[19.03] Revert Pass root to chroot to for chroot Tar/Untar (CVE-2018-15664) #275
This reverts commit 3e057d5. Signed-off-by: Tibor Vass <[email protected]>
This reverts commit 9781cce. Signed-off-by: Tibor Vass <[email protected]>
tonistiigi
left a comment
I do not understand how this doesn't just automatically delay the release but LGTM if there is no other way.
Sorry, I'm not seeing the problem with the proposed patch (outside of showing the need for a rewrite).
@cpuguy83 it partially reverts the guarantees that the CVE fix added (by chroot-ing to one directory level above, which in the case of other drivers than overlay2 provides access to any other layer).
andrewhsu
left a comment
LGTM
Need more time to come up with a more suitable fix for the CVE; the next train is the June patch release, due by end of month.
In the meantime, until a more suitable fix for the CVE is available, mitigation is to pause the container before doing file system operations if one is concerned about somebody being sneaky: moby#39252
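The pause-then-copy mitigation from the comment above, written out as an added example (not code from this PR or from Moby): a small POSIX sh wrapper, with the hypothetical name `paused_docker_cp`, that pauses the named container, runs `docker cp`, and always unpauses it afterwards, even when the copy fails. The container name and paths in the usage comment are constructed.

```shell
#!/bin/sh
# paused_docker_cp SRC DST
#   Exactly one of SRC/DST is in the CONTAINER:PATH form, as for `docker cp`.
#   The container is frozen for the duration of the copy so that nothing
#   inside it can rearrange the filesystem while the daemon resolves paths.
#   Example (constructed): paused_docker_cp web1:/var/log/app.log ./app.log
paused_docker_cp() {
    src=$1
    dst=$2

    # Work out which argument names the container.
    case $src in
        *:*) ctr=${src%%:*} ;;
        *)   ctr=${dst%%:*} ;;
    esac

    # Refuse to copy at all if the container could not be paused.
    docker pause "$ctr" || return 1

    # Copy while frozen. Use `if` so a failing cp does not abort a
    # `set -e` shell before the container has been unpaused.
    if docker cp "$src" "$dst"; then
        rc=0
    else
        rc=$?
    fi

    # Always resume the container, then report the copy's own status.
    docker unpause "$ctr"
    return $rc
}
```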
Doesn't it make sense to have a partial mitigation?
The CVE fix merged in #254 is currently incorrect and breaks users (see moby#39348).
While we figure out the proper fix, unfortunately we need to revert the fix for 19.03.
Ping @andrewhsu @justincormack @tonistiigi @cpuguy83 @thaJeztah