Update third party libs to address security vulnerabilities (draios#709)

* Update openssl to 1.0.2j. This fixes a set of ~25 security vulnerabilities. * Update libcurl to 7.52.1. This fixes ~10 security vulnerabilities. * Patch jq 1.5 with a fix for security vulns. After downloading jq 1.5, apply the changes in jqlang/jq@8eb1367 by downloading the commit as a patch and applying it. This fixes CVE-2015-8863. * Add a local dockerfile variant. Add a local dockerfile variant that allows creating an image from a local .deb package.
dmyerscough · Mar 3, 2017 · 72e42e9 · 72e42e9
1 parent 9419a7c
commit 72e42e9
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 4 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -225,6 +225,7 @@ if(NOT WIN32 AND NOT APPLE)
 		CONFIGURE_COMMAND ./configure --disable-maintainer-mode --enable-all-static --disable-dependency-tracking
 		BUILD_COMMAND ${CMD_MAKE} LDFLAGS=-all-static
 		BUILD_IN_SOURCE 1
+		PATCH_COMMAND wget -O jq-1.5-fix-tokenadd.patch https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd.patch && patch -i jq-1.5-fix-tokenadd.patch
 		INSTALL_COMMAND "")
 	endif()
 endif()
@@ -302,8 +303,8 @@ if(NOT WIN32 AND NOT APPLE)
 		message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'")
 
 		ExternalProject_Add(openssl
-			URL "http://download.draios.com/dependencies/openssl-1.0.2d.tar.gz"
-			URL_MD5 "38dd619b2e77cbac69b99f52a053d25a"
+			URL "http://download.draios.com/dependencies/openssl-1.0.2j.tar.gz"
+			URL_MD5 "96322138f0b69e61b7212bc53d5e912b"
 			CONFIGURE_COMMAND ./config shared --prefix=${OPENSSL_INSTALL_DIR}
 			BUILD_COMMAND ${CMD_MAKE}
 			BUILD_IN_SOURCE 1
@@ -334,8 +335,8 @@ if(NOT WIN32 AND NOT APPLE)
 
 		ExternalProject_Add(curl
 			DEPENDS openssl
-			URL "http://download.draios.com/dependencies/curl-7.45.0.tar.bz2"
-			URL_MD5 "62c1a352b28558f25ba6209214beadc8"
+			URL "http://download.draios.com/dependencies/curl-7.52.1.tar.bz2"
+			URL_MD5 "dd014df06ff1d12e173de86873f9f77a"
 			CONFIGURE_COMMAND ./configure ${CURL_SSL_OPTION} --disable-shared --enable-optimize --disable-curldebug --disable-rt --enable-http --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp --without-winssl --without-darwinssl --without-polarssl --without-cyassl --without-nss --without-axtls --without-ca-path --without-ca-bundle --without-libmetalink --without-librtmp --without-winidn --without-libidn --without-nghttp2 --without-libssh2
 			BUILD_COMMAND ${CMD_MAKE}
 			BUILD_IN_SOURCE 1

diff --git a/docker/local/Dockerfile b/docker/local/Dockerfile
@@ -0,0 +1,51 @@
+FROM debian:unstable
+
+MAINTAINER Sysdig <[email protected]>
+
+ENV SYSDIG_VERSION 0.1.1dev
+
+LABEL RUN="docker run -i -t -v /var/run/docker.sock:/host/var/run/docker.sock -v /dev:/host/dev -v /proc:/host/proc:ro -v /boot:/host/boot:ro -v /lib/modules:/host/lib/modules:ro -v /usr:/host/usr:ro --name NAME IMAGE"
+
+ENV SYSDIG_HOST_ROOT /host
+
+ENV HOME /root
+
+RUN cp /etc/skel/.bashrc /root && cp /etc/skel/.profile /root
+
+ADD http://download.draios.com/apt-draios-priority /etc/apt/preferences.d/
+
+RUN echo "deb http://httpredir.debian.org/debian jessie main" > /etc/apt/sources.list.d/jessie.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends \
+	bash-completion \
+	curl \
+	gnupg2 \
+	ca-certificates \
+	gcc \
+	gcc-5 \
+	gcc-4.9 \
+	libelf1 \
+	less \
+	dkms && rm -rf /var/lib/apt/lists/*
+
+# Since our base Debian image ships with GCC 5.0 which breaks older kernels, revert the
+# default to gcc-4.9. Also, since some customers use some very old distributions whose kernel
+# makefile is hardcoded for gcc-4.6 or so (e.g. Debian Wheezy), we pretend to have gcc 4.6/4.7
+# by symlinking it to 4.9
+
+RUN rm -rf /usr/bin/gcc \
+ && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc \
+ && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.8 \
+ && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.7 \
+ && ln -s /usr/bin/gcc-4.9 /usr/bin/gcc-4.6
+
+RUN ln -s $SYSDIG_HOST_ROOT/lib/modules /lib/modules
+
+ADD sysdig-${SYSDIG_VERSION}-x86_64.deb /
+RUN dpkg -i /sysdig-${SYSDIG_VERSION}-x86_64.deb
+
+COPY ./docker-entrypoint.sh /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+
+CMD ["bash"]
diff --git a/docker/local/docker-entrypoint.sh b/docker/local/docker-entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+#set -e
+
+echo "* Setting up /usr/src links from host"
+
+for i in $(ls $SYSDIG_HOST_ROOT/usr/src)
+do
+	ln -s $SYSDIG_HOST_ROOT/usr/src/$i /usr/src/$i
+done
+
+/usr/bin/sysdig-probe-loader
+
+exec "$@"