From: Justin Cormack
Date: Thu, 25 Jul 2019 14:24:39 +0000 (+0100)
Subject: Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the...
X-Git-Tag: archive/raspbian/18.09.1+dfsg1-7.1+rpi1+deb10u1^2~20
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=d85d16c2a1633b95b710ee84e2bf3b0c14cd8434;p=docker.io.git
Initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host environment not in the chroot from untrusted files. See also OpenVZ https://github.com/kolyshkin/vzctl/blob/a3f732ef751998913fcf0a11b3e05236b51fd7e9/src/enter.c#L227-L234
Signed-off-by: Justin Cormack
Signed-off-by: Tibor Vass
(cherry picked from commit a316b10dab79d9298b02c7930958ed52e0ccf4e4)
Gbp-Pq: Name cve-2019-14271-Initialize-nss-libraries-in-Glibc.patch
---
diff --git a/engine/pkg/chrootarchive/archive.go b/engine/pkg/chrootarchive/archive.go
index 6ff61e6a..83ed0c6b 100644
--- a/engine/pkg/chrootarchive/archive.go
+++ b/engine/pkg/chrootarchive/archive.go
@@ -4,13 +4,22 @@ import (
 "fmt"
 "io"
 "io/ioutil"
+ "net"
 "os"
+ "os/user"
 "path/filepath"

 "github.com/docker/docker/pkg/archive"
 "github.com/docker/docker/pkg/idtools"
 )

+func init() {
+ // initialize nss libraries in Glibc so that the dynamic libraries are loaded in the host
+ // environment not in the chroot from untrusted files.
+ _, _ = user.Lookup("docker")
+ _, _ = net.LookupHost("localhost")
+}
+
 // NewArchiver returns a new Archiver which uses chrootarchive.Untar
 func NewArchiver(idMapping *idtools.IdentityMapping) *archive.Archiver {
 if idMapping == nil {
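Review bot: The new `init()` in archive.go only protects the process if both lookups really go through glibc's NSS, and nothing in the added lines records that assumption or that the discarded results are deliberate. `os/user` takes the libc path only in cgo builds without the `osusergo` tag, and `net.LookupHost` can be answered by Go's built-in resolver without calling `getaddrinfo`, so on some builds the second call may preload nothing; that is harmless where glibc is never consulted, but worth stating. I would extend the comment with something like `// Results are ignored on purpose: only the side effect of glibc loading its libnss_*.so modules before any chroot matters (cgo builds only).` Because this runs at import time in every program that links the package, a lookup with no timeout also adds startup cost, and if archive.go is compiled for non-Unix targets as well (not visible from this hunk) a build-constrained file would be a better home for it.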