new file mode 100644

@@ -0,0 +1,72 @@

+diff -ru docker-ce/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go docker-ce-modified/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go

+--- docker-ce/components/engine/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go	2017-07-14 20:34:55.000000000 -0700

+@@ -2,7 +2,6 @@

+ 

+ import (

+ 	"io"

+-	"io/ioutil"

+ 

+ 	"github.com/vbatts/tar-split/archive/tar"

+ 	"github.com/vbatts/tar-split/tar/storage"

+@@ -119,20 +118,34 @@

+ 			}

+ 		}

+ 

+-		// it is allowable, and not uncommon that there is further padding on the

+-		// end of an archive, apart from the expected 1024 null bytes.

+-		remainder, err := ioutil.ReadAll(outputRdr)

+-		if err != nil && err != io.EOF {

+-			pW.CloseWithError(err)

+-			return

+-		}

+-		_, err = p.AddEntry(storage.Entry{

+-			Type:    storage.SegmentType,

+-			Payload: remainder,

+-		})

+-		if err != nil {

+-			pW.CloseWithError(err)

+-			return

++		// It is allowable, and not uncommon that there is further padding on

++		// the end of an archive, apart from the expected 1024 null bytes. We

++		// do this in chunks rather than in one go to avoid cases where a

++		// maliciously crafted tar file tries to trick us into reading many GBs

++		// into memory.

++		const paddingChunkSize = 1024 * 1024

++		var paddingChunk [paddingChunkSize]byte

++		for {

++			var isEOF bool

++			n, err := outputRdr.Read(paddingChunk[:])

++			if err != nil {

++				if err != io.EOF {

++					pW.CloseWithError(err)

++					return

++				}

++				isEOF = true

++			}

++			_, err = p.AddEntry(storage.Entry{

++				Type:    storage.SegmentType,

++				Payload: paddingChunk[:n],

++			})

++			if err != nil {

++				pW.CloseWithError(err)

++				return

++			}

++			if isEOF {

++				break

++			}

+ 		}

+ 		pW.Close()

+ 	}()

+diff -ru docker-ce/components/engine/vendor.conf docker-ce-modified/components/engine/vendor.conf

+--- docker-ce/components/engine/vendor.conf	2017-07-14 20:34:55.000000000 -0700

+@@ -50,7 +50,7 @@

+ 

+ # get graph and distribution packages

+ github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621

+-github.com/vbatts/tar-split v0.10.1

++github.com/vbatts/tar-split v0.10.2

+ github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb

+ 

+ # get go-zfs packages

@@ -3,7 +3,7 @@

 Summary:        Docker

 Name:           docker

 Version:        17.06.0

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        ASL 2.0

 URL:            http://docs.docker.com

 Group:          Applications/File

@@ -25,6 +25,7 @@ Source4:        https://github.com/krallin/tini/tree/tini-949e6fa.tar.gz

 Source5:        https://github.com/cpuguy83/go-md2man/tree/go-md2man-a65d4d2.tar.gz

 %define sha1 go-md2man=e3d0865c583150f7c76e385a8b4a3f2432ca8ad8

 Patch0:         remove-firewalld.patch

+Patch1:         CVE-2017-14992.patch

 BuildRequires:  systemd

 BuildRequires:  device-mapper-devel

@@ -70,6 +71,7 @@ ln -s docker-ce/components/engine engine

 ln -s docker-ce/components/packaging packaging

 %patch0 -p2

+%patch1 -p2

 mkdir -p /go/src/github.com

 cd /go/src/github.com

@@ -213,6 +215,8 @@ rm -rf %{buildroot}/*

 %{_datadir}/vim/vimfiles/syntax/dockerfile.vim

 %changelog

+*   Thu Dec 21 2017 Kumar Kaushik <kaushikk@vmware.com> 17.06.0-2

+-   Applying patch for CVE-2017-14992

 *   Tue Jul 18 2017 Bo Gan <ganb@vmware.com> 17.06.0-1

 -   Update to 17.06.0-ce

 *   Mon Jul 10 2017 Bo Gan <ganb@vmware.com> 1.13.1-4