Bug 26815 - docker new security issue CVE-2020-13401
Summary: docker new security issue CVE-2020-13401
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-06-18 22:09 CEST by David Walser
Modified: 2020-07-05 17:55 CEST (History)
4 users (show)

See Also:
Source RPM: docker-18.09.9-1.mga7.src.rpm
Status comment:


Description David Walser 2020-06-18 22:09:38 CEST
SUSE has issued an advisory today (June 18):

The issue is fixed upstream in 19.03.11.

RedHat has a link to the commit that fixed the issue:
Comment 1 Nicolas Lécureuil 2020-06-21 01:39:06 CEST
pushed in mga7 updates_testing:


Assignee: bruno => qa-bugs
CC: (none) => mageia

Comment 2 David Walser 2020-06-21 04:08:25 CEST

Updated docker packages fix security vulnerability:

A flaw was found in Docker when it creates network bridges that accept IPv6
router advertisements by default. This flaw allows an attacker who can execute
code in a container to possibly spoof rogue IPv6 router advertisements to
perform a man-in-the-middle (MitM) attack against the host network or another
container (CVE-2020-13401).


Updated packages in core/updates_testing:

from docker-18.09.9-1.1.mga7.src.rpm
Comment 3 Len Lawrence 2020-06-22 00:58:14 CEST
mageia7, x64

Updates installed OK.
Cannot make anything of the issue this bug deals with.
Utility test following earlier docker tests: bugs:https://bugs.mageia.org/show_bug.cgi?id=24374 and https://bugs.mageia.org/show_bug.cgi?id=25374.

Started docker dæmon.
$ sudo systemctl start docker
$ systemctl status docker
● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor pre>
   Active: active (running) since Sun 2020-06-21 23:04:38 BST; 17s ago
     Docs: http://docs.docker.com

$ sudo usermod -aG docker lcl
Logged out and in.
$ id
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),956(docker)
$ sudo systemctl restart docker
$ docker version
 Version:           18.09.0-dev
 API version:       1.39
 Go version:        go1.12.17
  Version:          18.09.9
  API version:      1.39 (minimum version 1.12)
$ go version
go version go1.12.17 linux/amd64

$ docker run debian echo "Hello World"
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
e9afc4f90ab0: Pull complete 
Digest: sha256:46d659005ca1151087efa997f1039ae45a7bf7a2cbbe2d17d3dcbda632a3ee9a
Status: Downloaded newer image for debian:latest
Hello World

$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# echo "Message from shell Debby in container debian"
Message from shell Debby in container debian
root@Debby:/# mv /bin /basket
root@Debby:/# ls
bash: ls: command not found
root@Debby:/# mv /basket /bin
bash: /bin/mv: No such file or directory
root@Debby:/# exit

$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# ls
bin   dev  home  lib64	mnt  proc  run	 srv  tmp  var
boot  etc  lib	 media	opt  root  sbin  sys  usr

From another terminal:
$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
6904a31f2761        debian              "/bin/bash"         About a minute ago   Up About a minute                       stoic_haslett
$ docker inspect stoic_haslett
        "Id": "6904a31f2761f4b3aa3af80e7a3b09ed3e95daa869738c82a06d32b4baba3a05",
        "Created": "2020-06-21T22:24:38.119481243Z",
        "Path": "/bin/bash",
<lots of information>

$ $ docker inspect stoic_haslett | egrep "MacAddress|IPAddress"
            "SecondaryIPAddresses": null,
            "IPAddress": "",
            "MacAddress": "02:42:ac:11:00:02",
                    "IPAddress": "",
                    "MacAddress": "02:42:ac:11:00:02",
$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS                        PORTS               NAMES
6904a31f2761        debian              "/bin/bash"            10 minutes ago      Up 10 minutes                                     stoic_haslett
9eba09a118f0        debian              "/bin/bash"            16 minutes ago      Exited (127) 13 minutes ago                       determined_wilson
2990742378f8        debian              "echo 'Hello World'"   17 minutes ago      Exited (0) 17 minutes ago                         priceless_banach

$ docker rm 9eba09a118f0
$ docker rm 2990742378f8
$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
6904a31f2761        debian              "/bin/bash"         12 minutes ago      Up 12 minutes                           stoic_haslett
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
0e03bdcc26d7: Pull complete 
Digest: sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
debian              latest              1b686a95ddbf        12 days ago         114MB
hello-world         latest              bf756fb1ae65        5 months ago        13.3kB

