Bug 14530

Summary: docker-io new security issues CVE-2014-5277, CVE-2014-6407, and CVE-2014-935[6-8]
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Bruno Cornec <bruno>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: mageia
Version: Cauldron
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/620332/
Whiteboard:
Source RPM: docker-io-1.2.0-7.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2014-11-13 16:44:52 CET
OpenSuSE has issued an advisory today (November 13):
http://lists.opensuse.org/opensuse-updates/2014-11/msg00048.html

The relevant part is about docker, as we are already upgrading golang to 1.3.3 in Cauldron, fixing the other issue.

There is a little more info about the docker CVE on the OpenSuSE bug:
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2014-5277

OpenSuSE fixed it by updating Docker to version 1.3.1.

Comment 1 Bruno Cornec 2014-11-19 10:39:44 CET
While trying to update docker-io to 1.3.0 I have an issue with golang-libcontainer:

+ mkdir -p ./_build/src/github.com/docker
++ pwd
+ ln -s /users/bruno/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0 ./_build/src/github.com/docker/libcontainer
++ pwd
+ export GOPATH=/users/bruno/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0/_build:/usr/lib64/golang
+ GOPATH=/users/bruno/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0/_build:/usr/lib64/golang
++ pwd
+ pushd /users/bruno/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0/_build/src
~/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0/_build/src ~/prj/mageia/golang-libcontainer/BUILD/libcontainer-1.2.0
+ go build github.com/docker/libcontainer/nsinit
# github.com/docker/libcontainer/namespaces/nsenter
/tmp/go-build681149517/github.com/docker/libcontainer/namespaces/nsenter/_obj/nsenter.cgo2.o: dans la fonction « init »:
/usr/lib64/golang/src/pkg/github.com/docker/libcontainer/namespaces/nsenter/nsenter.go:7: référence indéfinie vers « nsenter »
collect2: erreur: ld a retourné 1 code d'état d'exécution
erreur : Mauvais statut de sortie pour /users/bruno/prj/mageia/golang-libcontainer/BUILDROOT/rpm-tmp.8GL0hS (%build)


If someone has a clue, that would be great!
Comment 2 Bruno Cornec 2014-11-24 01:22:45 CET
I'm now trying with docker 1.3.1 (tagged or git version) and still have an issue, even after importing all the new golang packages needed:

+ export DOCKER_GITCOMMIT=c59b308/1.3.1.gitc59b308
+ DOCKER_GITCOMMIT=c59b308/1.3.1.gitc59b308
++ pwd
+ export GOPATH=/users/bruno/prj/mageia/docker-io/BUILD/docker-c59b308b6b2fc8112a93d64f4922b0ece01a4e6a/_build:/usr/lib64/golang
+ GOPATH=/users/bruno/prj/mageia/docker-io/BUILD/docker-c59b308b6b2fc8112a93d64f4922b0ece01a4e6a/_build:/usr/lib64/golang
+ hack/make.sh dynbinary
# WARNING! I don't seem to be running in the Docker container.
# The result of this command might be an incorrect build, and will not be
#   officially supported.
#
# Try this instead: make all
#

---> Making bundle: dynbinary (in bundles/1.3.1-dev/dynbinary)
# github.com/docker/docker/pkg/archive
_build/src/github.com/docker/docker/pkg/archive/changes.go:138: undefined: system.Stat
erreur : Mauvais statut de sortie pour /users/bruno/prj/mageia/docker-io/BUILDROOT/rpm-tmp.E6nCVe (%build)

So again looking for hints as I found nothing on my side alone...
Comment 3 David Walser 2014-11-25 00:06:16 CET
Upstream has issued an advisory today (November 24):
http://openwall.com/lists/oss-security/2014/11/24/5

This addresses two new CVEs, CVE-2014-6407 and CVE-2014-6408.

CVE-2014-6408 doesn't affect us as we hadn't yet upgraded to 1.3.x.

Both issues are fixed in 1.3.2.

Summary: docker-io new security issue CVE-2014-5277 => docker-io new security issues CVE-2014-5277 and CVE-2014-6407

Comment 4 David Walser 2014-11-25 16:33:53 CET
The press has caught wind of this :o):
http://www.theregister.co.uk/2014/11/25/docker_vulnerabilities/

Severity: normal => critical

Comment 5 David Walser 2014-11-26 01:36:07 CET
More info on all of these vulnerabilities:
http://www.eweek.com/blogs/security-watch/docker-update-fixes-pair-of-critical-security-flaws.html
David Walser 2014-11-27 17:22:09 CET

Blocks: (none) => 14674

Comment 6 David Walser 2014-12-09 01:38:59 CET
LWN reference for CVE-2014-6707 and CVE-2014-6708:
http://lwn.net/Vulnerabilities/625052/
Comment 7 David Walser 2014-12-12 17:59:24 CET
Docker 1.3.3 and 1.4.0 have been released, fixing more security issues:
http://openwall.com/lists/oss-security/2014/12/12/1

Summary: docker-io new security issues CVE-2014-5277 and CVE-2014-6407 => docker-io new security issues CVE-2014-5277, CVE-2014-6407, and CVE-2014-935[6-8]

Comment 8 David Walser 2014-12-15 20:15:01 CET
(In reply to David Walser from comment #7)
> Docker 1.3.3 and 1.4.0 have been released, fixing more security issues:
> http://openwall.com/lists/oss-security/2014/12/12/1

Fedora has issued an advisory for this on December 13:
https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146224.html
Comment 9 David Walser 2014-12-15 21:11:56 CET
LWN reference for CVE-2014-935[6-8]:
http://lwn.net/Vulnerabilities/626414/
Comment 10 Bruno Cornec 2014-12-21 01:48:37 CET
Updated to 1.4.1. Still the same build issue.
Building locally outside of packages and just tying to the docker build process works.

So I need to dig and find what the differences are.
I've also opened an upstream bug to get help on this at
https://github.com/docker/docker/issues/9453
Comment 11 Sander Lepik 2015-01-17 10:56:38 CET
Ping...

CC: (none) => mageia

Comment 12 Bruno Cornec 2015-01-18 01:15:15 CET
Still working on it, in particular this weekend.
Comment 13 Bruno Cornec 2015-01-22 01:29:03 CET
I have asked to push the related packages to have docker 1.4.1 in Cauldron and mga5.
Bruno Cornec 2015-01-22 01:30:41 CET

Status: NEW => ASSIGNED

Comment 14 David Walser 2015-01-23 17:03:52 CET
Fixed in docker-1.4.1-2.mga5. Nice work Bruno!

Resolution: (none) => FIXED
Blocks: 14674 => (none)
Status: ASSIGNED => RESOLVED