Skip to content

/moby

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc #39612

Merged
merged 1 commit into from Jul 26, 2019
+9 −0

Conversation

@tiborvass
Copy link
Collaborator

tiborvass commented Jul 26, 2019

Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files.

CVE-2019-14271 may allow unprivileged access to host system while copying files from a malicious container image with docker cp command.

Affected versions: v19.03.0. Older Docker versions are not affected by this issue.

This fix is included in the already released Docker v19.03.1. Users of Docker v19.03.0 are advised to upgrade.

The patch was previously reviewed internally by maintainers under GitHub security advisory.
If you find security issues in Moby, please follow responsible disclosure guidelines by sending an email to security@docker.com.
@justincormack @tiborvass
Initialize nss libraries in Glibc so that the dynamic libraries are l…
Loading status checks…
a316b10 
…oaded in the host

environment not in the chroot from untrusted files.

See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
Signed-off-by: Tibor Vass <tibor@docker.com>
@andrewhsu
andrewhsu approved these changes Jul 26, 2019
View changes
Copy link
Contributor

andrewhsu left a comment

LGTM
@thaJeztah
thaJeztah approved these changes Jul 26, 2019
View changes
Copy link
Member

thaJeztah left a comment

LGTM
@thaJeztah

This comment has been minimized.

Sign in to view
Copy link
Member

thaJeztah commented Jul 26, 2019

@tiborvass fixes #39449 ?
@thaJeztah

This comment has been minimized.

Sign in to view
Copy link
Member

thaJeztah commented Jul 26, 2019

@moby/moby-maintainers ptal
@cpuguy83
cpuguy83 approved these changes Jul 26, 2019
View changes
Copy link
Contributor

cpuguy83 left a comment

LGTM
@AkihiroSuda
AkihiroSuda approved these changes Jul 26, 2019
View changes
@yongtang
yongtang approved these changes Jul 26, 2019
View changes
Copy link
Member

yongtang left a comment

LGTM
@AkihiroSuda AkihiroSuda merged commit 11e48ba into moby:master Jul 26, 2019
7 checks passed
7 checks passed
dco-signed All commits are signed
experimental Jenkins build Docker-PRs-experimental 46150 has succeeded
Details
janky Jenkins build Docker-PRs 55054 has succeeded
Details
powerpc Jenkins build Docker-PRs-powerpc 15064 has succeeded
Details
windowsRS1 Jenkins build Docker-PRs-WoW-RS1 26063 has succeeded
Details
windowsRS5-process Jenkins build Docker-PRs-WoW-RS5-Process 3162 has succeeded
Details
z Jenkins build Docker-PRs-s390x 14989 has succeeded
Details
@justincormack justincormack mentioned this pull request Jul 26, 2019
Closed
@tonistiigi

This comment has been minimized.

Sign in to view
Copy link
Member

tonistiigi commented Jul 26, 2019

@thaJeztah Just a reminder that this still needs to be cherry-picked to 18.09 tree
@thaJeztah

This comment has been minimized.

Sign in to view
Copy link
Member

thaJeztah commented Jul 26, 2019

@tonistiigi if you can prepare a cherry-pick, I can LGTM 😉 😇
@tonistiigi tonistiigi mentioned this pull request Jul 26, 2019
Merged
@carnil

This comment has been minimized.

Sign in to view
Copy link

carnil commented Aug 4, 2019
edited

@tonistiigi, @thaJeztah: In #39612 (comment) it is said that this affects only 19.03.0 series. But then the #39612 (comment) mentions the fix needs to be cherry-picked to 18.09 tree. So what is right? Are any older versions as well affected by this issue? Where was the issue introduced?

docker#305 (comment) gives the information htat 18.09 needs the fix as well.
@thaJeztah

This comment has been minimized.

Sign in to view
Copy link
Member

thaJeztah commented Aug 4, 2019

current versions of 18.09 are not affected because they are still using Go 1.10, and a custom archive implementation.

The 18.09 release branch was recently updated to Go 1.11 (which also removed the custom archive implementation), but no release was done yet with that code, but we had to backport the fix to prevent the next patch release being vulnerable
@carnil

This comment has been minimized.

Sign in to view
Copy link

carnil commented Aug 4, 2019

@thaJeztah, ack thank you
@tonistiigi tonistiigi mentioned this pull request Sep 3, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewhsu andrewhsu

@cpuguy83 cpuguy83

@thaJeztah thaJeztah

@yongtang yongtang

@AkihiroSuda AkihiroSuda

Assignees
No one assigned
Labels
area/security impact/changelog process/cherry-picked status/4-merge
Projects
None yet
Milestone
No milestone
10 participants
@tiborvass @thaJeztah @tonistiigi @carnil @andrewhsu @cpuguy83 @yongtang @AkihiroSuda @GordonTheTurtle @justincormack
You can’t perform that action at this time.