Accepting request 540195 from Virtualization:containers

- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a security issue where a maliciously crafted image could be used to crash a Docker daemon. bsc#1066210 CVE-2017-14992 + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch - Add a backport of https://github.com/moby/moby/pull/35399, which fixes a security issue where a Docker container (with a disabled AppArmor profile) could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801 CVE-2017-16539 + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch - Fix bsc#1059011 The systemd service helper script used a timeout of 60 seconds to start the daemon, which is insufficient in cases where the daemon takes longer to start. Instead, set the service type from 'simple' to 'notify' and remove the now superfluous helper script. - fix bsc#1057743: Add a Requires: fix_bsc_1057743 which is provided by the newer version of docker-libnetwork. This is necessary because of a versioning bug we found in bsc#1057743. OBS-URL: https://build.opensuse.org/request/show/540195 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=63
2017-11-10 13:42:49 +00:00 · 2017-11-10 13:42:49 +00:00 · 41554f0a6c
commit 41554f0a6c
parent c9664c6805 6a6c6aa170
5 changed files with 196 additions and 2 deletions
--- a/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
+++ b/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
@ -0,0 +1,118 @@
+From b5cf56bc7f734ed8bfad4119fb817261e541a609 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Wed, 8 Nov 2017 02:50:52 +1100
+Subject: [PATCH] vendor: update to github.com/vbatts/tar-split@v0.10.2
+
+Update to the latest version of tar-split, which includes a change to
+fix a memory exhaustion issue where a malformed image could cause the
+Docker daemon to crash.
+
+  * tar: asm: store padding in chunks to avoid memory exhaustion
+
+Fixes: CVE-2017-14992
+SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066210
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ vendor.conf                                        |  2 +-
+ vendor/github.com/vbatts/tar-split/README.md       |  3 +-
+ .../vbatts/tar-split/tar/asm/disassemble.go        | 43 ++++++++++++++--------
+ 3 files changed, 31 insertions(+), 17 deletions(-)
+
+diff --git a/vendor.conf b/vendor.conf
+index 535adad38728..ea4f75bbea10 100644
+--- a/vendor.conf
+++ b/vendor.conf
+@@ -53,7 +53,7 @@ github.com/miekg/dns 75e6e86cc601825c5dbcd4e0c209eab180997cd7
+ 
+ # get graph and distribution packages
+ github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621
+-github.com/vbatts/tar-split v0.10.1
+github.com/vbatts/tar-split v0.10.2
+ github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
+ 
+ # get go-zfs packages
+diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md
+index 4c544d823fbc..03e3ec4308b7 100644
+--- a/vendor/github.com/vbatts/tar-split/README.md
+++ b/vendor/github.com/vbatts/tar-split/README.md
+@@ -1,6 +1,7 @@
+ # tar-split
+ 
+ [![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split)
+[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split)
+ 
+ Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive.
+ 
+@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a
+ contiguous file, though the archive contents may be recorded in sparse format.
+ Therefore when adding the file payload to a reassembled tar, to achieve
+ identical output, the file payload would need be precisely re-sparsified. This
+-is not something I seek to fix imediately, but would rather have an alert that
+is not something I seek to fix immediately, but would rather have an alert that
+ precise reassembly is not possible.
+ (see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html)
+ 
+diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+index 54ef23aed366..009b3f5d8124 100644
+--- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+@@ -2,7 +2,6 @@ package asm
+ 
+ import (
+ 	"io"
+-	"io/ioutil"
+ 
+ 	"github.com/vbatts/tar-split/archive/tar"
+ 	"github.com/vbatts/tar-split/tar/storage"
+@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io
+ 			}
+ 		}
+ 
+-		// it is allowable, and not uncommon that there is further padding on the
+-		// end of an archive, apart from the expected 1024 null bytes.
+-		remainder, err := ioutil.ReadAll(outputRdr)
+-		if err != nil && err != io.EOF {
+-			pW.CloseWithError(err)
+-			return
+-		}
+-		_, err = p.AddEntry(storage.Entry{
+-			Type:    storage.SegmentType,
+-			Payload: remainder,
+-		})
+-		if err != nil {
+-			pW.CloseWithError(err)
+-			return
+		// It is allowable, and not uncommon that there is further padding on
+		// the end of an archive, apart from the expected 1024 null bytes. We
+		// do this in chunks rather than in one go to avoid cases where a
+		// maliciously crafted tar file tries to trick us into reading many GBs
+		// into memory.
+		const paddingChunkSize = 1024 * 1024
+		var paddingChunk [paddingChunkSize]byte
+		for {
+			var isEOF bool
+			n, err := outputRdr.Read(paddingChunk[:])
+			if err != nil {
+				if err != io.EOF {
+					pW.CloseWithError(err)
+					return
+				}
+				isEOF = true
+			}
+			_, err = p.AddEntry(storage.Entry{
+				Type:    storage.SegmentType,
+				Payload: paddingChunk[:n],
+			})
+			if err != nil {
+				pW.CloseWithError(err)
+				return
+			}
+			if isEOF {
+				break
+			}
+ 		}
+ 		pW.Close()
+ 	}()
+-- 
+2.14.3
+
--- a/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+++ b/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
@ -0,0 +1,31 @@
+From d0194d04255e8121d67c1f55d7dce8f5ba67fccc Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Tue, 7 Nov 2017 18:32:41 +1100
+Subject: [PATCH] oci: add /proc/scsi to masked paths
+
+This is writeable, and can be used to remove devices. Containers do
+not need to know about scsi devices.
+
+Fixes: CVE-2017-16539
+SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801
+Signed-off-by: Justin Cormack <justin.cormack@docker.com>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ oci/defaults.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/oci/defaults.go b/oci/defaults.go
+index d706fafcc021..a7fd285060c2 100644
+--- a/oci/defaults.go
+++ b/oci/defaults.go
+@@ -132,6 +132,7 @@ func DefaultLinuxSpec() specs.Spec {
+ 			"/proc/timer_list",
+ 			"/proc/timer_stats",
+ 			"/proc/sched_debug",
+			"/proc/scsi",
+ 		},
+ 		ReadonlyPaths: []string{
+ 			"/proc/asound",
+-- 
+2.14.3
+
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Tue Nov  7 16:47:01 UTC 2017 - asarai@suse.com
+
+- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a
+  security issue where a maliciously crafted image could be used to crash a
+  Docker daemon. bsc#1066210 CVE-2017-14992
+  + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
+
+-------------------------------------------------------------------
+Tue Nov  7 09:00:31 UTC 2017 - asarai@suse.com
+
+- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a
+  security issue where a Docker container (with a disabled AppArmor profile)
+  could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801
+  CVE-2017-16539
+  + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+
 -------------------------------------------------------------------
 Tue Oct 24 06:50:29 UTC 2017 - asarai@suse.com

