| Summary: | docker new security issue CVE-2017-14992 and CVE-2017-16539 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, sysadmin-bugs, tarazed25, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | docker-17.05.0-1.mga7.src.rpm | CVE: | |
| Status comment: | Fixed upstream in 17.09.1 | ||
|
Description
David Walser
2017-12-15 21:21:14 CET
Looks like it was fixed in 17.09.1: https://docs.docker.com/release-notes/docker-ce/#stable-releases

Whiteboard: (none) => MGA6TOO

David Walser
2018-02-02 18:24:24 CET
Status comment: (none) => Fixed upstream in 17.09.1

openSUSE has issued an advisory on February 9:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00034.html

This issue was also fixed upstream in 17.09.1.

Summary: docker new security issue CVE-2017-14992 => docker new security issue CVE-2017-14992 and CVE-2017-16539

I have started to work on the update of the full Docker stack, but encountered some issues. Will work with the ML for some help around it.

Status: NEW => ASSIGNED

Fedora has issued an advisory on July 12:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZROWSFFIHGDTF4YUUQMDDKXOWPTGADSF/

I'm not sure if this new issue, CVE-2018-10892, affects us. It has been fixed in a commit upstream but not yet in a released docker-ce version. According to this comment upstream, our kernel may protect against this already:
https://github.com/moby/moby/pull/37404#issuecomment-403221335

Joseph Wang has made docker packages that are now working, so as soon as it's pushed in cauldron, I'll try to update 6 with these versions if possible.

docker-18.06.1-1.mga7 is now in cauldron
David Walser
2018-10-16 15:13:57 CEST
Whiteboard: MGA6TOO => (none)

I updated golang to 1.11.1 in mga6 updates_testing in order to be able to compile docker afterwards (1.10+ needed). It would need to be pushed before I can update docker for mga6.

docker-18.06.1-1.mga6 is now pushed to updates_testing. In order to test it, you also need additional updates pushed in the same place:
- opencontainers-runc-1.0.0rc5-3.mga6
- docker-containerd-1.2.0-0.beta.2.2.mga6

Assignee: bruno => qa-bugs

Advisory:
========================

Updated docker packages fix security vulnerabilities:

Lack of content verification in docker allowed a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing (CVE-2017-14992).

The DefaultLinuxSpec function in oci/defaults.go in docker did not block /proc/scsi pathnames, which allowed attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP (CVE-2017-16539).

Container breakout without selinux in enforcing mode (CVE-2018-10892).

The docker package has been updated to version 18.06.1 to fix these issues and other bugs. Also, the golang package was updated to version 1.11.1 to be able to build the updated docker software. Additionally, the docker-containerd and opencontainers-runc packages have been updated to work with the updated docker package.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14992
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10892
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LA2D3UDMXW44UEZC4BRH5EKHBGQNP2UC/
https://lists.opensuse.org/opensuse-updates/2018-02/msg00034.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZROWSFFIHGDTF4YUUQMDDKXOWPTGADSF/
========================

Updated packages in core/updates_testing:
========================
golang-1.11.1-1.mga6
golang-docs-1.11.1-1.mga6
golang-misc-1.11.1-1.mga6
golang-tests-1.11.1-1.mga6
golang-src-1.11.1-1.mga6
golang-bin-1.11.1-1.mga6
golang-shared-1.11.1-1.mga6
docker-containerd-1.2.0-0.beta.2.2.mga6
opencontainers-runc-1.0.0rc5-3.mga6
docker-18.06.1-1.mga6
docker-devel-18.06.1-1.mga6
docker-fish-completion-18.06.1-1.mga6
docker-logrotate-18.06.1-1.mga6
docker-unit-test-18.06.1-1.mga6
docker-vim-18.06.1-1.mga6
docker-zsh-completion-18.06.1-1.mga6
docker-nano-18.06.1-1.mga6

from SRPMS:
golang-1.11.1-1.mga6.src.rpm
docker-containerd-1.2.0-0.beta.2.2.mga6.src.rpm
opencontainers-runc-1.0.0rc5-3.mga6.src.rpm
docker-18.06.1-1.mga6.src.rpm

Oops - just gave this an OK - midair collision.

CC: (none) => tarazed25

Mageia 6, x86_64
Referring to my notes it looks like this has come up before - don't know the bug number. Referring to my ebook on using docker - I know we cannot advertise in Mageia but this volume is highly recommended by me. Shall try to limit quotes. Does anybody know the law on such matters?
Limiting this test to ensuring that the updated docker runs OK.
Before the update:
$ sudo systemctl enable docker
$ sudo systemctl start docker
Checked version with built-in command - a lot of output.
Grant user privileges to run docker.
$ sudo usermod -aG docker lcl
$
Logout and in.
$ sudo systemctl restart docker
Checked version, then:
$ docker run debian echo "Hello World"
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
bc9ab73e5b14: Pull complete
Digest: sha256:802706fa62e75c96fff96ada0e8ca11f570895ae2e9ba4a9d409981750ca544c
Status: Downloaded newer image for debian:latest
Hello World
Successfully updated docker and golang.
$ sudo systemctl restart docker
The container is now available locally, stored as an image named debian.
$ docker run debian echo "Hello World"
Hello World
$ docker version
Client:
Version: 18.06.0-dev
API version: 1.38
Go version: go1.11.1
Git commit: e68fc7a
Built: Tue Oct 16 18:09:48 2018
OS/Arch: linux/amd64
Experimental: false
Server:
Engine:
Version: dev
API version: 1.38 (minimum version 1.12)
Go version: go1.11.1
Git commit: e68fc7a
Built: Tue Oct 16 18:08:16 2018
OS/Arch: linux/amd64
Experimental: false
Establish a shell in the container:
$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# echo "Can you hear me muther?"
Can you hear me muther?
root@Debby:/# exit
exit
$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/#
Attempt to break the container...
root@Debby:/# mv /bin /basket
root@Debby:/# ls
bash: ls: command not found
From another terminal:
$ docker ps
CONTAINER ID   IMAGE    COMMAND       CREATED              STATUS              PORTS   NAMES
5504fae8075d   debian   "/bin/bash"   About a minute ago   Up About a minute           zealous_pare
$ docker inspect zealous_pare
[
    {
        "Id": "5504fae8075de66538efb6f19688c89d1172ab3bf11e1fdc0fe1450e8a2d345a",
        "Created": "2018-10-18T08:58:26.920237021Z",
        [...]
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:02",
                    "DriverOpts": null
                }
            }
        }
    }
]
Lots of information but if you know what to look for use grep:
$ docker inspect zealous_pare | grep IPAddress
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
The format command can also be used to get specific information.
There is a 'diff' command but the output does not mean much to me.
I do not think there is much point in working through the whole tutorial here - these simple tests should be enough to show that docker is running normally.
But referring to the advisory:
"Also, the golang package was updated to version 1.11.1 to be able to build the
update docker software.
Additionally, the docker-containerd and opencontainers-runc packages have been
updated to work with the updated docker package."
??
OK for 64-bits.
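The advisory in this bug describes CVE-2017-14992 as a lack of content verification that lets a crafted layer gzip-bomb the daemon during a pull. The following Go program is an added illustration of the principle behind that class of fix; it is not Docker's code and not the upstream patch. It shows the two guards a layer fetcher needs: check the compressed blob's size and digest against what the manifest declared before inflating anything, and cap the decompressed output so an overrun aborts the pull rather than filling the disk. The names (`ExtractLayer`, `LayerDescriptor`, `makeLayer`), the 1 MiB limit and the zero-filled sample layer are this example's own.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ErrLayerTooLarge is returned when a layer inflates past the allowed size.
var ErrLayerTooLarge = errors.New("layer exceeds decompressed size limit")

// ErrLayerMismatch is returned when the compressed blob does not match the
// size and digest the manifest declared for it.
var ErrLayerMismatch = errors.New("layer size or digest does not match manifest")

// LayerDescriptor mirrors the two manifest fields that matter here (example
// type; a real image descriptor carries more).
type LayerDescriptor struct {
	Size   int64  // compressed size declared by the manifest
	Digest string // "sha256:<hex>" over the compressed bytes
}

// verifyBlob checks the compressed blob against the manifest before any
// decompression happens, so a registry-supplied blob that does not match
// what the (digest-pinned) manifest promised is rejected without being inflated.
func verifyBlob(blob []byte, d LayerDescriptor) error {
	if int64(len(blob)) != d.Size {
		return ErrLayerMismatch
	}
	sum := sha256.Sum256(blob)
	if "sha256:"+hex.EncodeToString(sum[:]) != d.Digest {
		return ErrLayerMismatch
	}
	return nil
}

// ExtractLayer inflates a gzip layer into dst, refusing to produce more than
// maxDecompressed bytes. It returns the number of bytes written to dst.
func ExtractLayer(dst io.Writer, blob []byte, d LayerDescriptor, maxDecompressed int64) (int64, error) {
	if err := verifyBlob(blob, d); err != nil {
		return 0, err
	}
	gz, err := gzip.NewReader(bytes.NewReader(blob))
	if err != nil {
		return 0, fmt.Errorf("bad gzip header: %w", err)
	}
	defer gz.Close()
	// Read at most limit+1 bytes: the extra byte proves the overrun without
	// inflating the rest of the bomb.
	n, err := io.Copy(dst, io.LimitReader(gz, maxDecompressed+1))
	if err != nil {
		return n, fmt.Errorf("decompress: %w", err)
	}
	if n > maxDecompressed {
		return n, ErrLayerTooLarge
	}
	return n, nil
}

// makeLayer gzips data and returns the blob plus the descriptor a manifest
// would carry for it. Used only to construct sample input for this example.
func makeLayer(data []byte) ([]byte, LayerDescriptor) {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(data)
	w.Close()
	sum := sha256.Sum256(buf.Bytes())
	return buf.Bytes(), LayerDescriptor{
		Size:   int64(buf.Len()),
		Digest: "sha256:" + hex.EncodeToString(sum[:]),
	}
}

func main() {
	// Constructed bomb: 8 MiB of zeros gzips to a few KiB.
	bomb, desc := makeLayer(make([]byte, 8<<20))
	fmt.Printf("compressed blob: %d bytes\n", len(bomb))

	n, err := ExtractLayer(io.Discard, bomb, desc, 1<<20)
	fmt.Printf("bounded extract stopped after %d bytes: %v\n", n, err)

	// Same blob, but the manifest disagrees with it: rejected before inflating.
	desc.Size++
	_, err = ExtractLayer(io.Discard, bomb, desc, 1<<20)
	fmt.Println("tampered descriptor:", err)
}
```

The limit should come from the manifest as well (the descriptor's uncompressed size when the image format supplies one) or from a daemon-wide policy; the point is that an untrusted registry never gets to decide how much the daemon writes to disk.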
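The test above confirms the updated docker runs, but not that the procfs masking the advisory describes is actually applied to containers. The following Go program is an added check, not part of this bug and not Docker's code. It reads `docker inspect` output, which reports `HostConfig.MaskedPaths` from API 1.38 onward (the API version shown in the `docker version` output above), and reports whether `/proc/scsi/scsi` (the write target in CVE-2017-16539) and `/proc/acpi` (the path the moby pull request linked earlier in this bug adds to the mask list for CVE-2018-10892) are hidden from each container. The type names, `RequiredMasks`, and the two-container sample document are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// inspectEntry holds the one field of `docker inspect` output needed here
// (example type; the real document has many more fields).
type inspectEntry struct {
	Id         string
	HostConfig struct {
		MaskedPaths []string
	}
}

// RequiredMasks are the procfs paths that must be hidden: /proc/scsi/scsi is
// the "scsi remove-single-device" target (CVE-2017-16539) and /proc/acpi is
// the path added to the default masks for CVE-2018-10892 (moby PR 37404).
var RequiredMasks = []string{"/proc/scsi/scsi", "/proc/acpi"}

// masked reports whether path is hidden by any entry of masks, either as an
// exact match or because an ancestor directory is masked (masking /proc/scsi
// also covers /proc/scsi/scsi).
func masked(path string, masks []string) bool {
	for _, m := range masks {
		m = strings.TrimRight(m, "/")
		if path == m || strings.HasPrefix(path, m+"/") {
			return true
		}
	}
	return false
}

// MissingMasks returns the required paths that masks leaves exposed.
// An empty or null mask list (as --privileged produces) exposes all of them.
func MissingMasks(masks, required []string) []string {
	var missing []string
	for _, p := range required {
		if !masked(p, masks) {
			missing = append(missing, p)
		}
	}
	return missing
}

// CheckInspect parses `docker inspect` JSON (an array with one entry per
// container) and returns the exposed required paths keyed by container ID.
func CheckInspect(data []byte) (map[string][]string, error) {
	var entries []inspectEntry
	if err := json.Unmarshal(data, &entries); err != nil {
		return nil, err
	}
	out := make(map[string][]string, len(entries))
	for _, e := range entries {
		out[e.Id] = MissingMasks(e.HostConfig.MaskedPaths, RequiredMasks)
	}
	return out, nil
}

// sampleInspect is a constructed, heavily trimmed inspect document: one
// container with a pre-fix style mask list and one with the two paths added.
const sampleInspect = `[
 {"Id": "old",   "HostConfig": {"MaskedPaths": ["/proc/kcore", "/proc/keys", "/sys/firmware"]}},
 {"Id": "fixed", "HostConfig": {"MaskedPaths": ["/proc/kcore", "/proc/keys", "/sys/firmware", "/proc/scsi", "/proc/acpi"]}}
]`

func main() {
	data := []byte(sampleInspect)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		// Usage against a live container: docker inspect zealous_pare | go run check.go -
		var err error
		if data, err = io.ReadAll(os.Stdin); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	result, err := CheckInspect(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	exposed := false
	for id, missing := range result {
		if len(missing) == 0 {
			fmt.Printf("%s: all required paths masked\n", id)
			continue
		}
		exposed = true
		fmt.Printf("%s: NOT masked: %s\n", id, strings.Join(missing, ", "))
	}
	if exposed {
		os.Exit(2)
	}
}
```

A mask entry in the inspect output only shows what the daemon asked runc for; the cheap end-to-end confirmation from inside a container is `ls /proc/scsi` and `ls /proc/acpi`, which should both come back empty (a read-only tmpfs is mounted over masked directories) on the updated packages.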
Len Lawrence
2018-10-18 20:53:42 CEST
Whiteboard: (none) => MGA6-64-OK

Validating. Suggested advisory in Comment 9.

Keywords: (none) => validated_update
Thomas Backlund
2018-10-19 18:35:01 CEST
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0398.html

Status: ASSIGNED => RESOLVED

This update also fixed CVE-2018-15664: https://usn.ubuntu.com/4048-1/