Accepting request 539622 from home:cyphar:containers:docker_CVE-2017-14992

- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a security issue where a maliciously crafted image could be used to crash a Docker daemon. bsc#1066210 CVE-2017-14992 + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch OBS-URL: https://build.opensuse.org/request/show/539622 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=212
2017-11-07 17:23:31 +00:00 · 2017-11-07 17:23:31 +00:00 · ca68434d79
commit ca68434d79
parent 2c5d57165f
3 changed files with 130 additions and 0 deletions
--- a/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
+++ b/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
@ -0,0 +1,118 @@
+From b5cf56bc7f734ed8bfad4119fb817261e541a609 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Wed, 8 Nov 2017 02:50:52 +1100
+Subject: [PATCH] vendor: update to github.com/vbatts/tar-split@v0.10.2
+
+Update to the latest version of tar-split, which includes a change to
+fix a memory exhaustion issue where a malformed image could cause the
+Docker daemon to crash.
+
+  * tar: asm: store padding in chunks to avoid memory exhaustion
+
+Fixes: CVE-2017-14992
+SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066210
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ vendor.conf                                        |  2 +-
+ vendor/github.com/vbatts/tar-split/README.md       |  3 +-
+ .../vbatts/tar-split/tar/asm/disassemble.go        | 43 ++++++++++++++--------
+ 3 files changed, 31 insertions(+), 17 deletions(-)
+
+diff --git a/vendor.conf b/vendor.conf
+index 535adad38728..ea4f75bbea10 100644
+--- a/vendor.conf
+++ b/vendor.conf
+@@ -53,7 +53,7 @@ github.com/miekg/dns 75e6e86cc601825c5dbcd4e0c209eab180997cd7
+ 
+ # get graph and distribution packages
+ github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621
+-github.com/vbatts/tar-split v0.10.1
+github.com/vbatts/tar-split v0.10.2
+ github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
+ 
+ # get go-zfs packages
+diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md
+index 4c544d823fbc..03e3ec4308b7 100644
+--- a/vendor/github.com/vbatts/tar-split/README.md
+++ b/vendor/github.com/vbatts/tar-split/README.md
+@@ -1,6 +1,7 @@
+ # tar-split
+ 
+ [![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split)
+[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split)
+ 
+ Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive.
+ 
+@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a
+ contiguous file, though the archive contents may be recorded in sparse format.
+ Therefore when adding the file payload to a reassembled tar, to achieve
+ identical output, the file payload would need be precisely re-sparsified. This
+-is not something I seek to fix imediately, but would rather have an alert that
+is not something I seek to fix immediately, but would rather have an alert that
+ precise reassembly is not possible.
+ (see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html)
+ 
+diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+index 54ef23aed366..009b3f5d8124 100644
+--- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+@@ -2,7 +2,6 @@ package asm
+ 
+ import (
+ 	"io"
+-	"io/ioutil"
+ 
+ 	"github.com/vbatts/tar-split/archive/tar"
+ 	"github.com/vbatts/tar-split/tar/storage"
+@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io
+ 			}
+ 		}
+ 
+-		// it is allowable, and not uncommon that there is further padding on the
+-		// end of an archive, apart from the expected 1024 null bytes.
+-		remainder, err := ioutil.ReadAll(outputRdr)
+-		if err != nil && err != io.EOF {
+-			pW.CloseWithError(err)
+-			return
+-		}
+-		_, err = p.AddEntry(storage.Entry{
+-			Type:    storage.SegmentType,
+-			Payload: remainder,
+-		})
+-		if err != nil {
+-			pW.CloseWithError(err)
+-			return
+		// It is allowable, and not uncommon that there is further padding on
+		// the end of an archive, apart from the expected 1024 null bytes. We
+		// do this in chunks rather than in one go to avoid cases where a
+		// maliciously crafted tar file tries to trick us into reading many GBs
+		// into memory.
+		const paddingChunkSize = 1024 * 1024
+		var paddingChunk [paddingChunkSize]byte
+		for {
+			var isEOF bool
+			n, err := outputRdr.Read(paddingChunk[:])
+			if err != nil {
+				if err != io.EOF {
+					pW.CloseWithError(err)
+					return
+				}
+				isEOF = true
+			}
+			_, err = p.AddEntry(storage.Entry{
+				Type:    storage.SegmentType,
+				Payload: paddingChunk[:n],
+			})
+			if err != nil {
+				pW.CloseWithError(err)
+				return
+			}
+			if isEOF {
+				break
+			}
+ 		}
+ 		pW.Close()
+ 	}()
+-- 
+2.14.3
+
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Nov  7 16:47:01 UTC 2017 - asarai@suse.com
+
+- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a
+  security issue where a maliciously crafted image could be used to crash a
+  Docker daemon. bsc#1066210 CVE-2017-14992
+  + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
+
 -------------------------------------------------------------------
 Tue Nov  7 09:00:31 UTC 2017 - asarai@suse.com

--- a/docker.spec
+++ b/docker.spec
@ -70,6 +70,8 @@ Patch402:       bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-a
 Patch403:       bsc1064781-0001-Allow-to-override-build-date.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539
 Patch404:       bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992
+Patch405:       bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@ -195,6 +197,8 @@ Test package for docker. It contains the source code and the tests.
 %patch403 -p1 -d components/engine
 # boo#1066801 CVE-2017-16539
 %patch404 -p1 -d components/engine
+# boo#1066210 CVE-2017-14992
+%patch405 -p1 -d components/engine

 cp %{SOURCE7} .
 cp %{SOURCE9} .