fix: qualify Fabric server jar by installer version

Fixes #1191
secruity: Fix CVE-2021-44228 mitigation (#1190 )
2026-02-17 07:03:57 +00:00 · 2021-12-12 15:28:30 -06:00 · 2021-12-12 08:19:16 -06:00 · 2021-12-12 08:10:18 -06:00 · 2021-12-11 16:51:01 -06:00
4 changed files with 80 additions and 45 deletions
--- a/19
+++ b/19
@@ -26,7 +26,7 @@ RUN apt-get update \
 RUN addgroup --gid 1000 minecraft \
  && adduser --system --shell /bin/false --uid 1000 --ingroup minecraft --home /data minecraft

-COPY files/sudoers* /etc/sudoers.d
+COPY --chmod=644 files/sudoers* /etc/sudoers.d

 EXPOSE 25565 25575

@@ -60,7 +60,7 @@ RUN easy-add --var os=${TARGETOS} --var arch=${TARGETARCH}${TARGETVARIANT} \
 --var version=0.1.1 --var app=maven-metadata-release --file {{.app}} \
 --from https://github.com/itzg/{{.app}}/releases/download/{{.version}}/{{.app}}_{{.version}}_{{.os}}_{{.arch}}.tar.gz

-ARG MC_HELPER_VERSION=1.10.0
+ARG MC_HELPER_VERSION=1.11.0
 ARG MC_HELPER_BASE_URL=https://github.com/itzg/mc-image-helper/releases/download/v${MC_HELPER_VERSION}
 RUN curl -fsSL ${MC_HELPER_BASE_URL}/mc-image-helper-${MC_HELPER_VERSION}.tgz \
    | tar -C /usr/share -zxf - \
@@ -78,15 +78,14 @@ ENV UID=1000 GID=1000 \
  ENABLE_AUTOPAUSE=false AUTOPAUSE_TIMEOUT_EST=3600 AUTOPAUSE_TIMEOUT_KN=120 AUTOPAUSE_TIMEOUT_INIT=600 \
  AUTOPAUSE_PERIOD=10 AUTOPAUSE_KNOCK_INTERFACE=eth0

-COPY scripts/start* /
-COPY bin/ /usr/local/bin/
-COPY bin/mc-health /health.sh
-COPY files/server.properties /tmp/server.properties
-COPY files/log4j2.xml /tmp/log4j2.xml
-COPY files/autopause /autopause
+COPY --chmod=755 scripts/start* /
+COPY --chmod=755 bin/ /usr/local/bin/
+COPY --chmod=755 bin/mc-health /health.sh
+COPY --chmod=644 files/server.properties /tmp/server.properties
+COPY --chmod=644 files/log4j2.xml /tmp/log4j2.xml
+COPY --chmod=755 files/autopause /autopause

-RUN dos2unix /start* && chmod +x /start* \
-    && dos2unix /autopause/* && chmod +x /autopause/*.sh
+RUN dos2unix /start* /autopause/*

 ENTRYPOINT [ "/start" ]
 HEALTHCHECK --start-period=1m CMD mc-health
--- a/docker-versions-create.sh
+++ b/docker-versions-create.sh
@@ -130,3 +130,28 @@ EOL
  fi

 done
+
+if [[ $tag ]]; then
+  if [ -f "$HOME/.github.env" ]; then
+    source "$HOME/.github.env"
+    if [[ $GITHUB_TOKEN ]]
+    then
+      auth=(-u ":$GITHUB_TOKEN")
+      base=https://api.github.com
+      : "${owner:=itzg}"
+      : "${repo:=docker-minecraft-server}"
+      read -r -d '' releaseBody << EOF
+        {
+          "tag_name": "$tag",
+          "name": "$tag",
+          "generate_release_notes": true
+        }
+EOF
+      if ! curl "${auth[@]}" -H "Accept: application/vnd.github.v3+json" \
+        "${base}/repos/${owner}/${repo}/releases" -d "$releaseBody"; then
+          echo "ERROR failed to create github release $tag"
+          exit 1
+      fi
+    fi
+  fi
+fi
--- a/scripts/start-deployFabric
+++ b/scripts/start-deployFabric
@@ -2,27 +2,31 @@
 set -eu

 # shellcheck source=start-utils
-. ${SCRIPTS:-/}start-utils
+. "${SCRIPTS:-/}start-utils"

 requireVar VANILLA_VERSION
 export TYPE=FABRIC
-export SERVER=fabric-server-${VANILLA_VERSION}.jar
+: "${FABRIC_INSTALLER_VERSION:=${FABRICVERSION:-LATEST}}"
+: "${FABRIC_INSTALLER:=}"
+: "${FABRIC_INSTALLER_URL:=}"
+: "${FABRIC_LOADER_VERSION:=LATEST}"

 isDebugging && set -x

+log "Checking Fabric version information."
+if [[ $FABRIC_INSTALLER ]]; then
+  FABRIC_INSTALLER_VERSION=$(echo -n "$FABRIC_INSTALLER" | mc-image-helper hash)
+elif [[ $FABRIC_INSTALLER_URL ]]; then
+  FABRIC_INSTALLER_VERSION=$(echo -n "$FABRIC_INSTALLER_URL" | mc-image-helper hash)
+elif [[ ${FABRIC_INSTALLER_VERSION^^} = LATEST ]]; then
+  FABRIC_INSTALLER_VERSION=$(maven-metadata-release https://maven.fabricmc.net/net/fabricmc/fabric-installer/maven-metadata.xml)
+fi
+
+export SERVER=fabric-server-${VANILLA_VERSION}-${FABRIC_INSTALLER_VERSION}.jar
+
 if [[ ! -e ${SERVER} ]]; then

