cve-2019-14271,docker cp

[x1280]

How to solve this problem
docker cp test:/etc/passwd /home
Error response from daemon: error processing tar file: docker-tar: relocation error: /lib/x86_64-linux-gnu/libnss_files.so.2: symbol __libc_readline_unlocked version GLIBC_PRIVATE not defined in file libc.so.6 with link time reference
: exit status 127

[brant-ruan]

How to solve this problem
docker cp test:/etc/passwd /home
Error response from daemon: error processing tar file: docker-tar: relocation error: /lib/x86_64-linux-gnu/libnss_files.so.2: symbol __libc_readline_unlocked version GLIBC_PRIVATE not defined in file libc.so.6 with link time reference
: exit status 127

Hi @x1280 , could you please give more information about your OS environment and reproduction process (also metarget commands)? It works in my environment (refering to writeup here).

[x1280]

ubuntu18.04 .4 5.3.0-28-generic
运行docker cp 会报错，原因应该是检测到这个版本docker cp 有问题，请问您用的是什么环境复现的？

[ListenerMoya]

try to run container with alpine image, not ubuntu

[allewwaly]

try to run container with alpine image, not ubuntu

That solved the problem of docker cp, however the inotifywait command won't get any notification of file access.

My OS: ubuntu18.04
Command used to run docker:
john@ubuntu:~$ sudo docker run -itd --name=test alpine 44fca15ab752845489cfac2788725961c38d76eae6d8964491d617fa15556c9d john@ubuntu:~$ sudo docker exec -it test cat /proc/mounts | grep docker overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/C5RY6AI72SZHPALBFW4UNSDI3M:/var/lib/docker/overlay2/l/FJDOTHRFRXKVGRWVK3GR2JHQFG,upperdir=/var/lib/docker/overlay2/711b8b61bd1b2564ff32c38f7a8afc9e5eab4a8a1d53e9279e4202cc067666b7/diff,workdir=/var/lib/docker/overlay2/711b8b61bd1b2564ff32c38f7a8afc9e5eab4a8a1d53e9279e4202cc067666b7/work,xino=off 0 0 john@ubuntu:~$ sudo docker cp test:/etc/passwd ./ john@ubuntu:~$
Commands used to monitor file access:
sudo inotifywait -mr /var/lib/docker/overlay2/711b8b61bd1b2564ff32c38f7a8afc9e5eab4a8a1d53e9279e4202cc067666b7/merged/lib/ Setting up watches. Beware: since -r was given, this may take a while! Watches established.

[XDTG]

I have the same problem. And it seems like a docker version mistake.

root@pc:metarget# ./metarget cnv install cve-2019-14271
cve-2019-14271 is going to be installed
uninstalling current docker gadgets if applicable
installing prerequisites
adding apt repository deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable
adding apt repository deb http://archive.ubuntu.com/ubuntu xenial-updates universe
adding apt repository deb http://archive.ubuntu.com/ubuntu bionic-updates universe
installing docker-ce with 5:19.03.0~3-0~ubuntu-bionic version
cve-2019-14271 successfully installed

root@pc:metarget# docker -v
Docker version 20.10.14, build a224086

But cve-2019-14271 still works on it (by changing libnss_files.so.2)..., What's happening here？