Accepting request 539455 from home:cyphar:containers:docker_CVE-2017-16539
- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a
  security issue where a Docker container (with a disabled AppArmor profile)
  could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801
  CVE-2017-16539
  + bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch

OBS-URL: https://build.opensuse.org/request/show/539455
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=210
parent 91fa19e925
commit 9102c78185
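The commit message above says the fix is to mask /proc/scsi, which means a container started with the patched defaults should no longer be able to reach the host's SCSI control files. The script below is added here as example code (it is not part of Docker/moby or of the openSUSE docker package) to verify that on a running container: it parses /proc/self/mountinfo and reports which of the expected paths have no mount of their own. It assumes runc's masking behaviour, which this page does not describe: a masked directory is covered by a read-only tmpfs and a masked file by a bind mount of /dev/null, so a path is masked exactly when it has its own mountinfo entry. The mountinfo excerpts in the script are constructed, not captured from a real host.

```shell
#!/bin/sh
# Check from inside a container that the paths masked by the patch really are
# masked. Example code added to this page; not Docker/moby or package code.
# Assumption (runc behaviour, not stated on this page): runc masks a directory
# by mounting a read-only tmpfs over it and a file by bind-mounting /dev/null,
# so a masked path shows up as its own entry in /proc/self/mountinfo.

# mount_type_at MOUNTINFO PATH
# Prints the filesystem type of the mount whose mount point is exactly PATH,
# or nothing when PATH has no mount of its own.
mount_type_at() {
    printf '%s\n' "$1" | awk -v target="$2" '
        $5 == target {
            # Fields: ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional...] - FSTYPE SOURCE SUPEROPTS
            # The optional fields vary in number, so locate the "-" separator first.
            for (i = 7; i <= NF; i++) if ($i == "-") break
            print $(i + 1)
            exit
        }'
}

# is_path_masked MOUNTINFO PATH
# Succeeds when PATH is covered by a mount of its own, i.e. has been masked.
is_path_masked() {
    [ -n "$(mount_type_at "$1" "$2")" ]
}

# unmasked_paths MOUNTINFO PATH...
# Prints, one per line, every PATH that is not masked; prints nothing when all are.
unmasked_paths() {
    mountinfo=$1
    shift
    for p in "$@"; do
        is_path_masked "$mountinfo" "$p" || printf '%s\n' "$p"
    done
}

# Constructed mountinfo excerpts (not captured from a real host). The first is
# what a container started with the patched defaults would show: /proc/scsi and
# /sys/firmware each carry a read-only tmpfs, /proc/kcore a /dev/null bind mount.
# The second lacks the two new masks and represents an unpatched daemon.
MASKED_SAMPLE='200 190 0:60 / / rw,relatime - overlay overlay rw
201 200 0:61 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
202 200 0:62 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
203 201 0:63 / /proc/scsi ro,relatime - tmpfs tmpfs ro
204 202 0:64 / /sys/firmware ro,relatime - tmpfs tmpfs ro
205 201 0:65 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755'

UNMASKED_SAMPLE='200 190 0:60 / / rw,relatime - overlay overlay rw
201 200 0:61 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
202 200 0:62 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
205 201 0:65 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755'

# Against a live container, pass the real file instead of the sample, e.g.:
#   unmasked_paths "$(docker run --rm alpine cat /proc/self/mountinfo)" /proc/scsi /sys/firmware
unmasked_paths "$UNMASKED_SAMPLE" /proc/scsi /sys/firmware /proc/kcore
```

Run against a container on a patched daemon the last call prints nothing; on an unpatched daemon it lists /proc/scsi and /sys/firmware. Checking mountinfo rather than trying `ls /proc/scsi` is deliberate: a tmpfs mask makes the directory look empty, and an empty listing alone does not distinguish "masked" from "host has no SCSI controllers".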
bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch (new file, 32 lines)
@ -0,0 +1,32 @@
From 48dad93f2bfc6ac5a201e98d6029fcff9cfbba80 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Tue, 7 Nov 2017 18:32:41 +1100
Subject: [PATCH] oci: add /proc/scsi to masked paths

This is writeable, and can be used to remove devices. Containers do
not need to know about scsi devices.

Fixes: CVE-2017-16539
SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Signed-off-by: Aleksa Sarai <asarai@suse.de>
---
oci/defaults.go | 2 ++
1 file changed, 2 insertions(+)

diff --git a/oci/defaults.go b/oci/defaults.go
index d706fafcc021..188ec3149659 100644
--- a/oci/defaults.go
+++ b/oci/defaults.go
@@ -132,6 +132,8 @@ func DefaultLinuxSpec() specs.Spec {
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
+ "/sys/firmware",
+ "/proc/scsi",
},
ReadonlyPaths: []string{
"/proc/asound",
--
2.14.3

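Review bot: the patch subject and body ("oci: add /proc/scsi to masked paths", "Containers do not need to know about scsi devices") describe only /proc/scsi, but the hunk in oci/defaults.go adds two entries, `+ "/sys/firmware",` as well as `+ "/proc/scsi",`. Either say in the description why /sys/firmware is masked alongside it, or carry it as a separate patch, so that a patch tagged "Fixes: CVE-2017-16539" does not silently ship an unrelated hardening change that the SUSE-Bug and changelog text never mention.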
@ -1,3 +1,12 @@
-------------------------------------------------------------------
Tue Nov 7 09:00:31 UTC 2017 - asarai@suse.com

- Add a backport of https://github.com/moby/moby/pull/35399, which fixes a
security issue where a Docker container (with a disabled AppArmor profile)
could write to /proc/scsi/... and subsequently DoS the host. bsc#1066801
CVE-2017-16539
+ bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch

-------------------------------------------------------------------
Tue Oct 24 06:50:29 UTC 2017 - asarai@suse.com

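Review bot: the changelog entry says the backport stops containers writing to /proc/scsi/..., but the backported patch also adds /sys/firmware to the masked paths; list both paths here so the package changelog matches what the patch actually changes in the default spec.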
@ -68,6 +68,8 @@ Patch401: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespa
Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34176. boo#1064781
Patch403: bsc1064781-0001-Allow-to-override-build-date.patch
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539
Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: ca-certificates
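Review bot: the comment above Patch404 cites `boo#1066801`, while the patch file name (`bsc1066801-...`), the changelog (`bsc#1066801`) and the patch's own `SUSE-Bug: https://bugzilla.suse.com/...` trailer all use the bugzilla.suse.com prefix. The Patch403 line already mixes the two the same way, so this follows the file's existing habit, but picking `bsc#` here would make the three references to the same bug agree.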
@ -191,6 +193,8 @@ Test package for docker. It contains the source code and the tests.
%patch402 -p1 -d components/engine
# boo#1064781
%patch403 -p1 -d components/engine
# boo#1066801 CVE-2017-16539
%patch404 -p1 -d components/engine

cp %{SOURCE7} .
cp %{SOURCE9} .