Accepting request 539622 from home:cyphar:containers:docker_CVE-2017-14992
- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a security issue where a maliciously crafted image could be used to crash a Docker daemon. bsc#1066210 CVE-2017-14992 + bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch OBS-URL: https://build.opensuse.org/request/show/539622 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=212
This commit is contained in:
parent
2c5d57165f
commit
ca68434d79
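--- /dev/null
+++ b/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
@@ -0,0 +1,118 @@
+From b5cf56bc7f734ed8bfad4119fb817261e541a609 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Wed, 8 Nov 2017 02:50:52 +1100
+Subject: [PATCH] vendor: update to github.com/vbatts/tar-split@v0.10.2
+
+Update to the latest version of tar-split, which includes a change to
+fix a memory exhaustion issue where a malformed image could cause the
+Docker daemon to crash.
+
+* tar: asm: store padding in chunks to avoid memory exhaustion
+
+Fixes: CVE-2017-14992
+SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066210
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+vendor.conf | 2 +-
+vendor/github.com/vbatts/tar-split/README.md | 3 +-
+.../vbatts/tar-split/tar/asm/disassemble.go | 43 ++++++++++++++--------
+3 files changed, 31 insertions(+), 17 deletions(-)
+
+diff --git a/vendor.conf b/vendor.conf
+index 535adad38728..ea4f75bbea10 100644
+--- a/vendor.conf
++++ b/vendor.conf
+@@ -53,7 +53,7 @@ github.com/miekg/dns 75e6e86cc601825c5dbcd4e0c209eab180997cd7
+
+# get graph and distribution packages
+github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621
+-github.com/vbatts/tar-split v0.10.1
++github.com/vbatts/tar-split v0.10.2
+github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
+
+# get go-zfs packages
+diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md
+index 4c544d823fbc..03e3ec4308b7 100644
+--- a/vendor/github.com/vbatts/tar-split/README.md
++++ b/vendor/github.com/vbatts/tar-split/README.md
+@@ -1,6 +1,7 @@
+# tar-split
+
+[![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split)
++[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split)
+
+Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive.
+
+@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a
+contiguous file, though the archive contents may be recorded in sparse format.
+Therefore when adding the file payload to a reassembled tar, to achieve
+identical output, the file payload would need be precisely re-sparsified. This
+-is not something I seek to fix imediately, but would rather have an alert that
++is not something I seek to fix immediately, but would rather have an alert that
+precise reassembly is not possible.
+(see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html)
+
+diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+index 54ef23aed366..009b3f5d8124 100644
+--- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
++++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
+@@ -2,7 +2,6 @@ package asm
+
+import (
+"io"
+- "io/ioutil"
+
+"github.com/vbatts/tar-split/archive/tar"
+"github.com/vbatts/tar-split/tar/storage"
+@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io
+}
+}
+
+- // it is allowable, and not uncommon that there is further padding on the
+- // end of an archive, apart from the expected 1024 null bytes.
+- remainder, err := ioutil.ReadAll(outputRdr)
+- if err != nil && err != io.EOF {
+- pW.CloseWithError(err)
+- return
+- }
+- _, err = p.AddEntry(storage.Entry{
+- Type: storage.SegmentType,
+- Payload: remainder,
+- })
+- if err != nil {
+- pW.CloseWithError(err)
+- return
++ // It is allowable, and not uncommon that there is further padding on
++ // the end of an archive, apart from the expected 1024 null bytes. We
++ // do this in chunks rather than in one go to avoid cases where a
++ // maliciously crafted tar file tries to trick us into reading many GBs
++ // into memory.
++ const paddingChunkSize = 1024 * 1024
++ var paddingChunk [paddingChunkSize]byte
++ for {
++ var isEOF bool
++ n, err := outputRdr.Read(paddingChunk[:])
++ if err != nil {
++ if err != io.EOF {
++ pW.CloseWithError(err)
++ return
++ }
++ isEOF = true
++ }
++ _, err = p.AddEntry(storage.Entry{
++ Type: storage.SegmentType,
++ Payload: paddingChunk[:n],
++ })
++ if err != nil {
++ pW.CloseWithError(err)
++ return
++ }
++ if isEOF {
++ break
++ }
+}
+pW.Close()
+}()
+--
+2.14.3
+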
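Review bot: In the disassemble.go hunk, `Payload: paddingChunk[:n]` hands `p.AddEntry` a slice into a buffer that the next loop iteration overwrites, so the fix is only correct if the Packer copies or fully serializes the payload before returning; the Packer implementation is outside this patch, so that contract is not visible here. If it is not guaranteed, detaching the chunk with `Payload: append([]byte(nil), paddingChunk[:n]...),` costs at most 1 MiB per iteration and removes the aliasing, otherwise a comment such as `// paddingChunk is reused; AddEntry must not retain Payload` would document the dependency. Two smaller observations: a reader that returns `(0, nil)` will append empty SegmentType entries until it reports EOF, and archives with more than 1 MiB of trailing padding now yield several trailing segment entries where the old code produced one, which consumers of the metadata stream presumably tolerate since segments are concatenated on reassembly. The enclosing goroutine in NewInputTarStream starts outside the hunk.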
@ -1,3 +1,11 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Nov 7 16:47:01 UTC 2017 - asarai@suse.com
|
||||||
|
|
||||||
|
- Add a backport of https://github.com/moby/moby/pull/35424, which fixes a
|
||||||
|
security issue where a maliciously crafted image could be used to crash a
|
||||||
|
Docker daemon. bsc#1066210 CVE-2017-14992
|
||||||
|
+ bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Nov 7 09:00:31 UTC 2017 - asarai@suse.com
|
Tue Nov 7 09:00:31 UTC 2017 - asarai@suse.com
|
||||||
|
|
||||||
|
@ -70,6 +70,8 @@ Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-a
|
|||||||
Patch403: bsc1064781-0001-Allow-to-override-build-date.patch
|
Patch403: bsc1064781-0001-Allow-to-override-build-date.patch
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539
|
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539
|
||||||
Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
|
Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
|
||||||
|
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992
|
||||||
|
Patch405: bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
|
||||||
BuildRequires: audit
|
BuildRequires: audit
|
||||||
BuildRequires: bash-completion
|
BuildRequires: bash-completion
|
||||||
BuildRequires: ca-certificates
|
BuildRequires: ca-certificates
|
||||||
@ -195,6 +197,8 @@ Test package for docker. It contains the source code and the tests.
|
|||||||
%patch403 -p1 -d components/engine
|
%patch403 -p1 -d components/engine
|
||||||
# boo#1066801 CVE-2017-16539
|
# boo#1066801 CVE-2017-16539
|
||||||
%patch404 -p1 -d components/engine
|
%patch404 -p1 -d components/engine
|
||||||
|
# boo#1066210 CVE-2017-14992
|
||||||
|
%patch405 -p1 -d components/engine
|
||||||
|
|
||||||
cp %{SOURCE7} .
|
cp %{SOURCE7} .
|
||||||
cp %{SOURCE9} .
|
cp %{SOURCE9} .
|
||||||
|