From fc3bc485d1abefc8df06e58b4f337d576e361a64 Mon Sep 17 00:00:00 2001
From: chenjiankun
Date: Thu, 15 Sep 2022 10:48:15 +0800
Subject: [PATCH] docker: fix CVE-2022-36109

fix #I5QLCS
---
 VERSION-openeuler | 2 +-
 docker.spec | 8 ++++-
 git-commit | 2 +-
 ...lGids-must-include-effective-group-I.patch | 32 +++++++++++++++++++
 series.conf | 1 +
 5 files changed, 42 insertions(+), 3 deletions(-)
 create mode 100644 patch/0231-docker-AdditionalGids-must-include-effective-group-I.patch

diff --git a/VERSION-openeuler b/VERSION-openeuler
index b612bc0..5ee9620 100644
--- a/VERSION-openeuler
+++ b/VERSION-openeuler
@@ -1 +1 @@
-18.09.0.308
+18.09.0.309
diff --git a/docker.spec b/docker.spec
index 856dacc..957d0a3 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 308
+Release: 309
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -212,6 +212,12 @@ fi
 %endif
 %changelog
+* Thu Sep 15 2022 chenjiankun - 18.09.0-309
+- Type:CVE
+- CVE:CVE-2022-36109
+- SUG:NA
+- DESC:fix CVE-2022-36109
+
 * Tue Sep 13 2022 chenjiankun - 18.09.0-308
 - Type:bugfix
 - CVE:NA
diff --git a/git-commit b/git-commit
index accb316..54f45c8 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-385c3a952ec017d7fadb9ec83983f8284bb35eb2
+1f53e790e570d524f6ebf5b81c914ddda97f0924
diff --git a/patch/0231-docker-AdditionalGids-must-include-effective-group-I.patch b/patch/0231-docker-AdditionalGids-must-include-effective-group-I.patch
new file mode 100644
index 0000000..9706b80
--- /dev/null
+++ b/patch/0231-docker-AdditionalGids-must-include-effective-group-I.patch
@@ -0,0 +1,32 @@
+From 7f4258e2b8b9b769beab23246d27984ada539ac9 Mon Sep 17 00:00:00 2001
+From: chenjiankun
+Date: Thu, 15 Sep 2022 10:33:12 +0800
+Subject: [PATCH] docker: AdditionalGids must include effective group ID
+
+otherwise this one won't be considered for permission checks
+
+Signed-off-by: Nicolas De Loof
+
+Conflict:daemon/oci_linux.go
+Reference:https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
+
+---
+ components/engine/daemon/oci_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/components/engine/daemon/oci_linux.go b/components/engine/daemon/oci_linux.go
+index 6d3bc165..2b803955 100644
+--- a/components/engine/daemon/oci_linux.go
++++ b/components/engine/daemon/oci_linux.go
+@@ -201,7 +201,7 @@ func getUser(c *container.Container, username string) (uint32, uint32, []uint32,
+ uid := uint32(execUser.Uid)
+ gid := uint32(execUser.Gid)
+ sgids := append(execUser.Sgids, addGroups...)
+- var additionalGids []uint32
++ additionalGids := []uint32{gid}
+ for _, g := range sgids {
+ additionalGids = append(additionalGids, uint32(g))
+ }
+-- 
+2.23.0
+
diff --git a/series.conf b/series.conf
index f99eaa7..f7f469c 100644
--- a/series.conf
+++ b/series.conf
@@ -228,4 +228,5 @@ patch/0227-docker-Lock-down-docker-root-dir-perms.patch
 patch/0228-docker-registry-ensure-default-auth-config-has-address.patch
 patch/0229-docker-fix-terminal-abnormal-after-docker-run.patch
 patch/0230-docker-Add-an-ExitPid-field-for-State-struct-to-reco.patch
+patch/0231-docker-AdditionalGids-must-include-effective-group-I.patch
 #end
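Review bot: Nothing in the new `additionalGids := []uint32{gid}` line or the unchanged append loop below it guards against gid also being present in sgids, so when the user's group lookup or addGroups already lists the effective group the slice now carries it twice; setgroups appears to tolerate duplicate entries, so this looks cosmetic, but a one-line skip in the loop, `if uint32(g) == gid { continue }`, keeps the generated OCI spec tidy and makes the intent of the fix explicit. The backport carries no regression test (the inner diffstat shows one file changed); a unit test asserting that the returned slice has gid as its first element for a user whose Sgids omit the primary group would pin the CVE-2022-36109 fix in this tree and catch a future merge dropping it. The inner hunk's function context shows the backport edits `components/engine/daemon/oci_linux.go` while the commit message's Conflict trailer names `daemon/oci_linux.go`; noting in the trailer that only the path was adapted would help the next person rebasing this series. getUser's signature and the rest of its body lie outside the hunk.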