Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc #39612

Merged
merged 1 commit into from Jul 26, 2019

Conversation

tiborvass
Copy link
Collaborator

@tiborvass tiborvass commented Jul 26, 2019

Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files.

CVE-2019-14271 may allow unprivileged access to host system while copying files from a malicious container image with docker cp command.

Affected versions: v19.03.0. Older Docker versions are not affected by this issue.

This fix is included in the already released Docker v19.03.1. Users of Docker v19.03.0 are advised to upgrade.

The patch was previously reviewed internally by maintainers under GitHub security advisory.
If you find security issues in Moby, please follow responsible disclosure guidelines by sending an email to security@docker.com.

…oaded in the host

environment not in the chroot from untrusted files.

See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit cea6dca993c2b4cfa99b1e7a19ca134c8ebc236b)
Signed-off-by: Tibor Vass <tibor@docker.com>
Copy link
Member

@andrewhsu andrewhsu left a comment

LGTM

Copy link
Member

@thaJeztah thaJeztah left a comment

LGTM

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Jul 26, 2019

@tiborvass fixes #39449 ?

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Jul 26, 2019

@moby/moby-maintainers ptal

Copy link
Member

@cpuguy83 cpuguy83 left a comment

LGTM

Copy link
Member

@yongtang yongtang left a comment

LGTM

@AkihiroSuda AkihiroSuda merged commit 11e48ba into moby:master Jul 26, 2019
7 checks passed
@tonistiigi
Copy link
Member

@tonistiigi tonistiigi commented Jul 26, 2019

@thaJeztah Just a reminder that this still needs to be cherry-picked to 18.09 tree

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Jul 26, 2019

@tonistiigi if you can prepare a cherry-pick, I can LGTM 😉 😇

@carnil
Copy link

@carnil carnil commented Aug 4, 2019

@tonistiigi, @thaJeztah: In #39612 (comment) it is said that this affects only 19.03.0 series. But then the #39612 (comment) mentions the fix needs to be cherry-picked to 18.09 tree. So what is right? Are any older versions as well affected by this issue? Where was the issue introduced?

docker#305 (comment) gives the information htat 18.09 needs the fix as well.

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented Aug 4, 2019

current versions of 18.09 are not affected because they are still using Go 1.10, and a custom archive implementation.

The 18.09 release branch was recently updated to Go 1.11 (which also removed the custom archive implementation), but no release was done yet with that code, but we had to backport the fix to prevent the next patch release being vulnerable

@carnil
Copy link

@carnil carnil commented Aug 4, 2019

@thaJeztah, ack thank you

julianladisch added a commit to julianladisch/folio-tools that referenced this issue May 17, 2021
* Update Ansible from 2.9.13 to 2.9.21 fixing security issues:
  * https://access.redhat.com/security/cve/cve-2021-2022 - Mask default and fallback values for `no_log` module options
  * https://access.redhat.com/security/cve/cve-2021-20191 - Various modules missing `no_log` on sensitive module arguments
  * https://access.redhat.com/security/cve/cve-2021-20180 - `bitbucket_pipeline_variable` - hide user sensitive information which are marked as `secured` from logging into the console
  * https://access.redhat.com/security/cve/cve-2021-20178 - `snmp_facts` - hide user sensitive information such as ``privkey`` and ``authkey`` from logging into the console
  * https://access.redhat.com/security/cve/cve-2020-1753 - kubectl connection plugin - now redacts `kubectl_token` and `kubectl_password` in console log

* Update Docker from 19.03.9 to 20.10.6 fixing
  * CVE-2021-21285 Prevent an invalid image from crashing docker daemon GHSA-6fj5-m822-rqx8
  * CVE-2021-21284 Lock down file permissions to prevent remapped root from accessing docker state GHSA-7452-xqpj-6rpc
  * CVE-2019-14271 loading of nsswitch based config inside chroot under Glibc moby/moby#39612
  * CVE-2020-15257 Update bundled static binaries of containerd to v1.3.9 GHSA-36xw-fx78-c5r4

* Update Yarn from 1.22.4 to 1.22.5, to the classic stable version: https://classic.yarnpkg.com/lang/en/

* The re-build also updates many other tools, most notably Node:

* Update Node from 12.20.1 to 12.22.1 fixing
  * https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/ OpenSSL - CA certificate check bypass with `X509_V_FLAG_X509_STRICT` (CVE-2021-3450)
  * https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/ OpenSSL - NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
  * https://nodejs.org/en/blog/vulnerability/april-2021-security-releases/ npm upgrade - Update y18n to fix Prototype-Pollution (CVE-2020-7774)
  * https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/ HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (CVE-2021-22883)
  * https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/ DNS rebinding in --inspect (CVE-2021-22884)
  * https://nodejs.org/en/blog/vulnerability/february-2021-security-releases/ OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)
@shraddhapai
Copy link

@shraddhapai shraddhapai commented May 26, 2021

Hi all, I'm running into the docker cp error with docker 19.03.6 running on Ubuntu 18.04.5 LTS.

This is what I get as output:

Error response from daemon: error processing tar file: docker-tar: relocation error: /lib/x86_64-linux-gnu/libnss_files.so.2: symbol __libc_readline_unlocked version GLIBC_PRIVATE not defined in file libc.so.6 with link time reference
: exit status 127

Any help would be appreciated, thanks!

@thaJeztah
Copy link
Member

@thaJeztah thaJeztah commented May 26, 2021

@shraddhapai is that package a docker-ce package installed from download.docker.com or is it a package installed from the Ubuntu's distro packages?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet