Bug 25374 - docker new security issue CVE-2019-1020014
Summary: docker new security issue CVE-2019-1020014
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6TOO MGA6-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-08-28 22:38 CEST by David Walser
Modified: 2019-11-26 20:24 CET
CC: 7 users

See Also:
Source RPM: docker-18.09.3-2.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-08-28 22:38:08 CEST
Ubuntu has issued an advisory on August 19:
https://usn.ubuntu.com/4103-2/

Mageia 6 and Mageia 7 may also be affected.
David Walser 2019-08-28 22:38:15 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Bruno Cornec 2019-09-04 13:21:03 CEST
docker-ce-18.09.8 fixes the issue (looking at the code in components/cli/vendor/github.com/docker/docker-credential-helpers/secretservice/secretservice_linux.go) and has been uploaded into updates_testing for Mageia 7

Status: NEW => ASSIGNED
CC: (none) => bruno

Comment 2 David Walser 2019-09-04 16:11:41 CEST
Uploaded packages:
docker-18.09.3-2.mga7
docker-devel-18.09.3-2.mga7
docker-fish-completion-18.09.3-2.mga7
docker-logrotate-18.09.3-2.mga7
docker-unit-test-18.09.3-2.mga7
docker-vim-18.09.3-2.mga7
docker-zsh-completion-18.09.3-2.mga7
docker-nano-18.09.3-2.mga7


Is Mageia 6 affected?

Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO => MGA6TOO

Comment 3 Bruno Cornec 2019-09-04 16:14:02 CEST
docker 18.06.3-1.2 in updates_testing should fix the CVE with an applied patch derived from upstream.
Comment 4 Bruno Cornec 2019-09-04 16:15:28 CEST
(In reply to Bruno Cornec from comment #3)
> docker 18.06.3-1.2 in updates_testing should fix the CVE with an applied
> patch derived from upstream.

For Mageia 6!

For Mageia 7 the version is 18.09.8
Now working on cauldron...
Comment 5 Bruno Cornec 2019-09-04 16:49:21 CEST
Cauldron is now updated with docker 19.03.2

Assignee: bruno.cornec => qa-bugs

Comment 6 David Walser 2019-09-04 17:34:48 CEST
(In reply to Bruno Cornec from comment #4)
> For Mageia 7 the version is 18.09.8

No it isn't.  Did you forget to commit something?

CC: (none) => bruno.cornec, qa-bugs
Assignee: qa-bugs => bruno.cornec

Comment 7 David Walser 2019-09-04 17:36:52 CEST
Uploaded for Mageia 6:
docker-18.06.3-1.2.mga6
docker-devel-18.06.3-1.2.mga6
docker-fish-completion-18.06.3-1.2.mga6
docker-logrotate-18.06.3-1.2.mga6
docker-unit-test-18.06.3-1.2.mga6
docker-vim-18.06.3-1.2.mga6
docker-zsh-completion-18.06.3-1.2.mga6
docker-nano-18.06.3-1.2.mga6


What about the python-docker and docker-compose that you built?  Are they supposed to be part of this update (what are they for?) or are you filing another bug for them?
Comment 8 Bruno Cornec 2019-09-04 17:48:47 CEST
The 2 other packages are linked to https://bugs.mageia.org/show_bug.cgi?id=24652 not to this one.

(In reply to David Walser from comment #6)
> (In reply to Bruno Cornec from comment #4)
> > For Mageia 7 the version is 18.09.8
> 
> No it isn't.  Did you forget to commit something?

Yep :-( Now submitted with the correct version.
Comment 9 David Walser 2019-09-04 18:46:38 CEST
Advisory for the CVE.  I don't know if you have anything to add for python-docker and docker-compose...

Advisory:
========================

Updated docker packages fix security vulnerability:

Jasiel Spelman discovered that a double free existed in the
docker-credential-helpers bundled in Docker. A local attacker could use this to
cause a denial of service (crash) or possibly execute arbitrary code
(CVE-2019-1020014).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1020014
https://usn.ubuntu.com/4103-2/
========================

Updated packages in core/updates_testing:
========================
docker-18.06.3-1.2.mga6
docker-devel-18.06.3-1.2.mga6
docker-fish-completion-18.06.3-1.2.mga6
docker-logrotate-18.06.3-1.2.mga6
docker-unit-test-18.06.3-1.2.mga6
docker-vim-18.06.3-1.2.mga6
docker-zsh-completion-18.06.3-1.2.mga6
docker-nano-18.06.3-1.2.mga6
docker-18.09.8-1.mga7
docker-devel-18.09.8-1.mga7
docker-fish-completion-18.09.8-1.mga7
docker-logrotate-18.09.8-1.mga7
docker-unit-test-18.09.8-1.mga7
docker-vim-18.09.8-1.mga7
docker-zsh-completion-18.09.8-1.mga7
docker-nano-18.09.8-1.mga7

from SRPMS:
docker-18.06.3-1.2.mga6.src.rpm
docker-18.09.8-1.mga7.src.rpm
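The advisory above names the first fixed docker version-release for each Mageia release (18.06.3-1.2 on Mageia 6, 18.09.8-1 on Mageia 7). The script below is an added example, not part of this bug report or of the Mageia packages, that turns those two strings into a check a sysadmin can run against the output of `rpm -q docker` on a box. It assumes a plain numeric, field-by-field comparison of the version-release part is good enough for these package strings (it is not a full implementation of rpm's own ordering rules, which also handle letters and epochs), and the sample package names fed to it at the end are constructed from the names in this bug, not read from a real system.

```sh
#!/bin/sh
# Added example (not from the bug or the Mageia packages): decide whether an
# installed Mageia docker package carries the fix for CVE-2019-1020014, using
# the fixed version-releases listed in the advisory. Assumption: a numeric
# field-by-field compare is adequate for these strings; it is not rpmvercmp.

# First fixed version-release for each Mageia release, from the advisory.
fixed_docker_vr() {
    case "$1" in
        mga6) echo "18.06.3-1.2" ;;
        mga7) echo "18.09.8-1" ;;
        *)    return 1 ;;
    esac
}

# vercmp A B: prints -1, 0 or 1 comparing version-release strings such as
# "18.09.3-2" and "18.09.8-1". Fields are split on '.' and '-' and compared
# numerically; missing trailing fields count as 0 (so "1" equals "1.0").
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# docker_fix_status NVR: NVR is "docker-<version>-<release>.<dist>" as printed
# by "rpm -q docker" (e.g. docker-18.09.3-2.mga7). Prints "fixed",
# "vulnerable", or "unknown" when the dist tag has no entry in the advisory.
docker_fix_status() {
    nvr=$1
    dist=${nvr##*.}              # mga6, mga7, ...
    vr=${nvr#docker-}            # drop the package name
    vr=${vr%.$dist}              # drop the dist tag
    fixed=$(fixed_docker_vr "$dist") || { echo unknown; return 0; }
    if [ "$(vercmp "$vr" "$fixed")" -ge 0 ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample inputs (the pre-update and updated names from this bug,
# plus a release the advisory does not cover). On a real system run:
#   docker_fix_status "$(rpm -q docker)"
for nvr in docker-18.09.3-2.mga7 docker-18.09.8-1.mga7 \
           docker-18.06.3-1.1.mga6 docker-18.06.3-1.2.mga6 \
           docker-19.03.2-1.mga8; do
    printf '%s: %s\n' "$nvr" "$(docker_fix_status "$nvr")"
done
```

A package-version check only tells you the installed build carries the patch; it says nothing about hosts that pull docker from another repository or run a vendor static binary, which need their own check against the upstream fixed release.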
Comment 10 David Walser 2019-09-04 20:15:55 CEST
Ahh, I see the other packages are in Bug 24652.

Assigning to QA.  Advisory and package list in Comment 9.

Assignee: bruno.cornec => qa-bugs

Comment 11 Len Lawrence 2019-09-09 11:51:41 CEST
mga6, x86_64

Clean update.
Ran some basic tests, referring to an earlier bug report.
The most thorough test would be to run Bruno's Labs which is a bit beyond this tester's
sketchy acquaintance with container technology.  However Bruno provided a helpful recipe
in comment 13, https://bugs.mageia.org/show_bug.cgi?id=24374 which I shall return to later.

Started docker dæmon.
Granted user privileges to lcl.
$ sudo usermod -aG docker lcl
$ id lcl
uid=1000(lcl) gid=1000(lcl)
groups=955(docker),954(vboxusers),946(qarepo),940(wireshark),1000(lcl)

Logged out and in and restarted docker.

$ docker version
Client:
 Version:           18.06.0-dev
 API version:       1.38
 Go version:        go1.11.5
[...]
Server:
 Engine:
  Version:          18.06.3-ce
  API version:      1.38 (minimum version 1.12)

Current go version:
$ go version
go version go1.11.13 linux/amd64

$ docker run debian echo "Hello World"
Hello World

That worked smoothly because the debian:latest image was already in the system.

$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# echo "Message from shell Debby in container debian"
Message from shell Debby in container debian
root@Debby:/# exit
exit

$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# mv /bin /basket
root@Debby:/# ls
bash: ls: command not found
root@Debby:/# 

From another terminal:
$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
9f677465bf18        debian              "/bin/bash"         2 minutes ago       Up 2 minutes                            adoring_banach

$ docker inspect adoring_banach
[
    {
        "Id": "9f677465bf189f49374bcffdeb2ee1620054dbb3374dd6ae8ad594f07e9756a2",
        "Created": "2019-09-09T08:35:06.58767681Z",
        "Path": "/bin/bash",
        "Args": [],
        "State": {
            "Status": "running",
[...]

$ docker inspect adoring_banach | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "172.17.0.2",
                    "IPAddress": "172.17.0.2",

Could not get much further at this point even though I have a docker hub id and
password.  Login was successful.

OK, taking up the thread from point 5 of Bruno's recipe.
$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS                         PORTS               NAMES
9f677465bf18        debian              "/bin/bash"            40 minutes ago      Up 40 minutes                                      adoring_banach
37f86a9f1695        debian              "/bin/bash"            43 minutes ago      Exited (0) 41 minutes ago                          dreamy_varahamihira
3a0bab492449        debian              "/bin/bash"            About an hour ago   Exited (0) 44 minutes ago                          eloquent_curran
b42d4cb60b29        debian              "echo 'Hello World'"   About an hour ago   Exited (0) About an hour ago                       agitated_leakey
6df72c73c123        debian              "bash"                 5 months ago        Exited (255) 4 months ago                          cowsay
c70d49401bea        fedora:latest       "/bin/bash"            5 months ago        Exited (0) 5 months ago                            upbeat_chatterjee
23a1a062bdde        fedora:latest       "/bin/bash"            5 months ago        Exited (255) 4 months ago                          pedantic_sammet
64740c6ad06b        hello-world         "/hello"               5 months ago        Exited (0) 5 months ago                            gracious_keldysh

Removed most of those with the command:
$ docker rm <CONTAINER ID>
$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
 1. The Docker client contacted the Docker daemon.
[...]
For more examples and ideas, visit:
 https://docs.docker.com/get-started/

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
debian              latest              2d337f242f07        5 months ago        101MB
mageia              6                   87bf589833e3        5 months ago        317MB
fedora              latest              d09302f77cfc        6 months ago        275MB
hello-world         latest              fce289e99eb9        8 months ago        1.84kB

$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
5a915a173fbc: Pull complete 
Digest: sha256:d8d53450cae00985f9dad54a3520944c59e64aa8f01d3be61988404e11c15973
Status: Downloaded newer image for fedora:latest

$ docker ps -a | grep fedora
$
$ docker run -ti fedora:latest /bin/bash
[root@a571c1f28d2f /]# dnf install tcsh
Fedora Modular 30 - x86_64                      1.9 MB/s | 1.9 MB     00:01    
Fedora Modular 30 - x86_64 - Updates            2.0 MB/s | 2.9 MB     00:01    
Fedora 30 - x86_64 - Updates                    2.5 MB/s |  23 MB     00:09    
Fedora 30 - x86_64                              5.6 MB/s |  61 MB     00:10    
Dependencies resolved.
================================================================================
 Package       Architecture    Version                    Repository       Size
================================================================================
Installing:
 tcsh          x86_64          6.20.00-12.fc30            fedora          421 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 421 k
Installed size: 1.3 M
Is this ok [y/N]: y
Downloading Packages:
tcsh-6.20.00-12.fc30.x86_64.rpm                 1.4 MB/s | 421 kB     00:00    
--------------------------------------------------------------------------------
Total                                           861 kB/s | 421 kB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : tcsh-6.20.00-12.fc30.x86_64                            1/1 
  Running scriptlet: tcsh-6.20.00-12.fc30.x86_64                            1/1 
  Verifying        : tcsh-6.20.00-12.fc30.x86_64                            1/1 

Installed:
  tcsh-6.20.00-12.fc30.x86_64                                                   

Complete!
[root@a571c1f28d2f /]# exit
exit
$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS                         PORTS               NAMES
a571c1f28d2f        fedora:latest       "/bin/bash"            4 minutes ago       Exited (0) 38 seconds ago                          naughty_bhabha
2bd09b571a70        hello-world         "/hello"               13 minutes ago      Exited (0) 13 minutes ago                          gifted_carson

That all looks OK.
Thanks again Bruno for earlier help.

CC: (none) => tarazed25

Comment 12 Len Lawrence 2019-09-09 13:09:38 CEST
mga7, x86_64

Before update:
$ rpm -qa | grep docker
docker-18.09.3-2.mga7
docker-logrotate-18.09.3-2.mga7
docker-zsh-completion-18.09.3-2.mga7
docker-unit-test-18.09.3-2.mga7
docker-containerd-1.2.5-2.mga7
docker-vim-18.09.3-2.mga7
docker-nano-18.09.3-2.mga7
docker-fish-completion-18.09.3-2.mga7
docker-devel-18.09.3-2.mga7 
$ id lcl
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl)
$ sudo usermod -aG docker lcl

Logged out and in.
Comment 13 Len Lawrence 2019-09-09 13:32:18 CEST
Continuing from comment 12:

Clean update of all eight packages.
Started docker running.

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
$ 

$ docker version
Client:
 Version:           18.09.0-dev
.....
Server:
 Engine:
  Version:          18.09.8

$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete 
Digest: sha256:451ce787d12369c5df2a32c85e5a03d52cbcef6eb3586dd03075f3034f10adcd
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
hello-world         latest              fce289e99eb9        8 months ago        1.84kB
$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                     PORTS               NAMES
ea64d7925056        hello-world         "/hello"            3 minutes ago       Exited (0) 3 minutes ago                       elated_matsumoto

$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
5a915a173fbc: Pull complete 
Digest: sha256:d8d53450cae00985f9dad54a3520944c59e64aa8f01d3be61988404e11c15973
Status: Downloaded newer image for fedora:latest
$ docker run -ti fedora:latest /bin/bash
[root@abfb669f150e /]# dnf install tcsh
Fedora Modular 30 - x86_64                      1.0 MB/s | 1.9 MB     00:01    
Fedora Modular 30 - x86_64 - Updates            2.4 MB/s | 2.9 MB     00:01    
[...]
Installed:
  tcsh-6.20.00-12.fc30.x86_64                                                   
Complete!

That all worked fine again.

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                       PORTS               NAMES
abfb669f150e        fedora:latest       "/bin/bash"         4 minutes ago       Exited (127) 5 seconds ago                       epic_hoover
ea64d7925056        hello-world         "/hello"            9 minutes ago       Exited (0) 9 minutes ago                         elated_matsumoto

Whiteboard: MGA6TOO => MGA6TOO MGA6-64-OK MGA7-64-OK

Comment 14 Thomas Andrews 2019-09-09 14:53:50 CEST
Validating. Advisory in Comment 9.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-09-12 18:58:56 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 15 Mageia Robot 2019-09-12 21:11:35 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0269.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 16 David Walser 2019-11-26 20:24:26 CET
This also fixed CVE-2019-13509:
https://lists.opensuse.org/opensuse-updates/2019-08/msg00203.html
