Bug 24289 - docker new security issue CVE-2018-20699
Summary: docker new security issue CVE-2018-20699
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on: 24253
Blocks:
Reported: 2019-02-01 22:16 CET by David Walser
Modified: 2019-02-13 12:10 CET (History)

See Also:
Source RPM: docker-18.06.1-1.mga6.src.rpm
CVE:
Status comment:


Attachments
Basic introduction to docker commands (7.35 KB, text/plain)
2019-02-06 17:38 CET, Len Lawrence

David Walser 2019-02-01 22:17:07 CET

Depends on: (none) => 24253

Comment 1 Bruno Cornec 2019-02-04 19:09:05 CET
Do you want me to backport 18.09? That would require some other packages as well (runc, and probably some dependencies, maybe including go IIRC).

I have all these updates made for my own mga6 distro I run, so it is feasible pretty easily, but I am asking to see whether I should spend the time on it or whether an individual fix would be sufficient, such as the one described here: https://github.com/docker/engine/pull/69

Let me know and will work on one or the other.

Status: NEW => ASSIGNED

Comment 2 David Walser 2019-02-04 19:47:49 CET
Whatever is easier for you would be fine.
Comment 3 Bruno Cornec 2019-02-05 01:30:17 CET
Ok, so lazy as I am, I just applied the patch, rebuilt, and pushed docker-18.06.1-1.2.mga6 to updates_testing.

Assignee: bruno => qa-bugs

Comment 4 David Walser 2019-02-05 17:11:49 CET
Advisory:
========================

Updated docker packages fix security vulnerability:

Docker Engine before 18.09 allows attackers to cause a denial of service
(dockerd memory consumption) via a large integer in a --cpuset-mems or
--cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go,
and pkg/sysinfo/sysinfo.go (CVE-2018-20699).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20699
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LYP4H4PVCY43Z7LGZZQJ24SVGS54BVKQ/
========================

Updated packages in core/updates_testing:
========================
docker-18.06.1-1.2.mga6
docker-devel-18.06.1-1.2.mga6
docker-fish-completion-18.06.1-1.2.mga6
docker-logrotate-18.06.1-1.2.mga6
docker-unit-test-18.06.1-1.2.mga6
docker-vim-18.06.1-1.2.mga6
docker-zsh-completion-18.06.1-1.2.mga6
docker-nano-18.06.1-1.2.mga6

from docker-18.06.1-1.2.mga6.src.rpm
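The advisory above names the defect only by its symptom and source files. The root cause is that the cpuset string is expanded into a set of integer indexes before anyone checks the values against the host, so a range such as 0-99999999999 makes dockerd allocate billions of map entries. The following is an added illustration written for this page, not code from the Mageia package or from docker/engine; it models the shape of the parser in pkg/parsers/parsers.go and of the bounded variant introduced by the upstream fix. The function names, the ErrListTooLarge sentinel and the use of runtime.NumCPU() as the bound are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"runtime"
	"strconv"
	"strings"
)

// ErrListTooLarge is returned when a cpuset expression names an index above
// the permitted maximum. (Hypothetical name, chosen for this example.)
var ErrListTooLarge = errors.New("cpuset value exceeds maximum")

// ParseUintListUnbounded models the vulnerable shape: "0-3,7" is expanded
// eagerly into a map, so "0-99999999999" tries to allocate tens of gigabytes
// before any comparison with the host's CPU count can happen
// (CVE-2018-20699). Never call it with untrusted input.
func ParseUintListUnbounded(val string) (map[int]bool, error) {
	return parseUintList(val, -1)
}

// ParseUintListMaximum is the hardened form: every index, including the upper
// bound of a range, must be <= maximum before any expansion is performed.
func ParseUintListMaximum(val string, maximum int) (map[int]bool, error) {
	if maximum < 0 {
		return nil, errors.New("maximum must be non-negative")
	}
	return parseUintList(val, maximum)
}

// parseUintList accepts comma-separated integers and inclusive ranges
// ("0-3,7"). A negative maximum disables the bound check.
func parseUintList(val string, maximum int) (map[int]bool, error) {
	result := make(map[int]bool)
	if val == "" {
		return result, nil
	}
	for _, elem := range strings.Split(val, ",") {
		if !strings.Contains(elem, "-") {
			v, err := strconv.Atoi(elem)
			if err != nil || v < 0 {
				return nil, fmt.Errorf("invalid cpuset element %q", elem)
			}
			if maximum >= 0 && v > maximum {
				return nil, fmt.Errorf("%w: %d > %d", ErrListTooLarge, v, maximum)
			}
			result[v] = true
			continue
		}
		bounds := strings.SplitN(elem, "-", 2)
		lo, err1 := strconv.Atoi(bounds[0])
		hi, err2 := strconv.Atoi(bounds[1])
		if err1 != nil || err2 != nil || lo < 0 || hi < lo {
			return nil, fmt.Errorf("invalid cpuset range %q", elem)
		}
		// The check belongs here, on the parsed bound, not after the loop:
		// once the loop runs, the memory has already been spent.
		if maximum >= 0 && hi > maximum {
			return nil, fmt.Errorf("%w: %d > %d", ErrListTooLarge, hi, maximum)
		}
		for i := lo; i <= hi; i++ {
			result[i] = true
		}
	}
	return result, nil
}

func main() {
	// Bound the list by the CPUs this process can see (assumption: the daemon
	// would use the cpuset reported by sysinfo instead).
	maxCPU := runtime.NumCPU() - 1
	for _, in := range []string{"0", "0-1", "0-99999999999"} {
		set, err := ParseUintListMaximum(in, maxCPU)
		if err != nil {
			fmt.Printf("%-16s rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-16s accepted: %d cpu(s)\n", in, len(set))
	}
}
```

The point of the split is ordering: validating the parsed bound against the host's cpuset is cheap, expanding an attacker-chosen range is not, so the bound must be checked before the expansion loop rather than on the resulting set.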
David Walser 2019-02-05 17:15:30 CET

CC: (none) => bruno

Comment 5 Len Lawrence 2019-02-06 11:25:41 CET
mga6, x86_64
Checked CVE-2018-20699 to see if the vulnerability could be triggered easily.  There is no example of how to use the command-line parameters, so I have skipped that part and updated the packages.  docker was already installed for a previous QA test, as was an image of the debian OS.

User is a member of the docker group.
Running through a tutorial currently.  So far everything has worked fine, including linking two docker images.

Report later.

CC: (none) => tarazed25

Comment 6 Len Lawrence 2019-02-06 17:38:58 CET
Created attachment 10737 [details]
Basic introduction to docker commands

The report is just a list of docker commands which have been tried.
Comment 7 Len Lawrence 2019-02-06 17:55:44 CET
Reached page 43 of the docker manual.  The help system lists the available commands, for which further help is often available.  The attached report covers my attempt to familiarize myself with the docker command set, run as a terminal session.  As far as it goes it shows that docker is working as expected.

Note that since the documentation used is an e-book it is probably advisable not to expose the contents any further.  If anybody needs it you would find it easily enough online, or else email me for the name and publisher.

Whiteboard: (none) => MGA6-64-OK

Comment 8 Bruno Cornec 2019-02-06 18:45:23 CET
Maybe another time, that Lab I made could be used: https://github.com/bcornec/Labs/tree/master/Docker
Comment 9 Len Lawrence 2019-02-06 22:28:07 CET
Yes, even better.  We should bookmark that.  Thanks Bruno.
Comment 10 Len Lawrence 2019-02-06 23:00:48 CET
General comment for future testers and adopters.  Have just installed Bruno's Lab and would recommend its use as it follows similar lines as the ebook I was using, at least at the start.
Len Lawrence 2019-02-09 00:34:03 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2019-02-13 03:25:34 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 11 Mageia Robot 2019-02-13 12:10:49 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0076.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

