diff --git a/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch b/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
new file mode 100644
index 0000000..b3dca29
--- /dev/null
+++ b/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
@@ -0,0 +1,118 @@
+From b5cf56bc7f734ed8bfad4119fb817261e541a609 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Wed, 8 Nov 2017 02:50:52 +1100
+Subject: [PATCH] vendor: update to github.com/vbatts/tar-split@v0.10.2
+
+Update to the latest version of tar-split, which includes a change to
+fix a memory exhaustion issue where a malformed image could cause the
+Docker daemon to crash.
+
+ * tar: asm: store padding in chunks to avoid memory exhaustion
+
+Fixes: CVE-2017-14992
+SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066210
+Signed-off-by: Aleksa Sarai
+---
+ vendor.conf | 2 +-
+ vendor/github.com/vbatts/tar-split/README.md | 3 +-
+ .../vbatts/tar-split/tar/asm/disassemble.go | 43 ++++++++++++++--------
+ 3 files changed, 31 insertions(+), 17 deletions(-)
+
+diff --git a/vendor.conf b/vendor.conf
+index 535adad38728..ea4f75bbea10 100644
+--- a/vendor.conf
++++ b/vendor.conf
+@@ -53,7 +53,7 @@ github.com/miekg/dns 75e6e86cc601825c5dbcd4e0c209eab180997cd7
+ 
+ # get graph and distribution packages
+ github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621
+-github.com/vbatts/tar-split v0.10.1
++github.com/vbatts/tar-split v0.10.2
+ github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
+ 
+ # get go-zfs packages
+diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md
+index 4c544d823fbc..03e3ec4308b7 100644
+--- a/vendor/github.com/vbatts/tar-split/README.md
++++ b/vendor/github.com/vbatts/tar-split/README.md
+@@ -1,6 +1,7 @@
+ # tar-split
+ 
+ [![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split)
++[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split)
+ 
+ Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive.
+ 
+@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a
+ contiguous file, though the archive contents may be recorded in sparse format.
+ Therefore when adding the file payload to a reassembled tar, to achieve
+ identical output, the file payload would need be precisely re-sparsified. This
+-is not something I seek to fix imediately, but would rather have an alert that
++is not something I seek to fix immediately, but would rather have an alert that
+ precise reassembly is not possible.
+ (see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html)
+ 
+diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+index 54ef23aed366..009b3f5d8124 100644
+--- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
++++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+@@ -2,7 +2,6 @@ package asm
+ 
+ import (
+ "io"
+- "io/ioutil"
+ 
+ "github.com/vbatts/tar-split/archive/tar"
+ "github.com/vbatts/tar-split/tar/storage"
+@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io
+ }
+ }
+ 
+- // it is allowable, and not uncommon that there is further padding on the
+- // end of an archive, apart from the expected 1024 null bytes.
+- remainder, err := ioutil.ReadAll(outputRdr)
+- if err != nil && err != io.EOF {
+- pW.CloseWithError(err)
+- return
+- }
+- _, err = p.AddEntry(storage.Entry{
+- Type: storage.SegmentType,
+- Payload: remainder,
+- })
+- if err != nil {
+- pW.CloseWithError(err)
+- return
++ // It is allowable, and not uncommon that there is further padding on
++ // the end of an archive, apart from the expected 1024 null bytes. We
++ // do this in chunks rather than in one go to avoid cases where a
++ // maliciously crafted tar file tries to trick us into reading many GBs
++ // into memory.
++ const paddingChunkSize = 1024 * 1024
++ var paddingChunk [paddingChunkSize]byte
++ for {
++ var isEOF bool
++ n, err := outputRdr.Read(paddingChunk[:])
++ if err != nil {
++ if err != io.EOF {
++ pW.CloseWithError(err)
++ return
++ }
++ isEOF = true
++ }
++ _, err = p.AddEntry(storage.Entry{
++ Type: storage.SegmentType,
++ Payload: paddingChunk[:n],
++ })
++ if err != nil {
++ pW.CloseWithError(err)
++ return
++ }
++ if isEOF {
++ break
++ }
+ }
+ pW.Close()
+ }()
+-- 
+2.14.3
+
diff --git a/docker.changes b/docker.changes
index 894ea65..29ba17a 100644
--- a/docker.changes
+++ b/docker.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Nov 7 16:47:01 UTC 2017 - asarai@suse.com
+
+- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a
+ security issue where a maliciously crafted image could be used to crash a
+ Docker daemon. bsc#1066210 CVE-2017-14992
+ + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
+
 -------------------------------------------------------------------
 Tue Nov 7 09:00:31 UTC 2017 - asarai@suse.com
 
diff --git a/docker.spec b/docker.spec
index 61173fa..4ef0b21 100644
--- a/docker.spec
+++ b/docker.spec
@@ -70,6 +70,8 @@ Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-a
 Patch403: bsc1064781-0001-Allow-to-override-build-date.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539
 Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992
+Patch405: bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
 BuildRequires: audit
 BuildRequires: bash-completion
 BuildRequires: ca-certificates
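Review bot: `Payload: paddingChunk[:n]` hands the packer a slice of a buffer that the very next `outputRdr.Read` overwrites, so the loop is correct only if `p.AddEntry` copies or fully serializes the payload before it returns; nothing in the hunk records that contract, and a Packer implementation that retained the slice would silently corrupt earlier padding segments. I would add above the `AddEntry` call: `// paddingChunk is reused on every iteration: AddEntry must consume Payload before returning, never retain it.` The chunking bounds the read buffer at 1 MiB but not the number of entries — a multi-gigabyte padding tail still yields one SegmentType entry per MiB, so the memory-exhaustion fix holds only if the Packer streams entries out rather than accumulating them, which is worth stating in that comment as well. When Read returns 0 bytes with io.EOF an empty segment entry is still emitted, which matches the old ReadAll path and so is not a regression. NewInputTarStream begins outside the hunk; only the tail of the closure ending in `}()` is visible here.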
@@ -195,6 +197,8 @@ Test package for docker. It contains the source code and the tests.
 %patch403 -p1 -d components/engine
 # boo#1066801 CVE-2017-16539
 %patch404 -p1 -d components/engine
+# boo#1066210 CVE-2017-14992
+%patch405 -p1 -d components/engine
 cp %{SOURCE7} .
 cp %{SOURCE9} .