From f65082028201bf5b9859a6611819a1da58297aa34ff5fd1530269bc6de08e367 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Jun 2016 14:50:53 +0000 Subject: [PATCH] * Removed patches: - cve-2016-3697-numeric-uid.patch (merged upstream in gh@docker/docker#22998). * Update Docker to 1.11.2. Changelog from upstream: * Networking * Fix a stale endpoint issue on overlay networks during ungraceful restart (#23015) * Fix an issue where the wrong port could be reported by docker inspect/ps/port (#22997) * Runtime * Fix a potential panic when running docker build (#23032) * Fix interpretation of --user parameter (#22998) * Fix a bug preventing container statistics to be correctly reported (#22955) * Fix an issue preventing container to be restarted after daemon restart (#22947) * Fix issues when running 32 bit binaries on Ubuntu 16.04 (#22922) * Fix a possible deadlock on image deletion and container attach (#22918) * Fix an issue where containers fail to start after a daemon restart if they depend on a containerized cluster store (#22561) * Fix an issue causing docker ps to hang on CentOS when using devicemapper (#22168, #23067) * Fix a bug preventing to docker exec into a container when using devicemapper (#22168, #23067) OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=109 --- _service | 4 +- cve-2016-3697-numeric-uid.patch | 316 -------------------------------- docker-1.11.1.tar.xz | 3 - docker-1.11.2.tar.xz | 3 + docker.changes | 30 ++- docker.spec | 9 +- 6 files changed, 36 insertions(+), 329 deletions(-) delete mode 100644 cve-2016-3697-numeric-uid.patch delete mode 100644 docker-1.11.1.tar.xz create mode 100644 docker-1.11.2.tar.xz diff --git a/_service b/_service index 8c8e395..236259a 100644 --- a/_service +++ b/_service @@ -3,8 +3,8 @@ https://github.com/docker/docker.git git .git - 1.11.1 - v1.11.1 + 1.11.2 + v1.11.2 docker-*.tar diff --git a/cve-2016-3697-numeric-uid.patch b/cve-2016-3697-numeric-uid.patch deleted file mode 100644 index 1bf30e4..0000000 --- a/cve-2016-3697-numeric-uid.patch +++ /dev/null @@ -1,316 +0,0 @@ -From d67c0bf0caf26358f5345d6c0ac039026c46bd1e Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Fri, 22 Apr 2016 20:36:43 +1000 -Subject: [PATCH] libcontainer: user: always treat numeric ids numerically - -Most shadow-related tools don't treat numeric ids as potential -usernames, so change our behaviour to match that. Previously, using an -explicit specification like 111:222 could result in the UID and GID not -being 111 and 222 respectively (which is confusing). - -Some of the code was quite confusing inside libcontainer/user, so -refactor and comment it so future maintainers can understand what's -going and what edge cases we have to deal with. - -This fixes CVE-2016-3697. - -Signed-off-by: Aleksa Sarai ---- - .../runc/libcontainer/user/lookup.go | 3 + - .../opencontainers/runc/libcontainer/user/user.go | 149 ++++++++++++--------- - 2 files changed, 89 insertions(+), 63 deletions(-) - -diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go b/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go -index 6f8a982..7062940 100644 ---- a/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go -+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/user/lookup.go -@@ -9,6 +9,9 @@ import ( - var ( - // The current operating system does not provide the required data for user lookups. - ErrUnsupported = errors.New("user lookup: operating system does not provide passwd-formatted data") -+ // No matching entries found in file. -+ ErrNoPasswdEntries = errors.New("no matching entries in passwd file") -+ ErrNoGroupEntries = errors.New("no matching entries in group file") - ) - - func lookupUser(filter func(u User) bool) (User, error) { -diff --git a/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go b/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go -index e6375ea..43fd39e 100644 ---- a/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go -+++ b/vendor/src/github.com/opencontainers/runc/libcontainer/user/user.go -@@ -15,7 +15,7 @@ const ( - ) - - var ( -- ErrRange = fmt.Errorf("Uids and gids must be in range %d-%d", minId, maxId) -+ ErrRange = fmt.Errorf("uids and gids must be in range %d-%d", minId, maxId) - ) - - type User struct { -@@ -42,29 +42,30 @@ func parseLine(line string, v ...interface{}) { - - parts := strings.Split(line, ":") - for i, p := range parts { -+ // Ignore cases where we don't have enough fields to populate the arguments. -+ // Some configuration files like to misbehave. - if len(v) <= i { -- // if we have more "parts" than we have places to put them, bail for great "tolerance" of naughty configuration files - break - } - -+ // Use the type of the argument to figure out how to parse it, scanf() style. -+ // This is legit. - switch e := v[i].(type) { - case *string: -- // "root", "adm", "/bin/bash" - *e = p - case *int: -- // "0", "4", "1000" -- // ignore string to int conversion errors, for great "tolerance" of naughty configuration files -+ // "numbers", with conversion errors ignored because of some misbehaving configuration files. - *e, _ = strconv.Atoi(p) - case *[]string: -- // "", "root", "root,adm,daemon" -+ // Comma-separated lists. - if p != "" { - *e = strings.Split(p, ",") - } else { - *e = []string{} - } - default: -- // panic, because this is a programming/logic error, not a runtime one -- panic("parseLine expects only pointers! argument " + strconv.Itoa(i) + " is not a pointer!") -+ // Someone goof'd when writing code using this function. Scream so they can hear us. -+ panic(fmt.Sprintf("parseLine only accepts {*string, *int, *[]string} as arguments! %#v is not a pointer!", e)) - } - } - } -@@ -106,8 +107,8 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) { - return nil, err - } - -- text := strings.TrimSpace(s.Text()) -- if text == "" { -+ line := strings.TrimSpace(s.Text()) -+ if line == "" { - continue - } - -@@ -117,10 +118,7 @@ func ParsePasswdFilter(r io.Reader, filter func(User) bool) ([]User, error) { - // root:x:0:0:root:/root:/bin/bash - // adm:x:3:4:adm:/var/adm:/bin/false - p := User{} -- parseLine( -- text, -- &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell, -- ) -+ parseLine(line, &p.Name, &p.Pass, &p.Uid, &p.Gid, &p.Gecos, &p.Home, &p.Shell) - - if filter == nil || filter(p) { - out = append(out, p) -@@ -135,6 +133,7 @@ func ParseGroupFile(path string) ([]Group, error) { - if err != nil { - return nil, err - } -+ - defer group.Close() - return ParseGroup(group) - } -@@ -178,10 +177,7 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) { - // root:x:0:root - // adm:x:4:root,adm,daemon - p := Group{} -- parseLine( -- text, -- &p.Name, &p.Pass, &p.Gid, &p.List, -- ) -+ parseLine(text, &p.Name, &p.Pass, &p.Gid, &p.List) - - if filter == nil || filter(p) { - out = append(out, p) -@@ -192,9 +188,10 @@ func ParseGroupFilter(r io.Reader, filter func(Group) bool) ([]Group, error) { - } - - type ExecUser struct { -- Uid, Gid int -- Sgids []int -- Home string -+ Uid int -+ Gid int -+ Sgids []int -+ Home string - } - - // GetExecUserPath is a wrapper for GetExecUser. It reads data from each of the -@@ -235,12 +232,12 @@ func GetExecUserPath(userSpec string, defaults *ExecUser, passwdPath, groupPath - // * "uid:gid - // * "user:gid" - // * "uid:group" -+// -+// It should be noted that if you specify a numeric user or group id, they will -+// not be evaluated as usernames (only the metadata will be filled). So attempting -+// to parse a user with user.Name = "1337" will produce the user with a UID of -+// 1337. - func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) (*ExecUser, error) { -- var ( -- userArg, groupArg string -- name string -- ) -- - if defaults == nil { - defaults = new(ExecUser) - } -@@ -258,87 +255,113 @@ func GetExecUser(userSpec string, defaults *ExecUser, passwd, group io.Reader) ( - user.Sgids = []int{} - } - -- // allow for userArg to have either "user" syntax, or optionally "user:group" syntax -+ // Allow for userArg to have either "user" syntax, or optionally "user:group" syntax -+ var userArg, groupArg string - parseLine(userSpec, &userArg, &groupArg) - -+ // Convert userArg and