Bug 27437 - docker new security issue CVE-2020-15157
Summary: docker new security issue CVE-2020-15157
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-16 17:39 CEST by David Walser
Modified: 2020-11-09 15:49 CET (History)
5 users

See Also:
Source RPM: docker-19.03.11-2.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2020-10-16 17:39:14 CEST
Ubuntu has issued an advisory on October 15:
https://ubuntu.com/security/notices/USN-4589-2

More details are here:
https://www.openwall.com/lists/oss-security/2020/10/15/1

Mageia 7 is also affected.
David Walser 2020-10-16 17:39:21 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Bruno Cornec 2020-11-01 12:14:42 CET
docker-19.03.13-1.mga8 source rpm uploaded with corresponding build packages to fix this for cauldron.

Mageia7 in process.

Status: NEW => ASSIGNED

Comment 2 Bruno Cornec 2020-11-01 14:06:37 CET
docker-18.09.9-1.2.mga7 source rpm uploaded with corresponding build packages to fix this for Mageia7 in updates_testing.

Assignee: bruno => qa-bugs

Comment 3 David Walser 2020-11-01 16:58:04 CET
Advisory:
========================

Updated docker packages fix security vulnerability:

It was discovered that Docker could be made to expose sensitive information
when processing URLs in container image manifests. A remote attacker could use
this to trick the user and obtain the user's registry credentials
(CVE-2020-15157).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15157
https://www.openwall.com/lists/oss-security/2020/10/15/1
https://ubuntu.com/security/notices/USN-4589-2
========================

Updated packages in core/updates_testing:
========================
docker-18.09.9-1.2.mga7
docker-devel-18.09.9-1.2.mga7
docker-fish-completion-18.09.9-1.2.mga7
docker-logrotate-18.09.9-1.2.mga7
docker-unit-test-18.09.9-1.2.mga7
docker-vim-18.09.9-1.2.mga7
docker-zsh-completion-18.09.9-1.2.mga7
docker-nano-18.09.9-1.2.mga7

from docker-18.09.9-1.2.mga7.src.rpm

CC: (none) => bruno
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
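The manifest-URL issue the advisory describes is that a layer descriptor in an image manifest may carry a "urls" list pointing at hosts other than the registry, and a vulnerable client forwarded the registry's credentials to whatever host it fetched the layer from (the "ContainerDrip" report linked above). The following is an added defender-side check, not Mageia's or Docker's own code: it flags layer URLs whose host is not the registry and shows the credential-scoping rule a fixed client applies. The manifest and digests are constructed sample data.

```python
import json
from urllib.parse import urlsplit

# Constructed sample Docker image manifest (schema 2). The "urls" field on a
# layer descriptor tells the client to fetch that blob from the listed
# locations instead of the registry. The second layer points at a third-party
# host, which is the manifest shape CVE-2020-15157 abused to capture
# credentials that were meant for the registry.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1234, "digest": "sha256:" + "a" * 64},   # constructed
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 5678, "digest": "sha256:" + "b" * 64},        # constructed
        {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
         "size": 91011, "digest": "sha256:" + "c" * 64,        # constructed
         "urls": ["https://blobs.example.net/layer.tar.gz"]},   # constructed
    ],
})


def foreign_layer_urls(manifest_json, registry_host):
    """Return (digest, url) pairs for layer URLs that would be fetched from a
    host other than registry_host (or over a scheme other than https)."""
    manifest = json.loads(manifest_json)
    findings = []
    for layer in manifest.get("layers", []):
        for url in layer.get("urls", []):
            parts = urlsplit(url)
            if parts.scheme != "https" or parts.hostname != registry_host:
                findings.append((layer["digest"], url))
    return findings


def should_send_credentials(blob_url, registry_host):
    """Credential scoping: the Authorization header obtained for the registry
    is only ever sent back to that registry over https, never to a host named
    in a manifest's "urls" list."""
    parts = urlsplit(blob_url)
    return parts.scheme == "https" and parts.hostname == registry_host


if __name__ == "__main__":
    for digest, url in foreign_layer_urls(SAMPLE_MANIFEST, "registry-1.docker.io"):
        print(f"layer {digest[:19]}... is served from {url}; no credentials go there")
```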

Comment 4 Len Lawrence 2020-11-05 21:24:22 CET
Hope to get round to this soon.

CC: (none) => tarazed25

Comment 5 Len Lawrence 2020-11-07 01:49:54 CET
mga7, x86_64

Starting from 18.09.9.1-1 version
Updated all the packages.
$ rpm -qa | grep docker
docker-fish-completion-18.09.9-1.2.mga7
docker-vim-18.09.9-1.2.mga7
docker-devel-18.09.9-1.2.mga7
docker-18.09.9-1.2.mga7
docker-logrotate-18.09.9-1.2.mga7
docker-unit-test-18.09.9-1.2.mga7
docker-nano-18.09.9-1.2.mga7
docker-zsh-completion-18.09.9-1.2.mga7
docker-containerd-1.2.5-2.mga7

Followed procedure used in previous updates of docker based on notes from Bruno Cornec.
Added user to docker group.
Logged out and in.
$ sudo systemctl start docker
Status check OK.
$ id
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),951(docker),955(wireshark)
$ docker version
Client:
 Version:           18.09.0-dev
 API version:       1.39
 Go version:        go1.13.15
[...]

Server:
 Engine:
  Version:          18.09.9
....
$ docker run debian echo "Hello World"
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
e4c3d3e4f7b0: Pull complete 
Digest: sha256:8414aa82208bc4c2761dc149df67e25c6b8a9380e5d8c4e7b5c84ca2d04bb244
Status: Downloaded newer image for debian:latest
Hello World
$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# echo "Message from shell Debby in container debian"
Message from shell Debby in container debian
root@Debby:/# mv /bin /basket
root@Debby:/# date
bash: date: command not found
root@Debby:/# mv /basket /bin
bash: /bin/mv: No such file or directory
root@Debby:/# exit
exit
$ docker run -h Debby -i -t debian /bin/bash
root@Debby:/# ls
bin   dev  home  lib64	mnt  proc  run	 srv  tmp  var
boot  etc  lib	 media	opt  root  sbin  sys  usr
root@Debby:/# date
Sat Nov  7 00:11:26 UTC 2020

From another terminal:
$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
7903a29613ec        debian              "/bin/bash"         2 minutes ago       Up 2 minutes                            condescending_brown
[
    {
        "Id": "7903a29613ecfb9d6edfd6f9a386759eeb6fdecc962a105a05101e7210b7b1c7",
        "Created": "2020-11-07T00:10:58.508651438Z",
        "Path": "/bin/bash",
.....

Lots of information about the running instance.

Look at recent process history.
$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS                       PORTS               NAMES
7903a29613ec        debian              "/bin/bash"            6 minutes ago       Up 6 minutes                                     condescending_brown
d9924dd8a48a        debian              "/bin/bash"            8 minutes ago       Exited (127) 7 minutes ago                       tender_fermat
e49fa0abbb2f        debian              "echo 'Hello World'"   9 minutes ago       Exited (0) 9 minutes ago                         eloquent_vaughan

$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
0e03bdcc26d7: Pull complete 
Digest: sha256:8c5aeeb6a5f3ba4883347d3747a7249f491766ca1caa47e5da5dfcf6b9b717c0
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.
.................

$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
debian              latest              1510e8501783        3 weeks ago         114MB
hello-world         latest              bf756fb1ae65        10 months ago       13.3kB

$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
ee7e89337106: Pull complete 
Digest: sha256:b9ec86d36fca7b1d3de39cd7c258e8d90c377d312c21a7748071ce49069b8db4
Status: Downloaded newer image for fedora:latest
$ docker ps -a | grep fedora
$ docker run -ti fedora:latest /bin/bash
[root@60997345f921 /]# dnf install ruby
Fedora 33 openh264 (From Cisco) - x86_64        2.1 kB/s | 2.5 kB     00:01    
Fedora Modular 33 - x86_64                      2.2 MB/s | 3.3 MB     00:01    
Fedora Modular 33 - x86_64 - Updates            919 kB/s | 1.0 MB     00:01    
Fedora 33 - x86_64 - Updates                    1.8 MB/s |  11 MB     00:06    
Fedora 33 - x86_64                              8.7 MB/s |  72 MB     00:08    
Dependencies resolved.
================================================================================
 Package                  Architecture Version              Repository     Size
================================================================================
Installing:
 ruby                     x86_64       2.7.2-135.fc33       updates        41 k
Installing dependencies:
 ruby-libs                x86_64       2.7.2-135.fc33       updates       3.2 M
[...]
 rubygems                  noarch      3.0.3-125.fc31        updates      245 k

Transaction Summary
================================================================================
Install  12 Packages

Total download size: 4.1 M
Installed size: 15 M
Is this ok [y/N]: y 
[...]
Installed:
  ruby-2.7.2-135.fc33.x86_64                                                    
  ruby-default-gems-2.7.2-135.fc33.noarch                                       
  ruby-libs-2.7.2-135.fc33.x86_64                                               
[...]
Complete!
[root@60997345f921 /]# irb
irb(main):001:0> 1.upto( 16 ).inject( :+ )
=> 136
irb(main):002:0> exit
[root@60997345f921 /]# dnf install tcsh
Last metadata expiration check: 0:05:14 ago on Sat Nov  7 00:25:06 2020.
Dependencies resolved.
[...]
Complete!
[root@60997345f921 /]# exit

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS                        PORTS               NAMES
60997345f921        fedora:latest       "/bin/bash"            9 minutes ago       Exited (0) 21 seconds ago                         keen_euler
1f5c09fe35ff        hello-world         "/hello"               13 minutes ago      Exited (0) 13 minutes ago                         pedantic_johnson
7903a29613ec        debian              "/bin/bash"            22 minutes ago      Up 22 minutes                                     condescending_brown
d9924dd8a48a        debian              "/bin/bash"            24 minutes ago      Exited (127) 22 minutes ago                       tender_fermat
e49fa0abbb2f        debian              "echo 'Hello World'"   24 minutes ago      Exited (0) 24 minutes ago                         eloquent_vaughan

$ docker run -it --name cowsay --hostname cowsay debian bash
root@cowsay:/# apt-get update
[...]
Fetched 8397 kB in 2s (4717 kB/s)                    
Reading package lists... Done
root@cowsay:/# apt-get install -y cowsay fortune
[...]
Processing triggers for libc-bin (2.28-10) ...
root@cowsay:/#  /usr/games/fortune | /usr/games/cowsay
 ______________________________________
/ A tall, dark stranger will have more \
\ fun than you.                        /
 --------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 ______________________________________
/ You are a fluke of the universe; you \
\ have no right to be here.            /
 --------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

<Used up arrow to repeat the command.>

root@cowsay:/# exit

Passing this on the basis that the installation succeeded and the bash shell and basic commands all work as expected.

Whiteboard: (none) => MGA7-64-OK

Comment 6 Thomas Andrews 2020-11-07 22:33:24 CET
Validating. Advisory in Comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 7 Aurelien Oudelet 2020-11-09 11:45:55 CET
Advisory pushed to SVN.

CC: (none) => ouaurelien
Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-11-09 15:49:46 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0406.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
