diff --git a/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch b/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch new file mode 100644 index 0000000..b3dca29 --- /dev/null +++ b/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch 
@@ -0,0 +1,118 @@ +From b5cf56bc7f734ed8bfad4119fb817261e541a609 Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Wed, 8 Nov 2017 02:50:52 +1100 +Subject: [PATCH] vendor: update to github.com/vbatts/tar-split@v0.10.2 + +Update to the latest version of tar-split, which includes a change to +fix a memory exhaustion issue where a malformed image could cause the +Docker daemon to crash. + + * tar: asm: store padding in chunks to avoid memory exhaustion + +Fixes: CVE-2017-14992 +SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066210 +Signed-off-by: Aleksa Sarai +--- + vendor.conf | 2 +- + vendor/github.com/vbatts/tar-split/README.md | 3 +- + .../vbatts/tar-split/tar/asm/disassemble.go | 43 ++++++++++++++-------- + 3 files changed, 31 insertions(+), 17 deletions(-) + +diff --git a/vendor.conf b/vendor.conf +index 535adad38728..ea4f75bbea10 100644 +--- a/vendor.conf ++++ b/vendor.conf +@@ -53,7 +53,7 @@ github.com/miekg/dns 75e6e86cc601825c5dbcd4e0c209eab180997cd7 + + # get graph and distribution packages + github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621 +-github.com/vbatts/tar-split v0.10.1 ++github.com/vbatts/tar-split v0.10.2 + github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb + + # get go-zfs packages +diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md +index 4c544d823fbc..03e3ec4308b7 100644 +--- a/vendor/github.com/vbatts/tar-split/README.md ++++ b/vendor/github.com/vbatts/tar-split/README.md +@@ -1,6 +1,7 @@ + # tar-split + + [![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split) ++[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split) + + Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive. 
+ +@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a + contiguous file, though the archive contents may be recorded in sparse format. + Therefore when adding the file payload to a reassembled tar, to achieve + identical output, the file payload would need be precisely re-sparsified. This +-is not something I seek to fix imediately, but would rather have an alert that ++is not something I seek to fix immediately, but would rather have an alert that + precise reassembly is not possible. + (see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html) + +diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go +index 54ef23aed366..009b3f5d8124 100644 +--- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go ++++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go +@@ -2,7 +2,6 @@ package asm + + import ( + "io" +- "io/ioutil" + + "github.com/vbatts/tar-split/archive/tar" + "github.com/vbatts/tar-split/tar/storage" +@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io + } + } + +- // it is allowable, and not uncommon that there is further padding on the +- // end of an archive, apart from the expected 1024 null bytes. +- remainder, err := ioutil.ReadAll(outputRdr) +- if err != nil && err != io.EOF { +- pW.CloseWithError(err) +- return +- } +- _, err = p.AddEntry(storage.Entry{ +- Type: storage.SegmentType, +- Payload: remainder, +- }) +- if err != nil { +- pW.CloseWithError(err) +- return ++ // It is allowable, and not uncommon that there is further padding on ++ // the end of an archive, apart from the expected 1024 null bytes. We ++ // do this in chunks rather than in one go to avoid cases where a ++ // maliciously crafted tar file tries to trick us into reading many GBs ++ // into memory. 
++ const paddingChunkSize = 1024 * 1024 ++ var paddingChunk [paddingChunkSize]byte ++ for { ++ var isEOF bool ++ n, err := outputRdr.Read(paddingChunk[:]) ++ if err != nil { ++ if err != io.EOF { ++ pW.CloseWithError(err) ++ return ++ } ++ isEOF = true ++ } ++ _, err = p.AddEntry(storage.Entry{ ++ Type: storage.SegmentType, ++ Payload: paddingChunk[:n], ++ }) ++ if err != nil { ++ pW.CloseWithError(err) ++ return ++ } ++ if isEOF { ++ break ++ } + } + pW.Close() + }() +-- +2.14.3 + diff --git a/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch b/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch new file mode 100644 index 0000000..315cd5b --- /dev/null +++ b/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch @@ -0,0 +1,31 @@ +From d0194d04255e8121d67c1f55d7dce8f5ba67fccc Mon Sep 17 00:00:00 2001 +From: Aleksa Sarai +Date: Tue, 7 Nov 2017 18:32:41 +1100 +Subject: [PATCH] oci: add /proc/scsi to masked paths + +This is writeable, and can be used to remove devices. Containers do +not need to know about scsi devices. + +Fixes: CVE-2017-16539 +SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801 +Signed-off-by: Justin Cormack +Signed-off-by: Aleksa Sarai +--- + oci/defaults.go | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/oci/defaults.go b/oci/defaults.go +index d706fafcc021..a7fd285060c2 100644 +--- a/oci/defaults.go ++++ b/oci/defaults.go +@@ -132,6 +132,7 @@ func DefaultLinuxSpec() specs.Spec { + "/proc/timer_list", + "/proc/timer_stats", + "/proc/sched_debug", ++ "/proc/scsi", + }, + ReadonlyPaths: []string{ + "/proc/asound", +-- +2.14.3 + diff --git a/docker.changes b/docker.changes index 1826677..581c0a8 100644 --- a/docker.changes +++ b/docker.changes 
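Review bot: In the new padding loop (the enclosing NewInputTarStream goroutine starts before the hunk), `Payload: paddingChunk[:n]` hands the packer a slice that aliases the single `paddingChunk` array, which the next `Read` overwrites, so the code is only correct if `p.AddEntry` serializes or copies the payload before returning — something the hunk cannot show. If the Packer contract does not promise that, pass a copy (`Payload: append([]byte(nil), paddingChunk[:n]...)`) or record the assumption with `// paddingChunk is reused on the next iteration; AddEntry must not retain Payload.`. A reader that returns `(0, nil)` (allowed by io.Reader) now emits an empty SegmentType entry per iteration; `if n == 0 && !isEOF { continue }` before the AddEntry call avoids filling the metadata stream with empty segments while keeping the final empty entry on EOF that the removed ioutil.ReadAll version also produced. Memory per read is now bounded, but the metadata written for a multi-GiB trailer still grows with the input, so this caps the daemon's memory rather than the total work an oversized archive can cause.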
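Review bot: The new `"/proc/scsi"` entry in DefaultLinuxSpec's MaskedPaths carries no comment, and the rationale lives only in the commit message; since this list is the daemon's default hardening, a short in-code note such as `// /proc/scsi is writable and can be used to remove devices from the host (CVE-2017-16539).` keeps the reason with the code. The DefaultLinuxSpec body begins and ends outside the hunk. Masking through the default spec only protects containers that keep it — as far as I recall privileged containers drop MaskedPaths entirely — so that case is unchanged by this patch and worth stating where the fix is described.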
@@ -1,3 +1,20 @@ +------------------------------------------------------------------- +Tue Nov 7 16:47:01 UTC 2017 - asarai@suse.com + +- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a + security issue where a maliciously crafted image could be used to crash a + Docker daemon. bsc#1066210 CVE-2017-14992 + + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch + +------------------------------------------------------------------- +Tue Nov 7 09:00:31 UTC 2017 - asarai@suse.com + +- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a + security issue where a Docker container (with a disabled AppArmor profile) + could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801 + CVE-2017-16539 + + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch + ------------------------------------------------------------------- Tue Oct 24 06:50:29 UTC 2017 - asarai@suse.com @@ -31,6 +48,23 @@ Mon Oct 9 11:36:59 UTC 2017 - asarai@suse.com * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch * secrets-0002-SUSE-implement-SUSE-container-secrets.patch +------------------------------------------------------------------- +Mon Oct 2 08:12:17 UTC 2017 - vrothberg@suse.com + +- Fix bsc#1059011 + + The systemd service helper script used a timeout of 60 seconds to + start the daemon, which is insufficient in cases where the daemon + takes longer to start. Instead, set the service type from 'simple' to + 'notify' and remove the now superfluous helper script. + +------------------------------------------------------------------- +Wed Sep 27 15:04:19 UTC 2017 - jmassaguerpla@suse.com + +- fix bsc#1057743: Add a Requires: fix_bsc_1057743 which is provided by the + newer version of docker-libnetwork. This is necessary because of a versioning + bug we found in bsc#1057743. + ------------------------------------------------------------------- Fri Sep 15 15:32:49 UTC 2017 - jmassaguerpla@suse.com 
diff --git a/docker.service b/docker.service index ea5d855..ead1d5f 100644 --- a/docker.service +++ b/docker.service @@ -10,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker # While Docker has support for socket activation (-H fd://), this is not # enabled by default because enabling socket activation means that on boot your # containers won't start until someone tries to administer the Docker daemon. -Type=simple +Type=notify ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS ExecReload=/bin/kill -s HUP $MAINPID diff --git a/docker.spec b/docker.spec index 658c455..1cfe948 100644 --- a/docker.spec +++ b/docker.spec @@ -68,6 +68,10 @@ Patch401: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespa Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34176. boo#1064781 Patch403: bsc1064781-0001-Allow-to-override-build-date.patch +# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539 +Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch +# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992 +Patch405: bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates 
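Review bot: Switching to `Type=notify` makes the unit's readiness depend on dockerd sending `READY=1` over `$NOTIFY_SOCKET` (which dockerd does on Linux, as far as I know), and the hunk neither documents that dependency nor sets `TimeoutStartSec=`, so startup is now bounded by systemd's default start timeout rather than the removed helper's 60 seconds. Given docker.changes says 60 seconds was insufficient, consider stating the intended bound explicitly in the unit or adding a comment such as `# Type=notify: dockerd signals readiness itself via sd_notify, so no helper script is needed.` next to the existing socket-activation comment. The `ExecStart` line that follows is unchanged and stays within the default `NotifyAccess=main`, which is sufficient only because dockerd is the main PID.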
@@ -98,7 +102,11 @@ BuildRequires: zsh Requires: apparmor-parser Requires: bridge-utils Requires: ca-certificates-mozilla +# Required in order for networking to work. fix_bsc_1057743 is a work-around +# for some old packaging issues (where rpm would delete a binary that was +# installed by docker-libnetwork). See bsc#1057743 for more details. Requires: docker-libnetwork = 0.7.0+gitr2322_4a242dba7739 +Requires: fix_bsc_1057743 # Containerd and runC are required as they are the only currently supported # execdrivers of Docker. NOTE: The version pinning here matches upstream's # vendor.conf to ensure that we don't use a slightly incompatible version of @@ -191,6 +199,10 @@ Test package for docker. It contains the source code and the tests. %patch402 -p1 -d components/engine # boo#1064781 %patch403 -p1 -d components/engine +# boo#1066801 CVE-2017-16539 +%patch404 -p1 -d components/engine +# boo#1066210 CVE-2017-14992 +%patch405 -p1 -d components/engine cp %{SOURCE7} . cp %{SOURCE9} . @@ -435,7 +447,6 @@ fi %{_bindir}/docker %{_bindir}/dockerd %{_sbindir}/rcdocker -%{_libexecdir}/docker/ %{_unitdir}/%{name}.service %config %{_sysconfdir}/audit/rules.d/%{name}.rules %{_udevrulesdir}/80-%{name}.rules