groupArg to be numeric, so we don't have to execute -+ // Atoi *twice* for each iteration over lines. -+ uidArg, uidErr := strconv.Atoi(userArg) -+ gidArg, gidErr := strconv.Atoi(groupArg) -+ -+ // Find the matching user. - users, err := ParsePasswdFilter(passwd, func(u User) bool { - if userArg == "" { -+ // Default to current state of the user. - return u.Uid == user.Uid - } -- return u.Name == userArg || strconv.Itoa(u.Uid) == userArg -+ -+ if uidErr == nil { -+ // If the userArg is numeric, always treat it as a UID. -+ return uidArg == u.Uid -+ } -+ -+ return u.Name == userArg - }) -+ -+ // If we can't find the user, we have to bail. - if err != nil && passwd != nil { - if userArg == "" { - userArg = strconv.Itoa(user.Uid) - } -- return nil, fmt.Errorf("Unable to find user %v: %v", userArg, err) -+ return nil, fmt.Errorf("unable to find user %s: %v", userArg, err) - } - -- haveUser := users != nil && len(users) > 0 -- if haveUser { -- // if we found any user entries that matched our filter, let's take the first one as "correct" -- name = users[0].Name -+ var matchedUserName string -+ if len(users) > 0 { -+ // First match wins, even if there's more than one matching entry. -+ matchedUserName = users[0].Name - user.Uid = users[0].Uid - user.Gid = users[0].Gid - user.Home = users[0].Home - } else if userArg != "" { -- // we asked for a user but didn't find them... let's check to see if we wanted a numeric user -- user.Uid, err = strconv.Atoi(userArg) -- if err != nil { -- // not numeric - we have to bail -- return nil, fmt.Errorf("Unable to find user %v", userArg) -+ // If we can't find a user with the given username, the only other valid -+ // option is if it's a numeric username with no associated entry in passwd. -+ -+ if uidErr != nil { -+ // Not numeric. -+ return nil, fmt.Errorf("unable to find user %s: %v", userArg, ErrNoPasswdEntries) - } -+ user.Uid = uidArg - - // Must be inside valid uid range. - if user.Uid < minId || user.Uid > maxId { - return nil, ErrRange - } - -- // if userArg couldn't be found in /etc/passwd but is numeric, just roll with it - this is legit -+ // Okay, so it's numeric. We can just roll with this. - } - -- if groupArg != "" || name != "" { -+ // On to the groups. If we matched a username, we need to do this because of -+ // the supplementary group IDs. -+ if groupArg != "" || matchedUserName != "" { - groups, err := ParseGroupFilter(group, func(g Group) bool { -- // Explicit group format takes precedence. -- if groupArg != "" { -- return g.Name == groupArg || strconv.Itoa(g.Gid) == groupArg -+ // If the group argument isn't explicit, we'll just search for it. -+ if groupArg == "" { -+ // Check if user is a member of this group. -+ for _, u := range g.List { -+ if u == matchedUserName { -+ return true -+ } -+ } -+ return false - } - -- // Check if user is a member. -- for _, u := range g.List { -- if u == name { -- return true -- } -+ if gidErr == nil { -+ // If the groupArg is numeric, always treat it as a GID. -+ return gidArg == g.Gid - } - -- return false -+ return g.Name == groupArg - }) - if err != nil && group != nil { -- return nil, fmt.Errorf("Unable to find groups for user %v: %v", users[0].Name, err) -+ return nil, fmt.Errorf("unable to find groups for spec %v: %v", matchedUserName, err) - } - -- haveGroup := groups != nil && len(groups) > 0 -+ // Only start modifying user.Gid if it is in explicit form. - if groupArg != "" { -- if haveGroup { -- // if we found any group entries that matched our filter, let's take the first one as "correct" -+ if len(groups) > 0 { -+ // First match wins, even if there's more than one matching entry. - user.Gid = groups[0].Gid -- } else { -- // we asked for a group but didn't find id... let's check to see if we wanted a numeric group -- user.Gid, err = strconv.Atoi(groupArg) -- if err != nil { -- // not numeric - we have to bail -- return nil, fmt.Errorf("Unable to find group %v", groupArg) -+ } else if groupArg != "" { -+ // If we can't find a group with the given name, the only other valid -+ // option is if it's a numeric group