New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

vendor: update to github.com/vbatts/tar-split@v0.10.2 #35424

Merged
merged 3 commits into from Nov 7, 2017

Conversation

Projects
None yet
6 participants
@cyphar
Contributor

cyphar commented Nov 7, 2017

Update to the latest version of tar-split, which includes a change to
fix a memory exhaustion issue where a malformed image could cause the
Docker daemon to crash.

  • tar: asm: store padding in chunks to avoid memory exhaustion

axolotls2 by kori monster

axolotls2 by kori monster

Fixes: CVE-2017-14992
Fixes #35075
Signed-off-by: Aleksa Sarai asarai@suse.de

vendor: update to github.com/vbatts/tar-split@v0.10.2
Update to the latest version of tar-split, which includes a change to
fix a memory exhaustion issue where a malformed image could cause the
Docker daemon to crash.

  * tar: asm: store padding in chunks to avoid memory exhaustion

Fixes: CVE-2017-14992
Signed-off-by: Aleksa Sarai <asarai@suse.de>
@cyphar

This comment has been minimized.

Show comment
Hide comment
@cyphar

cyphar Nov 7, 2017

Contributor

/cc @n4ss

Contributor

cyphar commented Nov 7, 2017

/cc @n4ss

@AkihiroSuda

good catch, LGTM

@cyphar

This comment has been minimized.

Show comment
Hide comment
@cyphar

cyphar Nov 7, 2017

Contributor

CVE-2017-14992 was assigned for this bug.

Contributor

cyphar commented Nov 7, 2017

CVE-2017-14992 was assigned for this bug.

@vdemeester

LGTM 🐮
/cc @thaJeztah @vieux

@thaJeztah

LGTM

do we need a test in this repository as well, or is it sufficient that it's tested upstream?

@cyphar

This comment has been minimized.

Show comment
Hide comment
@cyphar

cyphar Nov 7, 2017

Contributor

@thaJeztah I can work up an integration test if you like.

Contributor

cyphar commented Nov 7, 2017

@thaJeztah I can work up an integration test if you like.

@cyphar cyphar requested a review from dnephin as a code owner Nov 7, 2017

internal: testutil: add DevZero helper
This helper acts like /dev/zero (outputs \x00 indefinitely) in an
OS-independent fashion. This ensures we don't need to special-case
around Windows in tests that want to open /dev/zero.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
@thaJeztah

This comment has been minimized.

Show comment
Hide comment
@thaJeztah

thaJeztah Nov 7, 2017

Member

Thanks for adding the test! I restarted PowerPC and Z CI (Jenkins seemed to have some issues)

Member

thaJeztah commented Nov 7, 2017

Thanks for adding the test! I restarted PowerPC and Z CI (Jenkins seemed to have some issues)

@cyphar

This comment has been minimized.

Show comment
Hide comment
@cyphar

cyphar Nov 7, 2017

Contributor

Hmm, looks like 20GB is too large for this test. I'll try reducing it...

Contributor

cyphar commented Nov 7, 2017

Hmm, looks like 20GB is too large for this test. I'll try reducing it...

@thaJeztah

This comment has been minimized.

Show comment
Hide comment
@thaJeztah

thaJeztah Nov 7, 2017

Member

oh, can you squash that commit with the previous one?

Member

thaJeztah commented Nov 7, 2017

oh, can you squash that commit with the previous one?

@cyphar

This comment has been minimized.

Show comment
Hide comment
@cyphar

cyphar Nov 7, 2017

Contributor

I'll squash as soon as I've got a working size. 😉

EDIT: Done, 8GB looks like it's big enough to test the issue but only takes ~2min to "upload".

Contributor

cyphar commented Nov 7, 2017

I'll squash as soon as I've got a working size. 😉

EDIT: Done, 8GB looks like it's big enough to test the issue but only takes ~2min to "upload".

image: add import test for CVE-2017-14992
To ensure that we don't revert CVE-2017-14992, add a test that is quite
similar to that upstream tar-split test (create an empty archive with
lots of junk and make sure the daemon doesn't crash).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
@cyphar

This comment has been minimized.

Show comment
Hide comment
@cyphar

cyphar Nov 7, 2017

Contributor

All tests pass (ppc appears to be stalling in the last bit of clean-up but the actual tests have passed).

🥗

Contributor

cyphar commented Nov 7, 2017

All tests pass (ppc appears to be stalling in the last bit of clean-up but the actual tests have passed).

🥗

@andrewhsu

This comment has been minimized.

Show comment
Hide comment
@andrewhsu

andrewhsu Nov 7, 2017

Contributor

The ppc64le tests passed even though the status is not green:

20:33:27 OK: 1620 passed, 107 skipped
20:33:27 PASS

We've been having connectivity issues with the ppc64le slaves so I'd say don't wait on a perfectly green run from that arch.

Contributor

andrewhsu commented Nov 7, 2017

The ppc64le tests passed even though the status is not green:

20:33:27 OK: 1620 passed, 107 skipped
20:33:27 PASS

We've been having connectivity issues with the ppc64le slaves so I'd say don't wait on a perfectly green run from that arch.

@thaJeztah

This comment has been minimized.

Show comment
Hide comment
@thaJeztah

thaJeztah Nov 7, 2017

Member

SGTM, let's go ahead and merge

Member

thaJeztah commented Nov 7, 2017

SGTM, let's go ahead and merge

@thaJeztah thaJeztah merged commit bd8ed57 into moby:master Nov 7, 2017

6 of 7 checks passed

powerpc Jenkins build Docker-PRs-powerpc 6865 has encountered an error
Details
dco-signed All commits are signed
experimental Jenkins build Docker-PRs-experimental 37751 has succeeded
Details
janky Jenkins build Docker-PRs 46459 has succeeded
Details
vendor Jenkins build Docker-PRs-vendor 3925 has succeeded
Details
windowsRS1 Jenkins build Docker-PRs-WoW-RS1 18021 has succeeded
Details
z Jenkins build Docker-PRs-s390x 6677 has succeeded
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment