| Summary: | docker new security issues CVE-2022-29153 and CVE-2022-36109 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, bruno, davidwhodgins, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | docker-20.10.14-3.mga8.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 30835 | | |
| Bug Blocks: | | | |
Description
David Walser
2022-09-09 19:10:30 CEST
Comment 1
Also don't forget to look at Bug 30647.
Whiteboard: (none) => MGA8TOO

Comment 2
I recommend building the golang update first.
Depends on: (none) => 30835

Comment 3
Fedora has issued an advisory for this today (September 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/

Comment 4
Docker bugfix release 20.10.19 is out too, just FYI:
https://github.com/moby/moby/releases/tag/v20.10.19

Comment 5
David Walser
Docker 20.10.20 is out, with a mitigation for a Git CVE-2022-39253 (Bug 30985):
https://docs.docker.com/engine/release-notes/#201020

Comment 6
(In reply to David Walser from comment #5)
> Docker 20.10.20 is out, with a mitigation for a Git CVE-2022-39253 (Bug
> 30985):
> https://docs.docker.com/engine/release-notes/#201020

Fedora has issued an advisory for this on October 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VFYXCTLOSESYIP72BUYD6ECDIMUM4WMB/

Comment 7
Still working on the cli build part which isn't working as before :-(
Status: NEW => ASSIGNED

Comment 8
David Walser
Docker bugfix release 20.10.21 is out too, just FYI:
https://github.com/moby/moby/releases/tag/v20.10.21

Comment 9
(In reply to David Walser from comment #8)
> Docker bugfix release 20.10.21 is out too, just FYI:
> https://github.com/moby/moby/releases/tag/v20.10.21

and it also fixes a security issue:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/
Status comment: Fixed upstream in 20.10.18 => Fixed upstream in 20.10.21

Comment 10
It possibly fixes CVE-2022-3920 in a bundled component as well:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VDJY5ZBYRAJUCIDR2PJWIR4IKNJAX73B/

Comment 11
Bruno Cornec
docker 20.10.22 pushed to mga8 updates_testing.

Works for me with the new docker-containerd 1.6.14 on mga8.

Will work now that it builds on the other remaining docker related bugs. So may generate new updates again.
Status comment: Fixed upstream in 20.10.21 => (none)

Comment 12
Same version also pushed to cauldron
Version: Cauldron => 8

Comment 13
docker-fish-completion-20.10.22-1.mga8
docker-nano-20.10.22-1.mga8
docker-zsh-completion-20.10.22-1.mga8
docker-logrotate-20.10.22-1.mga8
docker-devel-20.10.22-1.mga8
docker-20.10.22-1.mga8

from docker-20.10.22-1.mga8.src.rpm

Comment 14
Used qarepo to download all packages in Comment 13, and installed all of them plus dependencies, 66 packages in all. Most of the dependencies were for the devel package. There were no installation issues.

Entirely out of my element here, so I'm trying to more or less follow Len's test from Bug 30205: Added my user to the docker group, started the docker service, and checked status, which looked OK to my untrained eye.

```
[tom@localhost ~]$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete
Digest: sha256:94ebc7edf3401f299cd3376a1669bc0a49aef92d6d2669005f9bc5ef028dc333
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.
[......]

[tom@localhost ~]$ docker run -it fedora:latest bash
Unable to find image 'fedora:latest' locally
latest: Pulling from library/fedora
cd974119263e: Pull complete
Digest: sha256:3487c98481d1bba7e769cf7bcecd6343c2d383fdd6bed34ec541b6b23ef07664
Status: Downloaded newer image for fedora:latest
[root@f54276031bea /]# dnf install zsh
Fedora 37 - x86_64                               5.3 MB/s |  64 MB     00:12
Fedora 37 openh264 (From Cisco) - x86_64         1.9 kB/s | 2.5 kB     00:01
Fedora Modular 37 - x86_64                       1.9 MB/s | 3.0 MB     00:01
Fedora 37 - x86_64 - Updates                     3.8 MB/s |  20 MB     00:05
Fedora Modular 37 - x86_64 - Updates             855 kB/s | 1.1 MB     00:01
Last metadata expiration check: 0:00:01 ago on Thu Jan 12 00:00:01 2023.
Dependencies resolved.
================================================================================
 Package        Architecture     Version            Repository       Size
================================================================================
Installing:
 zsh            x86_64           5.9-2.fc37         fedora           3.3 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 3.3 M
Installed size: 8.0 M
Is this ok [y/N]: y
Downloading Packages:
zsh-5.9-2.fc37.x86_64.rpm                        3.2 MB/s | 3.3 MB     00:01
--------------------------------------------------------------------------------
Total                                            1.2 MB/s | 3.3 MB     00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : zsh-5.9-2.fc37.x86_64                                  1/1
  Running scriptlet: zsh-5.9-2.fc37.x86_64                                  1/1
  Verifying        : zsh-5.9-2.fc37.x86_64                                  1/1

Installed:
  zsh-5.9-2.fc37.x86_64

Complete!
[....]
[root@f54276031bea /]# dnf install fish
Last metadata expiration check: 0:14:07 ago on Thu Jan 12 00:00:01 2023.
Dependencies resolved.
[....]
Installed:
  fish-3.5.1-1.fc37.x86_64                groff-base-1.22.4-10.fc37.x86_64
  less-590-5.fc37.x86_64                  libpipeline-1.5.6-2.fc37.x86_64
  libpkgconf-1.8.0-3.fc37.x86_64          man-db-2.10.2-2.fc37.x86_64
  man-pages-5.13-4.fc37.noarch            pcre2-utf32-10.40-1.fc37.1.x86_64
  pkgconf-1.8.0-3.fc37.x86_64             pkgconf-m4-1.8.0-3.fc37.noarch
  pkgconf-pkg-config-1.8.0-3.fc37.x86_64

Complete!
[root@f54276031bea /]# fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
root@f54276031bea /# ls -l lib64/libsmartcols.so.1.1.0
-rwxr-xr-x 1 root root 113208 Aug  4 14:12 lib64/libsmartcols.so.1.1.0*
root@f54276031bea /# exit
[tom@localhost ~]$ docker run -it --name cowsay --hostname cowsay debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
bbeef03cda1f: Pull complete
Digest: sha256:534da5794e770279c889daa891f46f5a530b0c5de8bfbc5e40394a0164d9fa87
Status: Downloaded newer image for debian:latest
[....]
root@cowsay:/# apt-get update
[....]
root@cowsay:/# apt-get install -y cowsay fortune
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'fortune-mod' instead of 'fortune'
The following additional packages will be installed:
[....]
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 _________________________________________
/ "What's this? Trix? Aunt! Trix? You?    \
| You're after the prize! What is it?" He |
| picked up the box and studied the back. |
| "A glow-in-the-dark squid! Have you got |
| it out of there yet?" He tilted the     |
| box, angling the little colored balls   |
| of cereal so as to see the bottom, and  |
| nearly spilling them onto the table     |
| top. "Here it is!" He hauled out a      |
| little cream-colored, glitter-sprinkled |
| squid, three-inches long and made out   |
| of rubbery plastic.                     |
|                                         |
\ -- James P. Blaylock, "The Last Coin"   /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
```

That all looks OK to me. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 15
(In reply to Bruno Cornec from comment #11)
> docker 20.10.22 pushed to mga8 updates_testing.
>
> Works for me with the new docker-containerd 1.6.14 on mga8.
>
> Will work now that it builds on the other remaining docker related bugs. So
> may generate new updates again.

Fedora advisory for 20.10.22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5QXXO3TDARAQVD6XOZMJMXGOUH63RFFO/

Regarding comment 2, should this update be including any of the golang packages currently in Mageia 8 core updates testing?

golang-github-mrunalp-fileutils-0.5.0-1.mga8.src.rpm
golang-x-crypto-0-0.31.1.mga8.src.rpm
golang-x-net-0-0.6.1.mga8.src.rpm
golang-x-term-0-1.mga8.src.rpm
Keywords: (none) => feedback
Comment 16
Dave Hodgins
2023-01-24 02:47:21 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2023-0009.html
Status: ASSIGNED => RESOLVED