name with no associated entry in group. -+ -+ if gidErr != nil { -+ // Not numeric. -+ return nil, fmt.Errorf("unable to find group %s: %v", groupArg, ErrNoGroupEntries) - } -+ user.Gid = gidArg - -- // Ensure gid is inside gid range. -+ // Must be inside valid gid range. - if user.Gid < minId || user.Gid > maxId { - return nil, ErrRange - } - -- // if groupArg couldn't be found in /etc/group but is numeric, just roll with it - this is legit -+ // Okay, so it's numeric. We can just roll with this. - } -- } else if haveGroup { -- // If implicit group format, fill supplementary gids. -+ } else if len(groups) > 0 { -+ // Supplementary group ids only make sense if in the implicit form. - user.Sgids = make([]int, len(groups)) - for i, group := range groups { - user.Sgids[i] = group.Gid --- -2.8.1 - diff --git a/docker-1.11.1.tar.xz b/docker-1.11.1.tar.xz deleted file mode 100644 index 5aa1f18..0000000 --- a/docker-1.11.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d36c5f677ea5ddb77b25552509217674cd18a526f1e86202befb69fa1f9a242f -size 8794588 diff --git a/docker-1.11.2.tar.xz b/docker-1.11.2.tar.xz new file mode 100644 index 0000000..62254d4 --- /dev/null +++ b/docker-1.11.2.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:279ade8e90c40e4a9b10fe570313aef0672b9ee3858d6ce78295ee448775db34 +size 8797368 diff --git a/docker.changes b/docker.changes index 30154b9..a253dfa 100644 --- a/docker.changes +++ b/docker.changes @@ -1,7 +1,35 @@ +------------------------------------------------------------------- +Wed Jun 8 14:42:08 UTC 2016 - asarai@suse.de + +* Removed patches: + - cve-2016-3697-numeric-uid.patch (merged upstream in gh@docker/docker#22998). +* Update Docker to 1.11.2. Changelog from upstream: + +* Networking + * Fix a stale endpoint issue on overlay networks during ungraceful restart + (#23015) + * Fix an issue where the wrong port could be reported by docker + inspect/ps/port (#22997) + +* Runtime + * Fix a potential panic when running docker build (#23032) + * Fix interpretation of --user parameter (#22998) + * Fix a bug preventing container statistics to be correctly reported (#22955) + * Fix an issue preventing container to be restarted after daemon restart + (#22947) + * Fix issues when running 32 bit binaries on Ubuntu 16.04 (#22922) + * Fix a possible deadlock on image deletion and container attach (#22918) + * Fix an issue where containers fail to start after a daemon restart if they + depend on a containerized cluster store (#22561) + * Fix an issue causing docker ps to hang on CentOS when using devicemapper + (#22168, #23067) + * Fix a bug preventing to docker exec into a container when using + devicemapper (#22168, #23067) + ------------------------------------------------------------------- Fri May 20 10:26:39 UTC 2016 - jmassaguerpla@suse.com -- Fix udev files ownership +- Fix udev files ownership ------------------------------------------------------------------- Wed May 18 14:21:09 UTC 2016 - asarai@suse.de diff --git a/docker.spec b/docker.spec index f101c1e..360bd8c 100644 --- a/docker.spec +++ b/docker.spec @@ -22,10 +22,10 @@ %define git_version 9e83765 %define go_arches %ix86 x86_64 aarch64 -%define version_unconverted 1.11.1 +%define version_unconverted 1.11.2 Name: docker -Version: 1.11.1 +Version: 1.11.2 Release: 0 Summary: The Linux container runtime License: Apache-2.0 @@ -54,9 +54,6 @@ Patch200: docker-mount-secrets.patch Patch101: gcc-go-patches.patch Patch102: netlink_gcc_go.patch Patch103: netlink_netns_powerpc.patch -# This fixes bsc#976777. While the fix is upstream, it isn't in Docker 1.10.3 or -# Docker 1.11.0. This patch was squashed and cherry-picked from runc#708. -Patch301: cve-2016-3697-numeric-uid.patch # This fixes bnc#964673. This fix is in boltdb upstream, but has yet to be # merged into Docker (in a vendor commit). This patch was cherry-picked from # bolt#555. @@ -177,8 +174,6 @@ Test package for docker. It contains the source code and the tests. %patch102 -p1 %patch103 -p1 %endif -# bsc#976777 -%patch301 -p1 # bnc#964673 %patch302 -p1 cp %{SOURCE7} .