openSUSE has issued an advisory on October 31:
https://lists.opensuse.org/opensuse-updates/2019-10/msg00185.html

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Fedora has issued an advisory for this on October 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DGK6IV5JGVDXHOXEKJOJWKOVNZLT6MYR/
rc9 pushed to cauldron
Status: NEW => ASSIGNED
Same version also pushed to mga7 updates_testing
Assignee: bruno => qa-bugs
Whiteboard: MGA7TOO => (none)
Component: RPM Packages => Security
CC: (none) => bruno
QA Contact: (none) => security
Version: Cauldron => 7
Advisory:
========================

Updated opencontainers-runc packages fix security vulnerability:

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory (CVE-2019-16884).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DGK6IV5JGVDXHOXEKJOJWKOVNZLT6MYR/
========================

Updated packages in core/updates_testing:
========================

opencontainers-runc-1.0.0-0.rc9.3.mga7

from opencontainers-runc-1.0.0-0.rc9.3.mga7.src.rpm
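For QA or image review, a defender-side check added here (not code from this bug report, from Mageia or from the runc project): a small Python lint that flags Dockerfile VOLUME targets or container mounts landing on /proc or beneath it, the pattern the advisory describes. The Dockerfile and docker inspect excerpts are constructed samples.

```python
import json
import posixpath
import shlex

# Constructed sample Dockerfile, shaped like the PoC quoted in this bug:
# a VOLUME on /proc means the container's /proc is no longer procfs.
SAMPLE_DOCKERFILE = """\
FROM busybox
ADD rootfs /
VOLUME /proc
VOLUME ["/data", "/proc/self/attr"]
VOLUME /var/lib/app
"""

# Constructed excerpt in the shape of `docker inspect <container>` output.
SAMPLE_INSPECT = json.dumps([{
    "Mounts": [
        {"Type": "bind", "Source": "/srv/app", "Destination": "/var/lib/app"},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/v/_data",
         "Destination": "/proc/self"},
    ],
}])


def under_proc(dest: str) -> bool:
    """True if a mount destination is /proc itself or anything beneath it."""
    norm = posixpath.normpath("/" + dest.strip().lstrip("/"))
    return norm == "/proc" or norm.startswith("/proc/")


def volume_targets(arg: str) -> list:
    """Paths named by a VOLUME argument (JSON-array or shell form)."""
    if arg.startswith("["):
        return [str(p) for p in json.loads(arg)]
    return shlex.split(arg)


def find_proc_volumes(dockerfile: str) -> list:
    """VOLUME targets that would shadow /proc or a directory under it."""
    hits = []
    for raw in dockerfile.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "VOLUME":
            hits.extend(t for t in volume_targets(parts[1]) if under_proc(t))
    return hits


def find_proc_mounts(inspect_json: str) -> list:
    """Mount destinations under /proc in `docker inspect` output."""
    return [m["Destination"] for c in json.loads(inspect_json)
            for m in c.get("Mounts", []) if under_proc(m.get("Destination", ""))]
```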
CVE-2019-16884
https://github.com/opencontainers/runc/issues/2128

Tried to reproduce the issue but started to run out of / space when building the test image.

$ mkdir -p rootfs/proc/self/{attr,fd}
$ touch rootfs/proc/self/{status,attr/exec}
$ touch rootfs/proc/self/fd/{4,5}

Created Dockerfile:
------------
FROM busybox
ADD rootfs /
VOLUME /proc
------------

# docker build -t apparmor-bypass .

That seemed to run away, past 8 GB, where it was killed.

The following command could not be issued because the image was not available.
# docker run --rm -it --security-opt "apparmor=docker-default"

Upstream comment is "container runs unconfined".

So the PoC cannot be tested. QA tests later.
CC: (none) => tarazed25
Continuing from comment 5:
User was forced to run as root because the user .cache contained files with root permission only. After fixing those issues and adding executable permission to directories containing GNOME certificates the command ran as user but hit another problem.

$ docker build -t apparmor-bypass .
ERRO[0001] failed to dial gRPC: cannot connect to the Docker daemon. Is 'docker daemon' running on this host?: dial unix /var/run/docker.sock: connect: permission denied
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Post http://%2Fvar%2Frun%2Fdocker.sock/v1.39/build?buildargs=%7B%7D&cachefrom=%5B%5D&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=Dockerfile&labels=%7B%7D&memory=0&memswap=0&networkmode=default&rm=1&session=ekpawg8evdb7hi8lo19zg8msk&shmsize=0&t=apparmor-bypass&target=&ulimits=null&version=1: dial unix /var/run/docker.sock: connect: permission denied

docker is running. Is there a docker group? Shall add user to docker group if it exists.
$ grep docker /etc/group
docker:x:967:
Logged back in. Ran the command again and it started - sending build context to docker daemon 22GB and counting. / is full - help!
Killed it at 49GB. / back to 92% full.
Updated opencontainers-runc, restarted docker and tried the test build again. It ran away as before so we can forget the PoC test. Closing down for tonight.
Mageia7, x86_64

$ docker --version
Docker version 18.09.0-dev, build 774a1f4
$ rpm -qa | grep runc
opencontainers-runc-1.0.0-0.rc9.3.mga7

Assuming that testing docker itself is sufficient for testing opencontainers-runc.
Referring to Bruno's quick test in https://bugs.mageia.org/show_bug.cgi?id=24374.

Checked the current system for old files and found none:
$ docker ps -a
CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
$ docker images
REPOSITORY   TAG   IMAGE ID   CREATED   SIZE

$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
1b930d010525: Pull complete
Digest: sha256:9572f7cdcee8591948c2963463447a53466950b3fc15a247fcad1917ca215a2f
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

And of course the command can be repeated.

$ docker version
Client:
 Version:      18.09.0-dev
 API version:  1.39
 Go version:   go1.12.8
.....

Run another distribution in a bash shell in a container.
$ docker run -ti ubuntu /bin/bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
5c939e3a4d10: Pull complete
c63719cdbe7a: Pull complete
19a861ea6baf: Pull complete
651c9d2d6c4f: Pull complete
Digest: sha256:8d31dad0c58f552e890d68bbfb735588b6b820a46e459672d96e585871acc110
Status: Downloaded newer image for ubuntu:latest
root@09d1c34beb63:/# dmesg
.........
root@09d1c34beb63:/# exit
exit
$
$ docker images
REPOSITORY    TAG      IMAGE ID       CREATED         SIZE
ubuntu        latest   ccc6e87d482b   5 days ago      64.2MB
hello-world   latest   fce289e99eb9   12 months ago   1.84kB
$ docker ps -a
CONTAINER ID   IMAGE         COMMAND       CREATED          STATUS                          PORTS   NAMES
09d1c34beb63   ubuntu        "/bin/bash"   3 minutes ago    Exited (0) About a minute ago           determined_ardinghelli
c8691496018f   hello-world   "/hello"      11 minutes ago   Exited (0) 11 minutes ago               elated_rosalind
7555dc2a19f3   hello-world   "/hello"      14 minutes ago   Exited (0) 14 minutes ago               laughing_almeida

$ docker pull fedora:latest
latest: Pulling from library/fedora
d318c91bf2a8: Pull complete
Digest: sha256:d4f7df6b691d61af6cee7328f82f1d8afdef63bc38f58516858ae3045083924a
Status: Downloaded newer image for fedora:latest
$ docker run -ti fedora:latest /bin/bash
[root@0d298762bb84 /]# dnf install ruby ruby-devel
Fedora Modular 31 - x86_64   1.5 MB/s | 5.2 MB   00:03
......
Transaction Summary
Install  17 Packages

Total download size: 4.4 M
Installed size: 16 M
Is this ok [y/N]: y
Downloading Packages:
(1/17): ruby-libs-2.6.5-124.fc31.x86_64.rpm   2.0 MB/s | 3.0 MB   00:01
..............................
Complete!
[root@0d298762bb84 /]#

<sudo works in the container>
[root@0d298762bb84 /]# sudo gem install astro_moon
Fetching astro_moon-0.2.gem
Successfully installed astro_moon-0.2
Parsing documentation for astro_moon-0.2
Installing ri documentation for astro_moon-0.2
Done installing documentation for astro_moon after 0 seconds
1 gem installed
[root@0d298762bb84 /]# exit

$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS                     PORTS   NAMES
0d298762bb84   fedora:latest   "/bin/bash"   11 minutes ago   Exited (0) 3 minutes ago           ecstatic_montalcini
$ docker inspect ecstatic_montalcini
[
    {
        "Id": "0d298762bb84da8aa0b94c3d45581e5191afe8bf00b060eda9d7083ac17722cc",
        "Created": "2020-01-21T11:07:04.776967042Z",
        "Path": "/bin/bash",
.................

Restart:
$ docker run -ti fedora:latest /bin/bash
[root@d7a2d8943ce5 /]#
Starts with a clean sheet.
Repeated earlier commands. Noted that sudo is not needed.

In another terminal issued:
$ docker stop d7a2d8943ce5
d7a2d8943ce5
$ docker restart d7a2d8943ce5
d7a2d8943ce5

Forgotten how to re-enter the container. docker run produces a new instance.

$ docker run -it --name cowsay --hostname cowsay debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
8f0fdd3eaac0: Pull complete
Digest: sha256:f19be6b8095d6ea46f5345e2651eec4e5ee9e84fc83f3bc3b73587197853dc9e
Status: Downloaded newer image for debian:latest
root@cowsay:/# apt-get install -y cowsay fortune
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package cowsay
E: Unable to locate package fortune
root@cowsay:/# exit
exit

So, that no longer works or is no longer available.

$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED             STATUS                         PORTS   NAMES
a0380d9d7f68   debian          "bash"        4 minutes ago       Exited (100) 2 minutes ago             cowsay
fcf3d54941fe   fedora:latest   "/bin/bash"   8 minutes ago       Exited (127) 5 minutes ago             flamboyant_golick
d7a2d8943ce5   fedora:latest   "/bin/bash"   39 minutes ago      Up 15 minutes                          vigilant_kilby
0d298762bb84   fedora:latest   "/bin/bash"   About an hour ago   Exited (0) About an hour ago           ecstatic_montalcini
09d1c34beb63   ubuntu          "/bin/bash"   About an hour ago   Exited (0) About an hour ago           determined_ardinghelli
c8691496018f   hello-world     "/hello"      About an hour ago   Exited (0) About an hour ago           elated_rosalind
7555dc2a19f3   hello-world     "/hello"      About an hour ago   Exited (0) About an hour ago           laughing_almeida

Used 'docker rm <container-id>' to remove stopped containers.
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED             STATUS             PORTS   NAMES
d7a2d8943ce5   fedora:latest   "/bin/bash"   About an hour ago   Up About an hour           vigilant_kilby

The basics seem to work OK.
Whiteboard: (none) => MGA7-64-OK
(In reply to Len Lawrence from comment #9)
> $ docker run -it --name cowsay --hostname cowsay debian bash
> Unable to find image 'debian:latest' locally
> latest: Pulling from library/debian
> 8f0fdd3eaac0: Pull complete
> Digest:
> sha256:f19be6b8095d6ea46f5345e2651eec4e5ee9e84fc83f3bc3b73587197853dc9e
> Status: Downloaded newer image for debian:latest
> root@cowsay:/# apt-get install -y cowsay fortune
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> E: Unable to locate package cowsay
> E: Unable to locate package fortune
> root@cowsay:/# exit
> exit
>
> So, that no longer works or is no longer available.

You need to run apt-get update first so the package DB is downloaded; after that you can run apt-get install.
Just FTR.

Thanks for the tests Len.

Bruno.
And thanks for the heads-up Bruno. I shall try that privately.
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0050.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED