fix CVE-2021-41089

fix #I5CA8X (cherry picked from commit 57f2f606bf67d58e1993e0353244a5f6b60cb598)
2022-06-28 17:42:29 +08:00 · 2022-06-28 17:42:29 +08:00 · 65e2e6f6a5
commit 65e2e6f6a5
parent f8ffee8d73
4 changed files with 62 additions and 2 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-18.09.0.235
+18.09.0.236
--- a/docker-engine-openeuler.spec
+++ b/docker-engine-openeuler.spec
@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 235
+Release: 236
 Summary: The open-source application container engine
 Group: Tools/Docker

@ -198,6 +198,12 @@ fi
 %endif

 %changelog
+* Thu Jun 28 2022 chenjiankun <chenjiankun1@huawei.com> - 18.09.0-235
+- Type:CVE
+- CVE:CVE-2021-41089
+- SUG:NA
+- DESC:fix CVE-2021-41089
+
 * Thu Jun 28 2022 chenjiankun <chenjiankun1@huawei.com> - 18.09.0-235
 - Type:bugfix
 - CVE:NA
--- a/patch/0225-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
+++ b/patch/0225-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
@ -0,0 +1,53 @@
+From 80f1169eca587305759829e626cebd2a434664f6 Mon Sep 17 00:00:00 2001 
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 19 May 2021 16:51:35 -0700
+Subject: [PATCH] chrootarchive: don't create parent dirsoutside of chroot
+
+If chroot is used with a special root directory then create
+destination directory within chroot. This works automatically
+already due to extractor creating parent paths and is only
+used currently with cp where parent paths are actually required
+and error will be shown to user before reaching this point.
+
+Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
+(cherry picked from commit 52d285184068998c22632bfb869f6294b5613a58)
+Signed-off-by: Brian Goff <cpuguy83@gmail.com>
+
+Conflict:NA
+Reference:https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a
+
+---
+ components/engine/pkg/chrootarchive/archive.go | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/pkg/chrootarchive/archive.go b/components/engine/pkg/chrootarchive/archive.go
+index 6ff61e6a7..9926b63b8 100644
+--- a/components/engine/pkg/chrootarchive/archive.go
+++ b/components/engine/pkg/chrootarchive/archive.go
+@@ -65,13 +65,17 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions
+ 		options.ExcludePatterns = []string{}
+ 	}
+ 
+-	idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
+-	rootIDs := idMapping.RootPair()
+	// If dest is inside a root then directory is created within chroot by extractor.
+	// This case is only currently used by cp.
+	if dest == root {
+		idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
+		rootIDs := idMapping.RootPair()
+ 
+-	dest = filepath.Clean(dest)
+-	if _, err := os.Stat(dest); os.IsNotExist(err) {
+-		if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {
+-			return err
+		dest = filepath.Clean(dest)
+		if _, err := os.Stat(dest); os.IsNotExist(err) {
+			if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {
+				return err
+			}
+ 		}
+ 	}
+ 
+-- 
+2.30.0
+
--- a/series.conf
+++ b/series.conf
@ -218,4 +218,5 @@ patch/0221-docker-fix-Up-292-years-in-status-in-docker-ps-a.patch
 patch/0222-docker-fix-CVE-2022-24769.patch
 patch/0223-fix-rwlayer-umountd-after-container-restart.patch
 patch/0224-docker-close-channel-in-write-side-to-avoid-panic-in.patch
+patch/0225-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
 #end