Merge release v1.3.3

CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## 1.3.3 (2014-12-11)
+
+#### Security
+- Fix path traversal vulnerability in processing of absolute symbolic links (CVE-2014-9356)
+- Fix decompression of xz image archives, preventing privilege escalation (CVE-2014-9357)
+- Validate image IDs (CVE-2014-9358)
+
+#### Runtime
+- Fix an issue when image archives are being read slowly
+
+#### Client
+- Fix a regression related to stdin redirection
+- Fix a regression with `docker cp` when destination is the current directory
+
 ## 1.3.2 (2014-11-20)
 
 #### Security

VERSION

@@ -1 +1 @@
-1.3.2-dev
+1.3.3-dev

docs/sources/release-notes.md

@@ -4,6 +4,40 @@ page_keywords: docker, documentation, about, technology, understanding, release
 
 #Release Notes
 
+##Version 1.3.3
+(2014-12-11)
+
+This release fixes several security issues. In order to encourage immediate
+upgrading, this release also patches some critical bugs. All users are highly
+encouraged to upgrade as soon as possible.
+
+*Security fixes*
+
+Patches and changes were made to address the following vulnerabilities:
+
+* CVE-2014-9356: Path traversal during processing of absolute symlinks. 
+Absolute symlinks were not adequately checked for  traversal which created a
+vulnerability via image extraction and/or volume mounts.
+* CVE-2014-9357: Escalation of privileges during decompression of LZMA (.xz)
+archives. Docker 1.3.2 added `chroot` for archive extraction. This created a
+vulnerability that could allow malicious images or builds to write files to the
+host system and escape containerization, leading to privilege escalation.
+* CVE-2014-9358: Path traversal and spoofing opportunities via image
+identifiers. Image IDs passed either via `docker load` or registry communications
+were not sufficiently validated. This created a vulnerability to path traversal
+attacks wherein malicious images or repository spoofing could lead to graph
+corruption and manipulation.
+
+*Runtime fixes*
+
+* Fixed an issue that cause image archives to be read slowly.
+
+*Client fixes*
+
+* Fixed a regression related to STDIN redirection.
+* Fixed a regression involving `docker cp` when the current directory is the
+destination.
+
 ##Version 1.3.2
 (2014-11-24)
 

graph/load.go

@@ -14,6 +14,7 @@ import (
 	"github.com/docker/docker/image"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/docker/pkg/chrootarchive"
+	"github.com/docker/docker/utils"
 )
 
 // Loads a set of images into the repository. This is the complementary of ImageExport.
@@ -114,6 +115,10 @@ func (s *TagStore) recursiveLoad(eng *engine.Engine, address, tmpImageDir string
 			log.Debugf("Error unmarshalling json", err)
 			return err
 		}
+		if err := utils.ValidateID(img.ID); err != nil {
+			log.Debugf("Error validating ID: %s", err)
+			return err
+		}
 		if img.Parent != "" {
 			if !s.graph.Exists(img.Parent) {
 				if err := s.recursiveLoad(eng, img.Parent, tmpImageDir); err != nil {

graph/tags_unit_test.go

@@ -16,7 +16,7 @@ import (
 
 const (
 	testImageName = "myapp"
-	testImageID   = "foo"
+	testImageID   = "1a2d3c4d4e5fa2d2a21acea242a5e2345d3aefc3e7dfa2a2a2a21a2a2ad2d234"
 )
 
 func fakeTar() (io.Reader, error) {