From 9d4f69f055a540281ea64153056be6c8628d09d5 Mon Sep 17 00:00:00 2001
From: zjw
Date: Wed, 29 Jun 2022 09:54:58 +0800
Subject: [PATCH] fix CVE-2021-41089 fix #I5CA8X

---
 VERSION-openeuler | 2 +-
 docker.spec | 8 ++-
 git-commit | 2 +-
 ...n-t-create-parent-dirs-outside-of-ch.patch | 53 +++++++++++++++++++
 series.conf | 1 +
 5 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch

diff --git a/VERSION-openeuler b/VERSION-openeuler
index 744e840..b31b25a 100644
--- a/VERSION-openeuler
+++ b/VERSION-openeuler
@@ -1 +1 @@
-18.09.0.303
+18.09.0.304
diff --git a/docker.spec b/docker.spec
index 29524e3..aee4ee7 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 303
+Release: 304
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -212,6 +212,12 @@ fi
 %endif
 %changelog
+* Wed Jun 29 2022 zjw - 18.09.0-304
+- Type:CVE
+- CVE:CVE-2021-41089
+- SUG:NA
+- DESC:fix CVE-2021-41089
+
 * Wed Jun 29 2022 zjw - 18.09.0-303
 - Type:bugfix
 - CVE:NA
diff --git a/git-commit b/git-commit
index 8a3eaa5..c1a3099 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-7e7815ae0b96872d235f46c6624cc4b695d04dfa
+3dc987a07f741fc5043f8bc5ee3dc326418e9437
diff --git a/patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch b/patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
new file mode 100644
index 0000000..8987975
--- /dev/null
+++ b/patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
@@ -0,0 +1,53 @@
+From 80f1169eca587305759829e626cebd2a434664f6 Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi
+Date: Wed, 19 May 2021 16:51:35 -0700
+Subject: [PATCH] chrootarchive: don't create parent dirsoutside of chroot
+
+If chroot is used with a special root directory then create
+destination directory within chroot. This works automatically
+already due to extractor creating parent paths and is only
+used currently with cp where parent paths are actually required
+and error will be shown to user before reaching this point.
+
+Signed-off-by: Tonis Tiigi
+(cherry picked from commit 52d285184068998c22632bfb869f6294b5613a58)
+Signed-off-by: Brian Goff
+
+Conflict:NA
+Reference:https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a
+
+---
+ components/engine/pkg/chrootarchive/archive.go | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/pkg/chrootarchive/archive.go b/components/engine/pkg/chrootarchive/archive.go
+index 6ff61e6a7..9926b63b8 100644
+--- a/components/engine/pkg/chrootarchive/archive.go
++++ b/components/engine/pkg/chrootarchive/archive.go
+@@ -65,13 +65,17 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions
+ options.ExcludePatterns = []string{}
+ }
+
+- idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
+- rootIDs := idMapping.RootPair()
++ // If dest is inside a root then directory is created within chroot by extractor.
++ // This case is only currently used by cp.
++ if dest == root {
++ idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
++ rootIDs := idMapping.RootPair()
+
+- dest = filepath.Clean(dest)
+- if _, err := os.Stat(dest); os.IsNotExist(err) {
+- if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {
+- return err
++ dest = filepath.Clean(dest)
++ if _, err := os.Stat(dest); os.IsNotExist(err) {
++ if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {
++ return err
++ }
+ }
+ }
+
+--
+2.30.0
+
diff --git a/series.conf b/series.conf
index cda2c9a..f2ccdfd 100644
--- a/series.conf
+++ b/series.conf
@@ -223,4 +223,5 @@ patch/0222-docker-Use-original-process-spec-for-execs.patch
 patch/0223-docker-fix-CVE-2022-24769.patch
 patch/0224-fix-rwlayer-umountd-after-container-restart.patch
 patch/0225-docker-close-channel-in-write-side-to-avoid-panic-in.patch
+patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
 #end
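Review bot: The comment placed above the new `if dest == root` branch in the nested archive.go hunk describes the case the branch does not handle: the host-side `MkdirAllAndChownNew` now runs only when dest is the chroot root itself, while a dest inside the root is left to the extractor, so a reader has to invert the comment to understand the guard. I would reword it to `// Only create dest on the host when it is the chroot root itself; a dest inside the root is created within the chroot by the extractor (currently only the cp path relies on this).` A smaller point is that `dest` is now cleaned only inside the branch, so the equality test sees the raw string: a spelling such as `root+"/"` skips the host-side mkdir and falls through to the extractor, which is the safe side but may not be what the caller intends, and `if filepath.Clean(dest) == filepath.Clean(root) {` would make the branch robust to that, assuming `root` is a string parameter as the truncated hunk header suggests. `untarHandler` begins and ends outside this hunk, so where the possibly-uncleaned `dest` is used afterwards is not visible here.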