Commit 5bee6ded authored by Felix Geyer's avatar Felix Geyer

Add upstream patch for CVE-2019-14271

parent 62fc646c
From 706204124878a97142be511c0c46bcc16b43b0bd Mon Sep 17 00:00:00 2001
From: Justin Cormack <justin.cormack@docker.com>
Date: Thu, 25 Jul 2019 15:24:39 +0100
Subject: [PATCH] Initialize nss libraries in Glibc so that the dynamic
libraries are loaded in the host environment not in the chroot from untrusted
files.
See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit a316b10dab79d9298b02c7930958ed52e0ccf4e4)
---
pkg/engine/chrootarchive/archive.go | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/engine/pkg/chrootarchive/archive.go b/engine/pkg/chrootarchive/archive.go
index 6ff61e6a767a..83ed0c6b2feb 100644
--- a/engine/pkg/chrootarchive/archive.go
+++ b/engine/pkg/chrootarchive/archive.go
@@ -4,13 +4,22 @@ import (
"fmt"
"io"
"io/ioutil"
+ "net"
"os"
+ "os/user"
"path/filepath"
"github.com/docker/docker/pkg/archive"
"github.com/docker/docker/pkg/idtools"
)
+func init() {
+ // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
+ // environment not in the chroot from untrusted files.
+ _, _ = user.Lookup("docker")
+ _, _ = net.LookupHost("localhost")
+}
+
// NewArchiver returns a new Archiver which uses chrootarchive.Untar
func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
if idMapping == nil {
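Review bot: The discarded results on `_, _ = user.Lookup("docker")` and `_, _ = net.LookupHost("localhost")` carry no explanation that both names are arbitrary and that only the side effect matters, so a later reader may "fix" the ignored errors or drop the calls as dead code. I would extend the comment to `// Results are deliberately ignored and the names are arbitrary: the calls exist only to make glibc dlopen its NSS modules (libnss_*) from the host before any chroot, so they are never loaded from an untrusted rootfs.` The protection also depends on the lookups actually going through glibc: a binary built with CGO_ENABLED=0 or run with GODEBUG=netdns=go uses the pure-Go resolvers and this init becomes a silent no-op, which is worth stating in the comment since the build configuration is not visible here. Only the modules that the host nsswitch.conf consults for the passwd and hosts databases get preloaded; a later lookup against another database (group, for instance) could presumably still trigger a lazy load inside the chroot, so exercising `user.LookupGroup` here as well would close that gap. NewArchiver's body continues past the end of the hunk.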
......@@ -20,6 +20,7 @@ cve-2019-13509-01-TestMaskSecretKeys-add-more-test-cases.patch
cve-2019-13509-02-TestMaskSecretKeys-use-subtests.patch
cve-2019-13509-03-DebugRequestMiddleware-unconditionally-scrub-data-field.patch
cve-2019-13509-04-DebugRequestMiddleware-Remove-path-handling.patch
cve-2019-14271-Initialize-nss-libraries-in-Glibc.patch
engine-contrib-debootstrap-curl-follow-location.patch
engine-test-noinstall.patch