diff --git a/VERSION-openeuler b/VERSION-openeuler
index d20060fab9bf679126f3aa9b84aac7befe3c4f84..92925568b29417fba77c61d4bfca5ea45498ac4a 100644
--- a/VERSION-openeuler
+++ b/VERSION-openeuler
@@ -1 +1 @@
-18.09.0.201
+18.09.0.202
diff --git a/docker-engine-openeuler.spec b/docker-engine-openeuler.spec
index f6be62fa9499fd4e5457924d81bb4bf3b3e045e6..c3e1c5de4ee84bb6b7af9ad8b396f798b8988f1a 100644
--- a/docker-engine-openeuler.spec
+++ b/docker-engine-openeuler.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 201
+Release: 202
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -200,6 +200,12 @@ fi
 %endif
 %changelog
+* Thu Mar 18 2021 xiadanni - 18.09.0-202
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:prevent an invalid image from crashing docker daemon(CVE-2021-21285)
+
 * Wed Feb 24 2021 xiadanni - 18.09.0-201
 - Type:bugfix
 - ID:NA
diff --git a/patch/0190-docker-fix-CVE-2021-21285.patch b/patch/0190-docker-fix-CVE-2021-21285.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c50004baf076fac3be006cca75481b2e623f475d
--- /dev/null
+++ b/patch/0190-docker-fix-CVE-2021-21285.patch
@@ -0,0 +1,54 @@
+From c6870e57fa9f7667c59dd21abd6e8034509b6ada Mon Sep 17 00:00:00 2001
+From: xiadanni
+Date: Thu, 18 Mar 2021 14:41:15 +0800
+Subject: [PATCH] docker: prevent an invalid image from crashing docker daemon
+ (CVE-2021-21285)
+
+Change-Id: I0cf6a1b268e500a2a004c9d9d33f01a3d4ad5b47
+Signed-off-by: xiadanni
+---
+ .../engine/builder/builder-next/adapters/containerimage/pull.go | 3 +++
+ components/engine/distribution/pull_v2.go | 6 ++++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/components/engine/builder/builder-next/adapters/containerimage/pull.go b/components/engine/builder/builder-next/adapters/containerimage/pull.go
+index f6e55f4..4b6eb04 100644
+--- a/components/engine/builder/builder-next/adapters/containerimage/pull.go
++++ b/components/engine/builder/builder-next/adapters/containerimage/pull.go
+@@ -493,6 +493,9 @@ func (p *puller) Snapshot(ctx context.Context) (cache.ImmutableRef, error) {
+ layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers))
+ 
+ for i, desc := range mfst.Layers {
++ if err := desc.Digest.Validate(); err != nil {
++ return nil, errors.Wrap(err, "layer digest could not be validated")
++ }
+ ongoing.add(desc)
+ layers = append(layers, &layerDescriptor{
+ desc: desc,
+diff --git a/components/engine/distribution/pull_v2.go b/components/engine/distribution/pull_v2.go
+index 4150241..98714fd 100644
+--- a/components/engine/distribution/pull_v2.go
++++ b/components/engine/distribution/pull_v2.go
+@@ -480,6 +480,9 @@ func (p *v2Puller) pullSchema1(ctx context.Context, ref reference.Reference, unv
+ // to top-most, so that the downloads slice gets ordered correctly.
+ for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
+ blobSum := verifiedManifest.FSLayers[i].BlobSum
++ if err = blobSum.Validate(); err != nil {
++ return "", "", errors.Wrapf(err, "could not validate layer digest %q", blobSum)
++ }
+ 
+ var throwAway struct {
+ ThrowAway bool `json:"throwaway,omitempty"`
+@@ -596,6 +599,9 @@ func (p *v2Puller) pullSchema2(ctx context.Context, ref reference.Named, mfst *s
+ // Note that the order of this loop is in the direction of bottom-most
+ // to top-most, so that the downloads slice gets ordered correctly.
+ for _, d := range mfst.Layers {
++ if err := d.Digest.Validate(); err != nil {
++ return "", "", errors.Wrapf(err, "could not validate layer digest %q", d.Digest)
++ }
+ layerDescriptor := &v2LayerDescriptor{
+ digest: d.Digest,
+ repo: p.repo,
+-- 
+1.8.3.1
+ 
diff --git a/series.conf b/series.conf
index f836d773c2cf579a3492d688419856856e81d143..6bc7c12d467466efd52fa7c72cb779826e1e179d 100644
--- a/series.conf
+++ b/series.conf
@@ -183,4 +183,5 @@ patch/0185-docker-delete-image-reference-when-failed-to-get-ima.patch
 patch/0186-docker-fix-execCommands-leak-in-health-check.patch
 patch/0188-docker-check-containerd-pid-before-kill-it.patch
 patch/0189-docker-fix-Access-to-remapped-root-allows-privilege-.patch
+patch/0190-docker-fix-CVE-2021-21285.patch
 #end
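Review bot: In the builder-next hunk of the embedded patch the rejection message omits which digest failed — `errors.Wrap(err, "layer digest could not be validated")` — while the two pull_v2.go hunks report it with `%q`; for consistency, and so a rejected pull can be traced to the offending manifest entry in daemon logs, change it to `return nil, errors.Wrapf(err, "layer digest %q could not be validated", desc.Digest)`. All three checks sit inside loops whose enclosing functions (Snapshot, pullSchema1, pullSchema2) begin before their hunks, so whether the `err =` assignment in pullSchema1 relies on a named result declared in the signature is not visible here and should be confirmed. Only layer digests are validated in these hunks; whether the schema2 config digest is validated on a path outside them is likewise not visible and worth checking, since an unvalidated digest there would be the same class of defect this patch addresses.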