Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc #39612
…oaded in the host environment not in the chroot from untrusted files.

See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
Signed-off-by: Tibor Vass <tibor@docker.com>
LGTM
@tiborvass fixes #39449 ?
LGTM
Merged commit 11e48ba into moby:master
@thaJeztah Just a reminder that this still needs to be cherry-picked to the 18.09 tree
@tonistiigi if you can prepare a cherry-pick, I can LGTM
carnil commented Aug 4, 2019

@tonistiigi, @thaJeztah: In #39612 (comment) it is said that this affects only the 19.03.0 series. But then #39612 (comment) mentions the fix needs to be cherry-picked to the 18.09 tree. So what is right? Are any older versions affected by this issue as well? Where was the issue introduced? docker#305 (comment) gives the information that 18.09 needs the fix as well.
Current versions of 18.09 are not affected because they are still using Go 1.10 and a custom archive implementation. The 18.09 release branch was recently updated to Go 1.11 (which also removed the custom archive implementation), but no release has been done yet with that code, so we had to backport the fix to prevent the next patch release from being vulnerable.
carnil commented Aug 4, 2019

@thaJeztah, ack, thank you
tiborvass commented Jul 26, 2019
Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files.
CVE-2019-14271 may allow unprivileged access to the host system while copying files from a malicious container image with the docker cp command.

Affected versions: v19.03.0. Older Docker versions are not affected by this issue.
This fix is included in the already released Docker v19.03.1. Users of Docker v19.03.0 are advised to upgrade.
The patch was previously reviewed internally by maintainers under a GitHub security advisory.
If you find security issues in Moby, please follow responsible disclosure guidelines by sending an email to security@docker.com.
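The mechanism behind the description above: glibc does not link its NSS backends statically but dlopen()s libnss_<service>.so.2 the first time a lookup in that database happens. If a privileged helper chroots into an image rootfs before its first passwd or hosts lookup, the loader resolves that module from the attacker-controlled rootfs. The fix is an ordering change: perform the lookups while the host filesystem is still the root. The following program is an added example written for this page, not Moby's own code or the patch from this PR; the function names (primeNSS, enterChroot, vulnerableOrder, fixedOrder, nssModulesIn), the "root"/"localhost" lookup targets and the library directory list are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"os/user"
	"path/filepath"
	"syscall"
)

// primeNSS forces glibc to dlopen() its NSS backends (libnss_files.so.2,
// libnss_dns.so.2, ...) while the process still sees the host filesystem.
// glibc loads libnss_<service>.so.2 lazily on the first lookup in each
// database, so one passwd lookup and one hosts lookup are enough here;
// the results are deliberately discarded. The lookup targets are an
// arbitrary choice for this example.
//
// Caveat: this only reaches glibc in a cgo build. With CGO_ENABLED=0 (or the
// osusergo/netgo build tags) os/user and net parse /etc/passwd and /etc/hosts
// themselves and never load NSS modules; such a binary is not linked against
// glibc, so the problem does not arise there either. Whether net.LookupHost
// goes through getaddrinfo also depends on Go's resolver selection
// (GODEBUG=netdns=cgo forces the cgo path).
func primeNSS() {
	_, _ = user.Lookup("root")
	_, _ = net.LookupHost("localhost")
}

// enterChroot is the step that hands the dynamic loader an untrusted root:
// from here on, any shared object glibc has not loaded yet would be looked
// up inside the image rootfs.
func enterChroot(root string) error {
	if err := syscall.Chroot(root); err != nil {
		return fmt.Errorf("chroot %s: %w", root, err)
	}
	return os.Chdir("/")
}

// vulnerableOrder reproduces the bad sequence: chroot first, first NSS
// lookup later, so that lookup loads libnss_*.so.2 from the image.
func vulnerableOrder(root string) error {
	if err := enterChroot(root); err != nil {
		return err
	}
	primeNSS() // too late: resolved against the untrusted rootfs
	return nil
}

// fixedOrder is the pattern of the fix: warm NSS on the host, then chroot.
func fixedOrder(root string) error {
	primeNSS()
	return enterChroot(root)
}

// nssModulesIn lists libnss_*.so* files under the usual glibc library
// directories of a rootfs, which shows what a wrongly ordered helper would
// have been able to load. The directory list is an assumption for
// illustration and is not exhaustive.
func nssModulesIn(root string) ([]string, error) {
	dirs := []string{"lib", "lib64", "usr/lib", "usr/lib64",
		"lib/x86_64-linux-gnu", "usr/lib/x86_64-linux-gnu"}
	var found []string
	for _, d := range dirs {
		m, err := filepath.Glob(filepath.Join(root, d, "libnss_*.so*"))
		if err != nil {
			return nil, err
		}
		found = append(found, m...)
	}
	return found, nil
}

func main() {
	root := "/"
	if len(os.Args) > 1 {
		root = os.Args[1] // e.g. an extracted image rootfs
	}
	mods, err := nssModulesIn(root)
	if err != nil {
		fmt.Println("scan:", err)
		os.Exit(1)
	}
	fmt.Printf("%d NSS module(s) under %s\n", len(mods), root)
	if err := fixedOrder(root); err != nil {
		if errors.Is(err, syscall.EPERM) {
			fmt.Println("chroot needs CAP_SYS_CHROOT; rerun as root:", err)
			return
		}
		fmt.Println(err)
		os.Exit(1)
	}
	fmt.Println("entered", root, "with NSS already initialized on the host")
}
```

Run it as root with the path of an extracted image rootfs to see how many libnss_*.so* candidates the image carries and to enter it with NSS already bound to the host copies. The ordering is the whole point: nothing in primeNSS is checked or used, it only has to happen before syscall.Chroot. Note also that the warm-up covers only the databases it touches; a helper that later performs, say, a group lookup inside the chroot would load libnss modules for that database from the untrusted rootfs all the same, so the set of lookups has to match what the code running after chroot can trigger.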