-  : ${FABRIC_INSTALLER:=}
-  : ${FABRIC_INSTALLER_URL:=}
-  : ${FABRIC_LOADER_VERSION:=LATEST}
-  : ${FABRIC_INSTALLER_VERSION:=${FABRICVERSION:-LATEST}}
-
  if [[ -z $FABRIC_INSTALLER && -z $FABRIC_INSTALLER_URL ]]; then
-    log "Checking Fabric version information."
-    if [[ ${FABRIC_INSTALLER_VERSION^^} = LATEST ]]; then
-      FABRIC_INSTALLER_VERSION=$(maven-metadata-release https://maven.fabricmc.net/net/fabricmc/fabric-installer/maven-metadata.xml)
-    fi
-
    FABRIC_INSTALLER="fabric-installer-${FABRIC_INSTALLER_VERSION}.jar"
    FABRIC_INSTALLER_URL="https://maven.fabricmc.net/net/fabricmc/fabric-installer/${FABRIC_INSTALLER_VERSION}/fabric-installer-${FABRIC_INSTALLER_VERSION}.jar"
  elif [[ -z $FABRIC_INSTALLER ]]; then
@@ -70,4 +74,4 @@ if [[ ! -e ${SERVER} ]]; then
 fi

 export FAMILY=FABRIC
-exec ${SCRIPTS:-/}start-setupWorld "$@"
+exec "${SCRIPTS:-/}start-setupWorld" "$@"
--- a/scripts/start-finalExec
+++ b/scripts/start-finalExec
@@ -107,7 +107,36 @@ if [ -n "$ICON" ]; then
    fi
 fi

+canUseRollingLogs=true
+
+patchLog4jConfig() {
+  file=${1?}
+  url=${2?}
+  if ! get -o "$file" "$url"; then
+    log "ERROR: failed to download corrected log4j config"
+    exit 1
+  fi
+  JVM_OPTS="-Dlog4j.configurationFile=${file} ${JVM_OPTS}"
+  canUseRollingLogs=false
+}
+
+# Patch Log4j remote code execution vulnerability
+# See https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
+if versionLessThan 1.7; then
+  : # No patch required here.
+elif isFamily VANILLA && versionLessThan 1.12; then
+  patchLog4jConfig log4j2_17-111.xml https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml
+elif isFamily VANILLA && versionLessThan 1.17; then
+  patchLog4jConfig log4j2_112-116.xml https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml
+elif versionLessThan 1.18.1; then
+  JVM_OPTS="-Dlog4j2.formatMsgNoLookups=true ${JVM_OPTS}"
+fi
+
 if isTrue ${ENABLE_ROLLING_LOGS:-false}; then
+  if ! ${canUseRollingLogs}; then
+    log "ERROR: Using rolling logs is currently not possible in the selected version due to CVE-2021-44228"
+    exit 1
+  fi
  # Set up log configuration
  LOGFILE="/data/log4j2.xml"
  if [ ! -e "$LOGFILE" ]; then
@@ -150,28 +179,6 @@ if [ -n "$JVM_DD_OPTS" ]; then
      done
 fi

-patchLog4jConfig() {
-  file=${1?}
-  url=${2?}
-  if ! get -o "$file" "$url"; then
-    log "ERROR: failed to download corrected log4j config"
-    exit 1
-  fi
-  JVM_OPTS="-Dlog4j.configurationFile=${file} ${JVM_OPTS}"
-}
-
-# Patch Log4j remote code execution vulnerability
-# See https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
-if versionLessThan 1.7; then
-  : # No patch required here.
-elif isFamily VANILLA && versionLessThan 1.12; then
-  patchLog4jConfig log4j2_17-111.xml https://launcher.mojang.com/v1/objects/dd2b723346a8dcd48e7f4d245f6bf09e98db9696/log4j2_17-111.xml
-elif isFamily VANILLA && versionLessThan 1.17; then
-  patchLog4jConfig log4j2_112-116.xml https://launcher.mojang.com/v1/objects/02937d122c86ce73319ef9975b58896fc1b491d1/log4j2_112-116.xml
-elif versionLessThan 1.18.1; then
-  JVM_OPTS="-Dlog4j2.formatMsgNoLookups=true ${JVM_OPTS}"
-fi
-
 if isTrue ${ENABLE_JMX}; then
  : ${JMX_PORT:=7091}
  JVM_OPTS="${JVM_OPTS}
Author	SHA1	Message	Date
Geoff Bourne	4b28d5e472	fix: qualify Fabric server jar by installer version Fixes #1191	2021-12-12 15:28:30 -06:00
Levy Ehrstein	eccc989887	secruity: Fix CVE-2021-44228 mitigation (#1190 )	2021-12-12 08:19:16 -06:00
Brett Randall	c4aa105042	Added --chmod to all COPY instructions in Dockerfile (#1184 )	2021-12-12 08:10:18 -06:00
Geoff Bourne	ffcb76f73f	build: auto-create github release when docker-versions-create with tag (#1188 )	2021-12-11 16:51:01 -06:00