Bug 18456

Summary: docker new security issue CVE-2016-3697
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: bruno, davidwhodgins, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/687396/
Whiteboard: has_procedure advisory mga5-64-ok
Source RPM: docker-1.9.1-1.mga6.src.rpm
CVE:
Status comment:

Description David Walser 2016-05-13 18:28:56 CEST
Red Hat has issued an advisory on May 12:
https://rhn.redhat.com/errata/RHSA-2016-1034.html

Mageia 5 may also be affected.
David Walser 2016-05-13 18:29:06 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Bruno Cornec 2016-05-22 20:33:00 CEST
I've updated cauldron with docker 1.11.1.
As a consequence, I've also uploaded runc and containerd, which are now required when docker is >= 1.11.

My docker install (on mga5) is working fine with these updates.
It just needs to be noted that the first time I launched docker, it computed checksums for my existing images, and systemd timed out :-( There should be a way to avoid that, but I don't have time to look at that now; if someone wants to do it, welcome!

Relaunching docker, it finished computing them, and thus finally launched correctly.

Not sure it's worth putting that version in mga5, so I'll look at backporting the patches that our friends at SuSE have cooked:
https://bugzilla.suse.com/show_bug.cgi?id=976777

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2016-05-23 01:58:57 CEST
I derived a patch from commit da38ac6c79fe902ed0687afc73d731c95c6d491a, which fixes the issue, in order for our version to build. Hopefully this doesn't break anything else. If it does, then I'd recommend backporting the version 1.11 I updated into cooker.

Assignee: bruno => qa-bugs
Target Milestone: --- => Mageia 6

Comment 3 Bruno Cornec 2016-05-23 02:03:03 CEST
Advisory provided

CC: (none) => bruno

Comment 4 David Walser 2016-05-23 02:22:30 CEST
Advisory in SVN updated.

type: security
subject: Updated docker package fixes CVE-2016-3697
CVE:
 - CVE-2016-3697
src:
  5:
   core:
     - docker-1.9.1-1.1.mga5
description: |
  Updated docker packages fix security vulnerability:

  It was found that Docker would launch containers under the specified UID
  instead of a username. An attacker able to launch a container could use this
  flaw to escalate their privileges to root within the launched container
  (CVE-2016-3697).
references:
 - https://bugs.mageia.org/show_bug.cgi?id=18456
 - https://bugzilla.suse.com/show_bug.cgi?id=976777
 - https://rhn.redhat.com/errata/RHSA-2016-1034.html

Updated packages:
================
docker-1.9.1-1.1.mga5
docker-devel-1.9.1-1.1.mga5
docker-fish-completion-1.9.1-1.1.mga5
docker-logrotate-1.9.1-1.1.mga5
docker-unit-test-1.9.1-1.1.mga5
docker-vim-1.9.1-1.1.mga5
docker-zsh-completion-1.9.1-1.1.mga5

Version: Cauldron => 5
Whiteboard: MGA5TOO => advisory
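
The mechanism behind the advisory text above, shown as an added example that is not code from this bug, from Docker or from runc: a container image's /etc/passwd can carry an entry whose *name* is the digit string "1000" but whose uid is 0. A user lookup that accepts a numeric --user argument as either a name or a uid then resolves "--user 1000" to that entry and starts the process as root. The passwd parser, the two lookup functions and the fallback rule (unknown numeric uid used as given with gid 0) are a simplified reconstruction written for this page, and the passwd content is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// User is one /etc/passwd entry, reduced to the fields this example needs.
type User struct {
	Name string
	Uid  int
	Gid  int
}

// samplePasswd is a constructed passwd file from an attacker-controlled image:
// the second entry is a user *named* "1000" whose uid is 0.
const samplePasswd = `root:x:0:0:root:/root:/bin/sh
1000:x:0:0:impostor:/root:/bin/sh
app:x:1000:1000:app:/home/app:/bin/sh
`

// parsePasswd reads passwd-format text (name:pw:uid:gid:gecos:home:shell).
func parsePasswd(content string) ([]User, error) {
	var users []User
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 7 {
			return nil, fmt.Errorf("malformed passwd line: %q", line)
		}
		uid, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, fmt.Errorf("bad uid in %q: %v", line, err)
		}
		gid, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("bad gid in %q: %v", line, err)
		}
		users = append(users, User{Name: f[0], Uid: uid, Gid: gid})
	}
	return users, sc.Err()
}

// vulnerableLookup resolves a "--user" argument the pre-fix way: the argument
// is matched against the name column AND the uid column of every entry, so a
// numeric argument can be captured by an entry that merely has that name.
func vulnerableLookup(users []User, userArg string) (uid, gid int, err error) {
	for _, u := range users {
		if u.Name == userArg || strconv.Itoa(u.Uid) == userArg {
			return u.Uid, u.Gid, nil
		}
	}
	return fallback(userArg)
}

// fixedLookup decides up front whether the argument is numeric: a number is
// matched only against the uid column, a non-number only against the name
// column. An entry named "1000" can no longer hijack "--user 1000".
func fixedLookup(users []User, userArg string) (uid, gid int, err error) {
	n, numErr := strconv.Atoi(userArg)
	for _, u := range users {
		if numErr == nil {
			if u.Uid == n {
				return u.Uid, u.Gid, nil
			}
		} else if u.Name == userArg {
			return u.Uid, u.Gid, nil
		}
	}
	return fallback(userArg)
}

// fallback handles an argument with no passwd entry: a numeric uid is used as
// given with gid 0 (an assumption made for this example); a name is an error.
func fallback(userArg string) (uid, gid int, err error) {
	if n, convErr := strconv.Atoi(userArg); convErr == nil {
		return n, 0, nil
	}
	return 0, 0, fmt.Errorf("user %q not found in passwd", userArg)
}

func main() {
	users, err := parsePasswd(samplePasswd)
	if err != nil {
		panic(err)
	}
	for _, arg := range []string{"1000", "app", "root", "4242"} {
		vu, vg, _ := vulnerableLookup(users, arg)
		fu, fg, _ := fixedLookup(users, arg)
		fmt.Printf("--user %-5s  vulnerable -> %d:%d   fixed -> %d:%d\n", arg, vu, vg, fu, fg)
	}
}
```

Running it shows "--user 1000" resolving to 0:0 under the old matching and to 1000:1000 under the fixed one, while "app", "root" and an absent uid such as 4242 resolve identically in both. The point for a reviewer of the backported patch is that the decision "is this argument a uid?" must be made once, before the passwd scan, rather than letting each entry answer it.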

Comment 5 David Walser 2016-05-23 02:28:06 CEST
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=16984#c10

Target Milestone: Mageia 6 => ---
Whiteboard: advisory => has_procedure advisory

Comment 6 claire robinson 2016-05-23 22:00:56 CEST
Testing complete mga5 64

# docker run hello-world

Hello from Docker.
This message shows that your installation appears to be working correctly.
...etc

Whiteboard: has_procedure advisory => has_procedure advisory mga5-64-ok

Dave Hodgins 2016-05-27 14:03:40 CEST

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Mageia Robot 2016-05-29 15:56:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0209.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED