(groups) > 0
|
|
||||||
+ // Only start modifying user.Gid if it is in explicit form.
|
|
||||||
if groupArg != "" {
|
|
||||||
- if haveGroup {
|
|
||||||
- // if we found any group entries that matched our filter, let's take the first one as "correct"
|
|
||||||
+ if len(groups) > 0 {
|
|
||||||
+ // First match wins, even if there's more than one matching entry.
|
|
||||||
user.Gid = groups[0].Gid
|
|
||||||
- } else {
|
|
||||||
- // we asked for a group but didn't find id... let's check to see if we wanted a numeric group
|
|
||||||
- user.Gid, err = strconv.Atoi(groupArg)
|
|
||||||
- if err != nil {
|
|
||||||
- // not numeric - we have to bail
|
|
||||||
- return nil, fmt.Errorf("Unable to find group %v", groupArg)
|
|
||||||
+ } else if groupArg != "" {
|
|
||||||
+ // If we can't find a group with the given name, the only other valid
|
|
||||||
+ // option is if it's a numeric group name with no associated entry in group.
|
|
||||||
+
|
|
||||||
+ if gidErr != nil {
|
|
||||||
+ // Not numeric.
|
|
||||||
+ return nil, fmt.Errorf("unable to find group %s: %v", groupArg, ErrNoGroupEntries)
|
|
||||||
}
|
|
||||||
+ user.Gid = gidArg
|
|
||||||
|
|
||||||
- // Ensure gid is inside gid range.
|
|
||||||
+ // Must be inside valid gid range.
|
|
||||||
if user.Gid < minId || user.Gid > maxId {
|
|
||||||
return nil, ErrRange
|
|
||||||
}
|
|
||||||
|
|
||||||
- // if groupArg couldn't be found in /etc/group but is numeric, just roll with it - this is legit
|
|
||||||
+ // Okay, so it's numeric. We can just roll with this.
|
|
||||||
}
|
|
||||||
- } else if haveGroup {
|
|
||||||
- // If implicit group format, fill supplementary gids.
|
|
||||||
+ } else if len(groups) > 0 {
|
|
||||||
+ // Supplementary group ids only make sense if in the implicit form.
|
|
||||||
user.Sgids = make([]int, len(groups))
|
|
||||||
for i, group := range groups {
|
|
||||||
user.Sgids[i] = group.Gid
|
|
||||||
--
|
|
||||||
2.8.1
|
|
||||||
|
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:d36c5f677ea5ddb77b25552509217674cd18a526f1e86202befb69fa1f9a242f
|
|
||||||
size 8794588
|
|
3
docker-1.11.2.tar.xz
Normal file
3
docker-1.11.2.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:279ade8e90c40e4a9b10fe570313aef0672b9ee3858d6ce78295ee448775db34
|
||||||
|
size 8797368
|
@ -1,7 +1,35 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jun 8 14:42:08 UTC 2016 - asarai@suse.de
|
||||||
|
|
||||||
|
* Removed patches:
|
||||||
|
- cve-2016-3697-numeric-uid.patch (merged upstream in gh@docker/docker#22998).
|
||||||
|
* Update Docker to 1.11.2. Changelog from upstream:
|
||||||
|
|
||||||
|
* Networking
|
||||||
|
* Fix a stale endpoint issue on overlay networks during ungraceful restart
|
||||||
|
(#23015)
|
||||||
|
* Fix an issue where the wrong port could be reported by docker
|
||||||
|
inspect/ps/port (#22997)
|
||||||
|
|
||||||
|
* Runtime
|
||||||
|
* Fix a potential panic when running docker build (#23032)
|
||||||
|
* Fix interpretation of --user parameter (#22998)
|
||||||
|
* Fix a bug preventing container statistics to be correctly reported (#22955)
|
||||||
|
* Fix an issue preventing container to be restarted after daemon restart
|
||||||
|
(#22947)
|
||||||
|
* Fix issues when running 32 bit binaries on Ubuntu 16.04 (#22922)
|
||||||
|
* Fix a possible deadlock on image deletion and container attach (#22918)
|
||||||
|
* Fix an issue where containers fail to start after a daemon restart if they
|
||||||
|
depend on a containerized cluster store (#22561)
|
||||||
|
* Fix an issue causing docker ps to hang on CentOS when using devicemapper
|
||||||
|
(#22168, #23067)
|
||||||
|
* Fix a bug preventing to docker exec into a container when using
|
||||||
|
devicemapper (#22168, #23067)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri May 20 10:26:39 UTC 2016 - jmassaguerpla@suse.com
|
Fri May 20 10:26:39 UTC 2016 - jmassaguerpla@suse.com
|
||||||
|
|
||||||
- Fix udev files ownership
|
- Fix udev files ownership
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed May 18 14:21:09 UTC 2016 - asarai@suse.de
|
Wed May 18 14:21:09 UTC 2016 - asarai@suse.de
|
||||||
|
@ -22,10 +22,10 @@
|
|||||||
|
|
||||||
%define git_version 9e83765
|
%define git_version 9e83765
|
||||||
%define go_arches %ix86 x86_64 aarch64
|
%define go_arches %ix86 x86_64 aarch64
|
||||||
%define version_unconverted 1.11.1
|
%define version_unconverted 1.11.2
|
||||||
|
|
||||||
Name: docker
|
Name: docker
|
||||||
Version: 1.11.1
|
Version: 1.11.2
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: The Linux container runtime
|
Summary: The Linux container runtime
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
@ -54,9 +54,6 @@ Patch200: docker-mount-secrets.patch
|
|||||||
Patch101: gcc-go-patches.patch
|
Patch101: gcc-go-patches.patch
|
||||||
Patch102: netlink_gcc_go.patch
|
Patch102: netlink_gcc_go.patch
|
||||||
Patch103: netlink_netns_powerpc.patch
|
Patch103: netlink_netns_powerpc.patch
|
||||||
# This fixes bsc#976777. While the fix is upstream, it isn't in Docker 1.10.3 or
|
|
||||||
# Docker 1.11.0. This patch was squashed and cherry-picked from runc#708.
|
|
||||||
Patch301: cve-2016-3697-numeric-uid.patch
|
|
||||||
# This fixes bnc#964673. This fix is in boltdb upstream, but has yet to be
|
# This fixes bnc#964673. This fix is in boltdb upstream, but has yet to be
|
||||||
# merged into Docker (in a vendor commit). This patch was cherry-picked from
|
# merged into Docker (in a vendor commit). This patch was cherry-picked from
|
||||||
# bolt#555.
|
# bolt#555.
|
||||||
@ -177,8 +174,6 @@ Test package for docker. It contains the source code and the tests.
|
|||||||
%patch102 -p1
|
%patch102 -p1
|
||||||
%patch103 -p1
|
%patch103 -p1
|
||||||
%endif
|
%endif
|
||||||
# bsc#976777
|
|
||||||
%patch301 -p1
|
|
||||||
# bnc#964673
|
# bnc#964673
|
||||||
%patch302 -p1
|
%patch302 -p1
|
||||||
cp %{SOURCE7} .
|
cp %{SOURCE7} .
|
||||||
|
Loading…
Reference in New Issue
Block a user