vendor: update to github.com/vbatts/tar-split@v0.10.2 #35424
Update to the latest version of tar-split, which includes a change to fix a memory exhaustion issue where a malformed image could cause the Docker daemon to crash. * tar: asm: store padding in chunks to avoid memory exhaustion Fixes: CVE-2017-14992 Signed-off-by: Aleksa Sarai <asarai@suse.de>
/cc @n4ss
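The fix the description refers to replaces a single read of everything after the tar end-of-archive marker with reads through a fixed-size buffer, so a crafted layer with a very long trailer can no longer make the parser allocate a buffer of the trailer's full size. The following Go program is an added illustration of that approach and is not tar-split's or Moby's code: `scanUnbounded` shows the failure mode, `scanChunked` the bounded version, and `craftedLayer` builds a constructed sample input (a valid one-file tar followed by junk bytes). The chunk size of 1 MiB and all function names are assumptions made for this example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// paddingChunkSize bounds how much trailer data is held in memory at once.
// Assumption for this example: 1 MiB; the project's own constant may differ.
const paddingChunkSize = 1 << 20

// TrailerStats summarises how the bytes after a tar's end-of-archive marker
// (two 512-byte zero blocks) were consumed.
type TrailerStats struct {
	Entries    int   // tar entries seen before the end-of-archive marker
	Padding    int64 // bytes found after the marker
	Chunks     int   // how many pieces the trailer was handed out in
	PeakBuffer int   // largest buffer held for trailer data at one time
}

// drainEntries walks the archive up to the end-of-archive marker. archive/tar
// reads exactly the two zero blocks and no further, so on return the
// underlying reader is positioned at the first trailing byte.
func drainEntries(r io.Reader) (int, error) {
	tr := tar.NewReader(r)
	n := 0
	for {
		_, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return n, nil
		}
		if err != nil {
			return n, err
		}
		n++
		if _, err := io.Copy(io.Discard, tr); err != nil {
			return n, err
		}
	}
}

// scanUnbounded shows the failure mode: the whole trailer is read into one
// buffer, so a crafted layer with a huge trailer costs the process that much
// memory before any content check can reject it.
func scanUnbounded(r io.Reader) (TrailerStats, error) {
	var st TrailerStats
	var err error
	if st.Entries, err = drainEntries(r); err != nil {
		return st, err
	}
	rest, err := io.ReadAll(r) // allocation grows with attacker-controlled length
	if err != nil {
		return st, err
	}
	st.Padding, st.Chunks, st.PeakBuffer = int64(len(rest)), 1, len(rest)
	return st, nil
}

// scanChunked reads the trailer through one fixed-size buffer and hands each
// piece to emit (which must copy if it keeps the bytes), so peak memory stays
// at paddingChunkSize no matter how long the trailer is.
func scanChunked(r io.Reader, emit func([]byte) error) (TrailerStats, error) {
	var st TrailerStats
	var err error
	if st.Entries, err = drainEntries(r); err != nil {
		return st, err
	}
	buf := make([]byte, paddingChunkSize)
	st.PeakBuffer = len(buf)
	for {
		n, rerr := r.Read(buf)
		if n > 0 { // a Read may return data together with io.EOF; use it first
			st.Padding += int64(n)
			st.Chunks++
			if emit != nil {
				if err := emit(buf[:n]); err != nil {
					return st, err
				}
			}
		}
		if errors.Is(rerr, io.EOF) {
			return st, nil
		}
		if rerr != nil {
			return st, rerr
		}
	}
}

// craftedLayer builds a constructed sample: a valid one-file tar followed by
// junk bytes after the end-of-archive marker.
func craftedLayer(junk int) []byte {
	var b bytes.Buffer
	tw := tar.NewWriter(&b)
	body := []byte("hello\n")
	hdr := &tar.Header{Name: "hello.txt", Mode: 0644, Size: int64(len(body)), Typeflag: tar.TypeReg}
	if err := tw.WriteHeader(hdr); err != nil {
		panic(err)
	}
	if _, err := tw.Write(body); err != nil {
		panic(err)
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	b.Write(bytes.Repeat([]byte{0}, junk))
	return b.Bytes()
}

func main() {
	layer := craftedLayer(3*paddingChunkSize + 123)
	u, _ := scanUnbounded(bytes.NewReader(layer))
	c, _ := scanChunked(bytes.NewReader(layer), nil)
	fmt.Printf("unbounded: %+v\nchunked:   %+v\n", u, c)
}
```

With a 3 MiB + 123 byte trailer the unbounded scan holds all of it at once, while the chunked scan hands it out as four pieces and never holds more than one chunk; scaling the junk up only changes the chunk count, not the peak allocation.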
good catch, LGTM
CVE-2017-14992 was assigned for this bug.
LGTM 🐮
/cc @thaJeztah @vieux
LGTM
do we need a test in this repository as well, or is it sufficient that it's tested upstream?
@thaJeztah I can work up an integration test if you like.
This helper acts like /dev/zero (outputs \x00 indefinitely) in an OS-independent fashion. This ensures we don't need to special-case around Windows in tests that want to open /dev/zero. Signed-off-by: Aleksa Sarai <asarai@suse.de>
Thanks for adding the test! I restarted PowerPC and Z CI (Jenkins seemed to have some issues)
Hmm, looks like
oh, can you squash that commit with the previous one?
I'll squash as soon as I've got a working size. 😉 EDIT: Done,
To ensure that we don't revert CVE-2017-14992, add a test that is quite similar to that upstream tar-split test (create an empty archive with lots of junk and make sure the daemon doesn't crash). Signed-off-by: Aleksa Sarai <asarai@suse.de>
All tests pass (ppc appears to be stalling in the last bit of clean-up but the actual tests have passed). 🥗
The
We've been having connectivity issues with the
SGTM, let's go ahead and merge
Update to the latest version of tar-split, which includes a change to
fix a memory exhaustion issue where a malformed image could cause the
Docker daemon to crash.
Fixes: CVE-2017-14992
Fixes #35075
Signed-off-by: Aleksa Sarai <asarai@suse.de>