security fix to runc in docker-1.12.3 wasn't picked

Bug #1675288 reported by Yubao Liu
Affects          Status        Importance  Assigned to  Milestone
runc (Ubuntu)    Fix Released  Undecided   Unassigned
  Xenial         Fix Released  Undecided   Unassigned
  Yakkety        Won't Fix     Undecided   Unassigned

Bug Description

[Impact]
https://github.com/docker/docker/issues/27590#issuecomment-255241013

The steps are very clear and it's very easy to reproduce, so I don't repeat them here.

The CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8867

[Test case]
$ tmp=$(mktemp -d)
$ cd $tmp
$ cat > Dockerfile << EOF
FROM debian
RUN useradd example
RUN id
USER example
RUN id
RUN cat /etc/shadow
CMD /bin/bash
EOF
$ docker build --no-cache -t example .

The 'cat /etc/shadow' in the Dockerfile should fail.
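The following script, added here as an illustration and not part of the bug report, automates the [Test case] above on a host and classifies the outcome: on a patched runc the non-root `cat /etc/shadow` step fails, so `docker build` exits non-zero with "Permission denied" in its output, whereas on an affected host the build succeeds and the shadow contents are printed. It assumes a working docker CLI on the host; the `DOCKER` variable, `classify_build` and `run_check` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): run the Dockerfile test case and
# classify the result. Assumes the docker CLI is installed; DOCKER may be
# overridden (e.g. with a wrapper) when docker is not available.
DOCKER="${DOCKER:-docker}"

# classify_build <exit_status> <build_output>
# Prints "patched", "vulnerable" or "inconclusive".
classify_build() {
    status="$1"
    output="$2"
    if [ "$status" -ne 0 ] && printf '%s' "$output" | grep -q 'Permission denied'; then
        # the unprivileged RUN step was denied, as it should be
        echo patched
    elif [ "$status" -eq 0 ] && printf '%s' "$output" | grep -q '^root:'; then
        # the build succeeded and root's shadow entry was echoed: CVE-2016-8867 behaviour
        echo vulnerable
    else
        # docker missing, network failure, image pull error, etc.
        echo inconclusive
    fi
}

# run_check: write the Dockerfile from the bug report into a temp dir,
# build it without cache and print the classification.
run_check() {
    tmp=$(mktemp -d)
    cat > "$tmp/Dockerfile" << 'EOF'
FROM debian
RUN useradd example
RUN id
USER example
RUN id
RUN cat /etc/shadow
CMD /bin/bash
EOF
    output=$("$DOCKER" build --no-cache -t example "$tmp" 2>&1)
    status=$?
    rm -rf "$tmp"
    classify_build "$status" "$output"
}
```

Run `run_check` on the host under test; anything other than "patched" means the installed runc still needs attention or the check itself could not run.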

[Regression potential]
We're fixing this by moving to the exact commit of runc the docker 1.12.6 release expects, so there shouldn't be any issues. In addition https://wiki.ubuntu.com/DockerUpdates applies.

Yubao Liu (liuyubao)
information type: Private Security → Public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc - 1.0.0~rc2+docker1.12.6-0ubuntu1

---------------
runc (1.0.0~rc2+docker1.12.6-0ubuntu1) zesty; urgency=medium

  * Update to the precise commit included in Docker 1.12.6 (LP: #1675288)

 -- Tianon Gravi <email address hidden> Fri, 24 Mar 2017 14:26:40 -0700

Changed in runc (Ubuntu):
status: New → Fix Released
description: updated
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Yubao, or anyone else affected,

Accepted runc into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc2+docker1.12.6-0ubuntu1~16.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in runc (Ubuntu Yakkety):
status: New → Fix Committed
tags: added: verification-needed
Łukasz Zemczak (sil2100) wrote :

Hello Yubao, or anyone else affected,

Accepted runc into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/runc/1.0.0~rc2+docker1.12.6-0ubuntu1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in runc (Ubuntu Xenial):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote : Change of SRU verification policy

As part of a recent change in the Stable Release Update verification policy we would like to inform you that for a bug to be considered verified for a given release a verification-done-$RELEASE tag needs to be added to the bug, where $RELEASE is the name of the series of the package that was tested (e.g. verification-done-xenial). Please note that the global 'verification-done' tag can no longer be used for this purpose.

Thank you!

Michael Hudson-Doyle (mwhudson) wrote :

Confirmed that this is fixed with the version in xenial-proposed: http://paste.ubuntu.com/25066235/

Given that yakkety EOLs in slightly more than a week I am not worried about that.

tags: added: verification-done-trusty
removed: verification-needed
tags: added: verification-done-xenial
removed: verification-done-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc - 1.0.0~rc2+docker1.12.6-0ubuntu1~16.04.1

---------------
runc (1.0.0~rc2+docker1.12.6-0ubuntu1~16.04.1) xenial; urgency=medium

  * Backport to Xenial. (LP: #1675288)

 -- Michael Hudson-Doyle <email address hidden> Tue, 28 Mar 2017 13:49:34 +1300

Changed in runc (Ubuntu Xenial):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for runc has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in runc (Ubuntu Yakkety):
status: Fix Committed → Won't Fix