Bug 30205 - docker new security issue CVE-2022-24769
Summary: docker new security issue CVE-2022-24769
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-24 14:35 CET by David Walser
Modified: 2022-03-28 18:24 CEST

See Also:
Source RPM: docker-20.10.9-3.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2022-03-24 14:35:18 CET
Docker 20.10.14 has been released today (March 24), fixing a security issue:
https://docs.docker.com/engine/release-notes/#201014

The issue is in the Moby engine:
https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq

Mageia 8 is also affected.

David Walser 2022-03-24 14:35:35 CET

Status comment: (none) => Fixed upstream in 20.10.14
Whiteboard: (none) => MGA8TOO

Comment 1 Bruno Cornec 2022-03-24 16:51:43 CET
Version 20.10.14 pushed to both cauldron and mga8

CC: (none) => bruno
Status: NEW => ASSIGNED
Assignee: bruno => qa-bugs

Thomas Backlund 2022-03-24 17:05:47 CET

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 2 David Walser 2022-03-24 23:48:33 CET
Please be careful to reset the release tag to 1 when upgrading versions.

docker-fish-completion-20.10.14-3.mga8
docker-zsh-completion-20.10.14-3.mga8
docker-nano-20.10.14-3.mga8
docker-logrotate-20.10.14-3.mga8
docker-20.10.14-3.mga8
docker-devel-20.10.14-3.mga8

from docker-20.10.14-3.mga8.src.rpm

Status comment: Fixed upstream in 20.10.14 => (none)

Comment 3 Len Lawrence 2022-03-25 15:29:10 CET
Mageia8, x86_64

docker has run OK on this machine on another partition so went ahead and installed the components then updated them via qarepo.  Added user to docker group and started the docker daemon, status good.

Ran some of the tests from Bruno's docker lab as in bug 29527.
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete 
Digest: sha256:bfea6278a0a267fad2634554f4f0c6f31981eea41c553fdf5a83e95a41d40c38
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.
$ docker run -it fedora:latest bash
[root@9bba83f62fb3 /]# dnf install zsh
[....]
Dependencies resolved.
Installing:
 zsh           x86_64           5.8.1-1.fc35            updates           2.9 M
[...]
Running transaction
  Preparing        :                                                        1/1 
  Installing       : zsh-5.8.1-1.fc35.x86_64                                1/1 
  Running scriptlet: zsh-5.8.1-1.fc35.x86_64                                1/1 
  Verifying        : zsh-5.8.1-1.fc35.x86_64                                1/1 
Installed:
  zsh-5.8.1-1.fc35.x86_64                                                       
[root@9bba83f62fb3 /]# zsh
[root@9bba83f62fb3]/# ls -l lib64/libz<Tab>.so.1<Return>
lrwxrwxrwx 1 root root 14 Jul 29  2021 lib64/libz.so.1 -> libz.so.1.2.11
[root@9bba83f62fb3]/# exit
[root@9bba83f62fb3 /]# dnf install fish
....................
[root@9bba83f62fb3 /]# fish
<The following was arrived at by tabbing from .....libsmart>
root@9bba83f62fb3 /# ls -l lib64/libsmartcols.so.1.1.0
root@9bba83f62fb3 /# exit
[root@9bba83f62fb3 /]# dnf install nano
............
[root@9bba83f62fb3 /]# nano
<Editor opened in the terminal.  Saved some text and exited.>
[root@9bba83f62fb3 /]# exit

Realized that there was no check for the output of the nano command.
Experimented a bit:
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND    CREATED          STATUS                      PORTS     NAMES
9bba83f62fb3   fedora:latest   "bash"     28 minutes ago   Exited (0) 3 minutes ago              confident_cohen
4976874bff92   fedora:latest   "zsh"      28 minutes ago   Created                               magical_ellis
fe0665997f34   fedora:latest   "zsh"      29 minutes ago   Created                               loving_hypatia
77a453253eef   hello-world     "/hello"   39 minutes ago   Exited (0) 39 minutes ago             pedantic_easley

Discovered that I did not know how to restart the last container run so could not check for persistence.  Another time maybe.

$ docker rm 4976874bff92 fe0665997f34
4976874bff92
fe0665997f34
$ docker inspect pedantic_easley
[
    {
        "Id": "77a453253eef2c80b4a3967b7a1b6a1fea3971bef0a17e8277a9d09387db0907",
        "Created": "2022-03-25T13:15:50.818603219Z",
        "Path": "/hello",
.....................

$ docker run -it --name cowsay --hostname cowsay debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
5492f66d2700: Pull complete 
Digest: sha256:b42494c466d101bf06038e959e2e5acd227e1251987e79528e7d8b1f4040deaf
Status: Downloaded newer image for debian:latest
root@cowsay:/# apt-get update
root@cowsay:/# apt-get install -y cowsay fortune
Reading package lists... Done
..............................
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 ________________________________________
/ Your lucky number is 3552664958674928. \
\ Watch for it everywhere.               /
 ----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

These entry level tests shall have to do.  OK for 64-bits.

CC: (none) => tarazed25
Whiteboard: (none) => MGA8-64-OK

Comment 4 Len Lawrence 2022-03-25 18:48:29 CET
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 ____________________________________
/ Q: Why did the germ cross the      \
| microscope? A: To get to the other |
\ slide.                             /
 ------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@cowsay:/#

Comment 5 Thomas Andrews 2022-03-26 19:14:55 CET
So, are those things on the top of her head supposed to be ears, or horns? Oh, well.

Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2022-03-28 16:06:31 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 6 Mageia Robot 2022-03-28 18:24:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0117.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

