Merge pull request #60 from infosiftr/CVE-2019-5021

Add simple fix for CVE-2019-5021 (patching Buildroot's file)
docker-library · May 8, 2019 · 6bf0102 · 6bf0102
2 parents 8098324 + 304f1f4
commit 6bf0102
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 1 deletion.
diff --git a/glibc/Dockerfile.builder b/glibc/Dockerfile.builder
@@ -121,6 +121,10 @@ RUN set -ex; \
 	for f in passwd shadow group; do \
 		curl -fL -o "rootfs/etc/$f" "https://git.busybox.net/buildroot/plain/system/skeleton/etc/$f?id=$buildrootVersion"; \
 	done; \
+# CVE-2019-5021, https://github.com/docker-library/official-images/pull/5880#issuecomment-490681907
+	grep -E '^root::' rootfs/etc/shadow; \
+	sed -ri -e 's/^root::/root:*:/' rootfs/etc/shadow; \
+	grep -E '^root:[*]:' rootfs/etc/shadow; \
 # set expected permissions, etc too (https://git.busybox.net/buildroot/tree/system/device_table.txt)
 	curl -fL -o buildroot-device-table.txt "https://git.busybox.net/buildroot/plain/system/device_table.txt?id=$buildrootVersion"; \
 	awk ' \

diff --git a/musl/Dockerfile.builder b/musl/Dockerfile.builder
@@ -108,6 +108,10 @@ RUN set -ex; \
 	for f in passwd shadow group; do \
 		curl -fL -o "rootfs/etc/$f" "https://git.busybox.net/buildroot/plain/system/skeleton/etc/$f?id=$buildrootVersion"; \
 	done; \
+# CVE-2019-5021, https://github.com/docker-library/official-images/pull/5880#issuecomment-490681907
+	grep -E '^root::' rootfs/etc/shadow; \
+	sed -ri -e 's/^root::/root:*:/' rootfs/etc/shadow; \
+	grep -E '^root:[*]:' rootfs/etc/shadow; \
 # set expected permissions, etc too (https://git.busybox.net/buildroot/tree/system/device_table.txt)
 	curl -fL -o buildroot-device-table.txt "https://git.busybox.net/buildroot/plain/system/device_table.txt?id=$buildrootVersion"; \
 	awk ' \

diff --git a/uclibc/Dockerfile.builder b/uclibc/Dockerfile.builder
@@ -244,6 +244,10 @@ RUN set -ex; \
 			"../buildroot/system/skeleton/etc/$f" \
 			"rootfs/etc/$f"; \
 	done; \
+# CVE-2019-5021, https://github.com/docker-library/official-images/pull/5880#issuecomment-490681907
+	grep -E '^root::' rootfs/etc/shadow; \
+	sed -ri -e 's/^root::/root:*:/' rootfs/etc/shadow; \
+	grep -E '^root:[*]:' rootfs/etc/shadow; \
 # set expected permissions, etc too (https://git.busybox.net/buildroot/tree/system/device_table.txt)
 	awk ' \
 		!/^#/ { \
@@ -257,7 +261,7 @@ RUN set -ex; \
 			} \
 			printf "chmod %s %s\n", $3, $1; \
 		} \
-	' "../buildroot/system/device_table.txt" | bash -Eeuo pipefail -x
+	' ../buildroot/system/device_table.txt | bash -Eeuo pipefail -x
 
 # create missing home directories
 RUN set -ex \