docker/patch/0190-docker-fix-CVE-2021-21285.patch
xiadanni 1bae2e5ea3 docker:sync bugfix and fix CVE-2021-21284 2021-21285
1.fix execCommands leak in health-check
2.check containerd pid before killing it
3.fix CVE-2021-21284
4.fix CVE-2021-21285

Change-Id: I2fe1dd40281f1786ecc63ff19d416b113710e611
Signed-off-by: xiadanni <xiadanni1@huawei.com>
2021-03-18 15:40:53 +08:00


From c6870e57fa9f7667c59dd21abd6e8034509b6ada Mon Sep 17 00:00:00 2001
From: xiadanni <xiadanni1@huawei.com>
Date: Thu, 18 Mar 2021 14:41:15 +0800
Subject: [PATCH] docker: prevent an invalid image from crashing docker daemon
(CVE-2021-21285)
Change-Id: I0cf6a1b268e500a2a004c9d9d33f01a3d4ad5b47
Signed-off-by: xiadanni <xiadanni1@huawei.com>
---
.../engine/builder/builder-next/adapters/containerimage/pull.go | 3 +++
components/engine/distribution/pull_v2.go | 6 ++++++
2 files changed, 9 insertions(+)
diff --git a/components/engine/builder/builder-next/adapters/containerimage/pull.go b/components/engine/builder/builder-next/adapters/containerimage/pull.go
index f6e55f4..4b6eb04 100644
--- a/components/engine/builder/builder-next/adapters/containerimage/pull.go
+++ b/components/engine/builder/builder-next/adapters/containerimage/pull.go
@@ -493,6 +493,9 @@ func (p *puller) Snapshot(ctx context.Context) (cache.ImmutableRef, error) {
layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers))
for i, desc := range mfst.Layers {
+ if err := desc.Digest.Validate(); err != nil {
+ return nil, errors.Wrap(err, "layer digest could not be validated")
+ }
ongoing.add(desc)
layers = append(layers, &layerDescriptor{
desc: desc,
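Review bot: The error returned on the new line in Snapshot drops the offending digest, while the two pull_v2.go hunks in this same patch include it with `%q`; for consistency and so operators can tell which manifest entry was rejected, prefer `return nil, errors.Wrapf(err, "layer digest %q could not be validated", desc.Digest)`. Worth a one-line comment above the check noting that `Validate()` only checks the digest's syntactic form (known algorithm, correct encoded length) and that content verification still happens when the layer is actually fetched, so readers don't mistake this for an integrity check. Snapshot's body continues beyond the hunk, so I could not confirm whether `mfst.Config` is validated on the same path.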
diff --git a/components/engine/distribution/pull_v2.go b/components/engine/distribution/pull_v2.go
index 4150241..98714fd 100644
--- a/components/engine/distribution/pull_v2.go
+++ b/components/engine/distribution/pull_v2.go
@@ -480,6 +480,9 @@ func (p *v2Puller) pullSchema1(ctx context.Context, ref reference.Reference, unv
// to top-most, so that the downloads slice gets ordered correctly.
for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
blobSum := verifiedManifest.FSLayers[i].BlobSum
+ if err = blobSum.Validate(); err != nil {
+ return "", "", errors.Wrapf(err, "could not validate layer digest %q", blobSum)
+ }
var throwAway struct {
ThrowAway bool `json:"throwaway,omitempty"`
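Review bot: The new check in pullSchema1 assigns with `err =` to a variable declared outside the hunk, whereas the pullSchema2 hunk below uses `if err := ...` to scope the error to the check; if that outer `err` is pullSchema1's named result (the signature is cut off in the hunk header) the assignment is harmless because the explicit return overrides it, but it is still worth aligning the two for readability: `if err := blobSum.Validate(); err != nil {`. Please confirm against the full function that nothing after this loop reads `err` expecting the pre-check value.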
@@ -596,6 +599,9 @@ func (p *v2Puller) pullSchema2(ctx context.Context, ref reference.Named, mfst *s
// Note that the order of this loop is in the direction of bottom-most
// to top-most, so that the downloads slice gets ordered correctly.
for _, d := range mfst.Layers {
+ if err := d.Digest.Validate(); err != nil {
+ return "", "", errors.Wrapf(err, "could not validate layer digest %q", d.Digest)
+ }
layerDescriptor := &v2LayerDescriptor{
digest: d.Digest,
repo: p.repo,
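Review bot: Only the layer digests in `mfst.Layers` are validated here; the manifest's config descriptor (`mfst.Config.Digest`) is handled elsewhere in pullSchema2, outside this hunk, and I could not see whether it passes through `Validate()` before the config blob is fetched. If it does not, the same malformed-digest input that this patch guards against for layers would still reach the download path through the config; a check of the form `if err := mfst.Config.Digest.Validate(); err != nil { return "", "", errors.Wrapf(err, "could not validate config digest %q", mfst.Config.Digest) }` at the point where the config is first used would close that gap. A short comment above the loop stating why the digest is validated before building the descriptor would help future readers.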
--
1.8.3.1