security fix to runc in docker-1.12.3 wasn't picked

Bug #1675288 reported by Yubao Liu on 2017-03-23
Affects         Status   Importance   Assigned to   Milestone
runc (Ubuntu)            Undecided    Unassigned
  Xenial                 Undecided    Unassigned
  Yakkety                Undecided    Unassigned

Bug Description

[Impact]
https://github.com/docker/docker/issues/27590#issuecomment-255241013

The steps are very clear and it's very easy to reproduce, so I won't repeat them here.

The CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8867

[Test case]
$ tmp=$(mktemp -d)
$ cd $tmp
$ cat > Dockerfile << EOF
FROM debian
RUN useradd example
RUN id
USER example
RUN id
RUN cat /etc/shadow
CMD /bin/bash
EOF
$ docker build --no-cache -t example .

The 'cat /etc/shadow' in the Dockerfile should fail.

[Regression potential]
We're fixing this by moving to the exact commit of runc the docker 1.12.6 release expects, so there shouldn't be any issues. In addition https://wiki.ubuntu.com/DockerUpdates applies.
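The SRU comments below ask testers to run the test case and report verification-done or verification-failed. The following script is an added example (not part of the bug report or the Ubuntu runc package) that automates exactly that: it writes the Dockerfile from the description, runs the same `docker build`, and decides from the exit status and output whether the unprivileged `RUN cat /etc/shadow` step was refused. The decision logic is separated into `classify_build` so it can be exercised without Docker. Assumptions: `docker` and `dpkg` are on PATH when the driver runs, and a refused read shows up in the build output as the usual `cat: /etc/shadow: Permission denied` line; the fixed version string is the one from the changelog in this bug.

```shell
#!/bin/sh
# Verification helper for the runc update in this bug (LP: #1675288,
# CVE-2016-8867). Added example, not part of the bug report or the Ubuntu
# package. Assumes docker and dpkg are on PATH when the driver runs; the
# decision logic is plain shell so it can be checked without them.

# Fixed package version, taken from the changelog posted in this bug.
FIXED_VERSION='1.0.0~rc2+docker1.12.6-0ubuntu1'

# classify_build STATUS OUTPUT
# STATUS is the exit code of 'docker build', OUTPUT its combined stdout/stderr.
# Prints "fixed" when the build stopped at the /etc/shadow step with a
# permission error, "vulnerable" when the build succeeded (the unprivileged
# step could read the file), and "inconclusive" for any other failure
# (for example the base image could not be pulled).
classify_build() {
    if [ "$1" -eq 0 ]; then
        echo vulnerable
        return 0
    fi
    case $2 in
        *"cat: /etc/shadow: Permission denied"*) echo fixed ;;
        *) echo inconclusive ;;
    esac
}

# installed_runc_is_fixed VERSION
# Returns 0 when VERSION sorts at or above FIXED_VERSION in Debian ordering.
installed_runc_is_fixed() {
    dpkg --compare-versions "$1" ge "$FIXED_VERSION"
}

# run_verification: builds the image from the bug's Dockerfile and prints
# the tag the SRU process asks for (verification-done / verification-failed).
run_verification() {
    ver=$(dpkg-query -W -f '${Version}' runc 2>/dev/null)
    echo "installed runc: ${ver:-not installed} (fixed: $FIXED_VERSION)"
    if [ -n "$ver" ] && ! installed_runc_is_fixed "$ver"; then
        echo "installed runc predates the fix; enable -proposed first" >&2
    fi
    tmp=$(mktemp -d)
    # Dockerfile copied verbatim from the [Test case] section of this bug.
    cat > "$tmp/Dockerfile" <<'EOF'
FROM debian
RUN useradd example
RUN id
USER example
RUN id
RUN cat /etc/shadow
CMD /bin/bash
EOF
    out=$(docker build --no-cache -t example "$tmp" 2>&1)
    st=$?
    rm -rf "$tmp"
    result=$(classify_build "$st" "$out")
    case $result in
        fixed)      echo "verification-done: unprivileged RUN could not read /etc/shadow" ;;
        vulnerable) echo "verification-failed: unprivileged RUN read /etc/shadow" ;;
        *)          echo "inconclusive: build failed for another reason"; printf '%s\n' "$out" ;;
    esac
    [ "$result" = fixed ]
}

# Run the full check only when asked, so the file can also be sourced for
# its functions:  sh verify-runc.sh run
case "${1:-}" in
    run) run_verification ;;
esac
```

Run it as `sh verify-runc.sh run` on a host with the -proposed package installed; the exit status is 0 only when the build was refused at the `/etc/shadow` step, so it can be dropped straight into a CI job. A successful build is reported as a failure on purpose: the whole point of the test case is that the step must not succeed.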

Yubao Liu (liuyubao) on 2017-03-23
information type: Private Security → Public
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package runc - 1.0.0~rc2+docker1.12.6-0ubuntu1

---------------
runc (1.0.0~rc2+docker1.12.6-0ubuntu1) zesty; urgency=medium

  * Update to the precise commit included in Docker 1.12.6 (LP: #1675288)

 -- Tianon Gravi <email address hidden> Fri, 24 Mar 2017 14:26:40 -0700

Changed in runc (Ubuntu):
status: New → Fix Released
description: updated

Hello Yubao, or anyone else affected,

Accepted runc into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc2+docker1.12.6-0ubuntu1~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in runc (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed
Łukasz Zemczak (sil2100) wrote:

Hello Yubao, or anyone else affected,

Accepted runc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc2+docker1.12.6-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in runc (Ubuntu Xenial):
status: New → Fix Committed