diff -ru docker-ce/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go docker-ce-modified/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
--- docker-ce/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go	2017-07-14 20:34:55.000000000 -0700
+++ docker-ce-modified/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go	2017-12-21 14:16:54.564751961 -0800
@@ -2,7 +2,6 @@
 
 import (
 	"io"
-	"io/ioutil"
 
 	"github.com/vbatts/tar-split/archive/tar"
 	"github.com/vbatts/tar-split/tar/storage"
@@ -119,20 +118,34 @@
 			}
 		}
 
-		// it is allowable, and not uncommon that there is further padding on the
-		// end of an archive, apart from the expected 1024 null bytes.
-		remainder, err := ioutil.ReadAll(outputRdr)
-		if err != nil && err != io.EOF {
-			pW.CloseWithError(err)
-			return
-		}
-		_, err = p.AddEntry(storage.Entry{
-			Type:    storage.SegmentType,
-			Payload: remainder,
-		})
-		if err != nil {
-			pW.CloseWithError(err)
-			return
+		// It is allowable, and not uncommon that there is further padding on
+		// the end of an archive, apart from the expected 1024 null bytes. We
+		// do this in chunks rather than in one go to avoid cases where a
+		// maliciously crafted tar file tries to trick us into reading many GBs
+		// into memory.
+		const paddingChunkSize = 1024 * 1024
+		var paddingChunk [paddingChunkSize]byte
+		for {
+			var isEOF bool
+			n, err := outputRdr.Read(paddingChunk[:])
+			if err != nil {
+				if err != io.EOF {
+					pW.CloseWithError(err)
+					return
+				}
+				isEOF = true
+			}
+			_, err = p.AddEntry(storage.Entry{
+				Type:    storage.SegmentType,
+				Payload: paddingChunk[:n],
+			})
+			if err != nil {
+				pW.CloseWithError(err)
+				return
+			}
+			if isEOF {
+				break
+			}
 		}
 		pW.Close()
 	}()
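Review bot: `Payload: paddingChunk[:n]` hands every `AddEntry` call a slice over the same 1 MiB array, which the next `Read` overwrites, so the loop is only correct if the packer serialises or copies the payload before returning. `AddEntry`'s implementation is not visible in this hunk, so that requirement deserves a comment such as `// AddEntry must consume Payload before returning; paddingChunk is reused on the next iteration`. The chunking caps memory per read, but the total amount of trailing data written through the packer is still controlled by the archive, so a crafted tar can still inflate the stored metadata unless the caller limits input size; that is worth stating in the comment block above the loop. The final `Read` that returns `0, io.EOF` also records an empty segment entry, and if that is kept deliberately to match the previous output, the comment should say so. The enclosing goroutine body starts outside the hunk.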
diff -ru docker-ce/components/engine/vendor.conf docker-ce-modified/components/engine/vendor.conf
--- docker-ce/components/engine/vendor.conf	2017-07-14 20:34:55.000000000 -0700
+++ docker-ce-modified/components/engine/vendor.conf	2017-12-21 14:18:20.250968883 -0800
@@ -50,7 +50,7 @@
 
 # get graph and distribution packages
 github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621
-github.com/vbatts/tar-split v0.10.1
+github.com/vbatts/tar-split v0.10.2
 github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
 
 # get go-zfs packages