@ -31,6 +48,23 @@ Mon Oct  9 11:36:59 UTC 2017 - asarai@suse.com
  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch

+-------------------------------------------------------------------
+Mon Oct  2 08:12:17 UTC 2017 - vrothberg@suse.com
+
+- Fix bsc#1059011
+
+  The systemd service helper script used a timeout of 60 seconds to
+  start the daemon, which is insufficient in cases where the daemon
+  takes longer to start. Instead, set the service type from 'simple' to
+  'notify' and remove the now superfluous helper script.
+
+-------------------------------------------------------------------
+Wed Sep 27 15:04:19 UTC 2017 - jmassaguerpla@suse.com
+
+- fix bsc#1057743: Add a Requires: fix_bsc_1057743 which is provided by the
+  newer version of docker-libnetwork. This is necessary because of a versioning
+  bug we found in bsc#1057743.
+
 -------------------------------------------------------------------
 Fri Sep 15 15:32:49 UTC 2017 - jmassaguerpla@suse.com

--- a/docker.service
+++ b/docker.service
@ -10,7 +10,7 @@ EnvironmentFile=/etc/sysconfig/docker
 # While Docker has support for socket activation (-H fd://), this is not
 # enabled by default because enabling socket activation means that on boot your
 # containers won't start until someone tries to administer the Docker daemon.
-Type=simple
+Type=notify
 ExecStart=/usr/bin/dockerd --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
 ExecReload=/bin/kill -s HUP $MAINPID

--- a/docker.spec
+++ b/docker.spec
@ -68,6 +68,10 @@ Patch401:       bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespa
 Patch402:       bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34176. boo#1064781
 Patch403:       bsc1064781-0001-Allow-to-override-build-date.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539
+Patch404:       bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992
+Patch405:       bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@ -98,7 +102,11 @@ BuildRequires:  zsh
 Requires:       apparmor-parser
 Requires:       bridge-utils
 Requires:       ca-certificates-mozilla
+# Required in order for networking to work. fix_bsc_1057743 is a work-around
+# for some old packaging issues (where rpm would delete a binary that was
+# installed by docker-libnetwork). See bsc#1057743 for more details.
 Requires:       docker-libnetwork = 0.7.0+gitr2322_4a242dba7739
+Requires:       fix_bsc_1057743
 # Containerd and runC are required as they are the only currently supported
 # execdrivers of Docker. NOTE: The version pinning here matches upstream's
 # vendor.conf to ensure that we don't use a slightly incompatible version of
@ -191,6 +199,10 @@ Test package for docker. It contains the source code and the tests.
 %patch402 -p1 -d components/engine
 # boo#1064781
 %patch403 -p1 -d components/engine
+# boo#1066801 CVE-2017-16539
+%patch404 -p1 -d components/engine
+# boo#1066210 CVE-2017-14992
+%patch405 -p1 -d components/engine

 cp %{SOURCE7} .
 cp %{SOURCE9} .
@ -435,7 +447,6 @@ fi
 %{_bindir}/docker
 %{_bindir}/dockerd
 %{_sbindir}/rcdocker
-%{_libexecdir}/docker/
 %{_unitdir}/%{name}.service
 %config %{_sysconfdir}/audit/rules.d/%{name}.rules
 %{_udevrulesdir}/80-%{name}.rules