$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
4c69497db035: Pull complete 
Digest: sha256:ee55117b3058f2f12961184fae4b9c392586e400487626c6bd0d15b4eae94ecc
Status: Downloaded newer image for fedora:latest
$ docker ps -a | grep fedora
$ docker run -ti fedora:latest /bin/bash
[root@be99974599e8 /]# dnf install ruby
Fedora Modular 31 - x86_64                      1.6 MB/s | 5.2 MB     00:03    
Fedora Modular 31 - x86_64 - Updates            1.6 MB/s | 4.1 MB     00:02    
Fedora 31 - x86_64 - Updates                    4.1 MB/s |  26 MB     00:06    
Fedora 31 - x86_64                              4.1 MB/s |  71 MB     00:17    
Last metadata expiration check: 0:00:01 ago on Sun Jun 21 22:44:14 2020.
Dependencies resolved.
 Package                   Arch        Version               Repository    Size
 ruby                      x86_64      2.6.6-125.fc31        updates       40 k
Installing dependencies:
 ruby-libs                 x86_64      2.6.6-125.fc31        updates      3.0 M
 rubygem-irb               noarch      1.0.0-125.fc31        updates       62 k
 rubygem-json              x86_64      2.2.0-202.fc31        updates       57 k
 rubygem-psych             x86_64      3.1.0-125.fc31        updates       49 k
 rubypick                  noarch      1.1.1-11.fc31         fedora       9.8 k
Installing weak dependencies:
 rubygem-bigdecimal        x86_64      1.4.1-125.fc31        updates       55 k
 rubygem-did_you_mean      noarch      1.3.0-125.fc31        updates       35 k
 rubygem-io-console        x86_64      0.4.7-125.fc31        updates       20 k
 rubygem-openssl           x86_64      2.1.2-125.fc31        updates      151 k
 rubygem-rdoc              noarch      6.1.2-125.fc31        updates      406 k
 rubygems                  noarch      3.0.3-125.fc31        updates      245 k

Transaction Summary
Install  12 Packages

Total download size: 4.1 M
Installed size: 15 M
Is this ok [y/N]: y 
[root@be99974599e8 /]# irb
irb(main):001:0> 1.upto( 16 ).inject( :+ ) 
=> 136
irb(main):002:0> exit
# dnf install tcsh
Last metadata expiration check: 0:06:57 ago on Sun Jun 21 22:44:14 2020.
Dependencies resolved.
[root@be99974599e8 /]# exit
$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                        PORTS               NAMES
be99974599e8        fedora:latest       "/bin/bash"         10 minutes ago      Exited (127) 21 seconds ago                       elastic_spence
1191cd742ca9        fedora:latest       "/bin/fish"         11 minutes ago      Created                                           recursing_lamport
39b52a3e7714        hello-world         "/hello"            15 minutes ago      Exited (0) 15 minutes ago                         inspiring_chatterjee
6904a31f2761        debian              "/bin/bash"         29 minutes ago      Exited (0) 13 minutes ago                         stoic_haslett

Everything seems to work at this basic level.  Creating docker images is another chapter.

CC: (none) => tarazed25
Whiteboard: (none) => MGA7-64-OK

Comment 4 Len Lawrence 2020-06-22 01:32:39 CEST
Sorry - forgot the cowsay test.

$ docker run -it --name cowsay --hostname cowsay debian bash
root@cowsay:/# apt-get update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://deb.debian.org/debian buster InRelease [121 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main amd64 Packages [204 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7905 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7868 B]
Fetched 8355 kB in 3s (3087 kB/s)                    
Reading package lists... Done
root@cowsay:/# apt-get install -y cowsay fortune
Setting up cowsay (3.03+dfsg2-6) ...
Processing triggers for libc-bin (2.28-10) ...
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
< You will be divorced within a year. >
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Fortunately the up arrow works...
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
/ Kindness is a language which the deaf \
| can hear and the blind can read.      |
|                                       |
\ -- Mark Twain                         /
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@cowsay:/# exit
Comment 5 Thomas Andrews 2020-06-23 15:29:31 CEST
The cowsay test. I'll have to remember that one.

Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 David Walser 2020-06-23 23:58:04 CEST
openSUSE has issued an advisory for this today (June 23):
Nicolas Lécureuil 2020-07-05 13:14:45 CEST

Keywords: (none) => advisory

Comment 7 Mageia Robot 2020-07-05 17:55:01 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.