security fix to runc in docker-1.12.3 wasn't picked

Bug #1675288 reported by Yubao Liu on 2017-03-23
Affects          Importance  Assigned to
runc (Ubuntu)    Undecided   Unassigned
Xenial           Undecided   Unassigned
Yakkety          Undecided   Unassigned

Bug Description

[Impact]
https://github.com/docker/docker/issues/27590#issuecomment-255241013

The steps are very clear and it is very easy to reproduce, so I won't repeat them here.

The CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8867

[Test case]
$ tmp=$(mktemp -d)
$ cd $tmp
$ cat > Dockerfile << EOF
FROM debian
RUN useradd example
RUN id
USER example
RUN id
RUN cat /etc/shadow
CMD /bin/bash
EOF
$ docker build --no-cache -t example .

The 'cat /etc/shadow' in the Dockerfile should fail.

[Regression potential]
We're fixing this by moving to the exact commit of runc the docker 1.12.6 release expects, so there shouldn't be any issues. In addition https://wiki.ubuntu.com/DockerUpdates applies.

Yubao Liu (liuyubao) on 2017-03-23
information type: Private Security → Public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc - 1.0.0~rc2+docker1.12.6-0ubuntu1

---------------
runc (1.0.0~rc2+docker1.12.6-0ubuntu1) zesty; urgency=medium

  * Update to the precise commit included in Docker 1.12.6 (LP: #1675288)

 -- Tianon Gravi <email address hidden> Fri, 24 Mar 2017 14:26:40 -0700

Changed in runc (Ubuntu):
status: New → Fix Released
description: updated

Hello Yubao, or anyone else affected,

Accepted runc into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc2+docker1.12.6-0ubuntu1~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in runc (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed
Łukasz Zemczak (sil2100) wrote :

Hello Yubao, or anyone else affected,

Accepted runc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc2+docker1.12.6-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in runc (Ubuntu Xenial):
status: New → Fix Committed

As part of a recent change in the Stable Release Update verification policy we would like to inform you that for a bug to be considered verified for a given release a verification-done-$RELEASE tag needs to be added to the bug, where $RELEASE is the name of the series on which the package was tested (e.g. verification-done-xenial). Please note that the global 'verification-done' tag can no longer be used for this purpose.

Thank you!

Michael Hudson-Doyle (mwhudson) wrote :

Confirmed that this is fixed with the version in xenial-proposed: http://paste.ubuntu.com/25066235/

Given that yakkety EOLs in slightly more than a week, I am not worried about that.

tags: added: verification-done-trusty
removed: verification-needed
tags: added: verification-done-xenial
removed: verification-done-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc - 1.0.0~rc2+docker1.12.6-0ubuntu1~16.04.1

---------------
runc (1.0.0~rc2+docker1.12.6-0ubuntu1~16.04.1) xenial; urgency=medium

  * Backport to Xenial. (LP: #1675288)

 -- Michael Hudson-Doyle <email address hidden> Tue, 28 Mar 2017 13:49:34 +1300

Changed in runc (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for runc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in runc (Ubuntu Yakkety):
status: Fix Committed → Won't Fix