vendor: update to github.com/vbatts/tar-split@v0.10.2 #35424
Conversation
Update to the latest version of tar-split, which includes a change to fix a memory exhaustion issue where a malformed image could cause the Docker daemon to crash. * tar: asm: store padding in chunks to avoid memory exhaustion Fixes: CVE-2017-14992 Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
/cc @n4ss |
|
CVE-2017-14992 was assigned for this bug. |
|
@thaJeztah I can work up an integration test if you like. |
cyphar
force-pushed
the
tar-split-cve_2017_14992
branch
from
c6fdfc9
to
4c4013c
Compare
This helper acts like /dev/zero (outputs \x00 indefinitely) in an OS-independent fashion. This ensures we don't need to special-case around Windows in tests that want to open /dev/zero. Signed-off-by: Aleksa Sarai <asarai@suse.de>
cyphar
force-pushed
the
tar-split-cve_2017_14992
branch
from
4c4013c
to
91d6fdd
Compare
|
Thanks for adding the test! I restarted PowerPC and Z CI (Jenkins seemed to have some issues) |
|
Hmm, looks like |
|
oh, can you squash that commit with the previous one? |
cyphar
force-pushed
the
tar-split-cve_2017_14992
branch
from
a48cd1c
to
56599e5
Compare
|
I'll squash as soon as I've got a working size. 😉 EDIT: Done, |
cyphar
force-pushed
the
tar-split-cve_2017_14992
branch
from
56599e5
to
0a13f82
Compare
To ensure that we don't revert CVE-2017-14992, add a test that is quite similar to that upstream tar-split test (create an empty archive with lots of junk and make sure the daemon doesn't crash). Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
All tests pass (ppc appears to be stalling in the last bit of clean-up but the actual tests have passed). 🥗 |
|
The We've been having connectivity issues with the |
|
SGTM, let's go ahead and merge |
Update to the latest version of tar-split, which includes a change to
fix a memory exhaustion issue where a malformed image could cause the
Docker daemon to crash.
axolotls2 by kori monster
Fixes: CVE-2017-14992
Fixes #35075
Signed-off-by: Aleksa Sarai asarai@suse.de