Bug 30834 - docker new security issues CVE-2022-29153 and CVE-2022-36109
Summary: docker new security issues CVE-2022-29153 and CVE-2022-36109
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on: 30835
Blocks:
Reported: 2022-09-09 19:10 CEST by David Walser
Modified: 2023-01-24 09:00 CET

See Also:
Source RPM: docker-20.10.14-3.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2022-09-09 19:10:30 CEST
Docker 20.10.18 has been released today (September 9), fixing a security issue:
https://docs.docker.com/engine/release-notes/#201018
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4

Mageia 8 is also affected.
Comment 1 David Walser 2022-09-09 19:11:00 CEST
Also don't forget to look at Bug 30647.

Whiteboard: (none) => MGA8TOO
Assignee: bugsquad => bruno
Status comment: (none) => Fixed upstream in 20.10.18

Comment 2 David Walser 2022-09-09 19:13:37 CEST
I recommend building the golang update first.

Depends on: (none) => 30835

Comment 3 David Walser 2022-09-15 14:15:14 CEST
Fedora has issued an advisory for this today (September 15):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RQQ4E3JBXVR3VK5FIZVJ3QS2TAOOXXTQ/
Comment 4 David Walser 2022-10-14 20:03:11 CEST
Docker bugfix release 20.10.19 is out too, just FYI:
https://github.com/moby/moby/releases/tag/v20.10.19
Comment 5 David Walser 2022-10-19 16:22:11 CEST
Docker 20.10.20 is out, with a mitigation for the Git vulnerability CVE-2022-39253 (Bug 30985):
https://docs.docker.com/engine/release-notes/#201020
Comment 6 David Walser 2022-10-24 18:24:46 CEST
(In reply to David Walser from comment #5)
> Docker 20.10.20 is out, with a mitigation for the Git vulnerability
> CVE-2022-39253 (Bug 30985):
> https://docs.docker.com/engine/release-notes/#201020

Fedora has issued an advisory for this on October 22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VFYXCTLOSESYIP72BUYD6ECDIMUM4WMB/
Comment 7 Bruno Cornec 2022-10-25 10:01:46 CEST
Still working on the CLI build part, which isn't working as before :-(

Status: NEW => ASSIGNED

Comment 8 David Walser 2022-10-26 18:48:08 CEST
Docker bugfix release 20.10.21 is out too, just FYI:
https://github.com/moby/moby/releases/tag/v20.10.21
Comment 9 David Walser 2022-12-27 17:02:56 CET
(In reply to David Walser from comment #8)
> Docker bugfix release 20.10.21 is out too, just FYI:
> https://github.com/moby/moby/releases/tag/v20.10.21

and it also fixes a security issue:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RBODKZL7HQE5XXS3SA2VIDVL4LAA5RWH/

Status comment: Fixed upstream in 20.10.18 => Fixed upstream in 20.10.21
Summary: docker new security issue CVE-2022-36109 => docker new security issues CVE-2022-29153 and CVE-2022-36109

Comment 10 David Walser 2022-12-29 17:36:51 CET
It possibly fixes CVE-2022-3920 in a bundled component as well:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/VDJY5ZBYRAJUCIDR2PJWIR4IKNJAX73B/
Comment 11 Bruno Cornec 2022-12-30 02:26:31 CET
docker 20.10.22 pushed to mga8 updates_testing.

Works for me with the new docker-containerd 1.6.14 on mga8.

Now that it builds, I will work on the other remaining docker-related bugs, so I may generate new updates again.

Status comment: Fixed upstream in 20.10.21 => (none)
Assignee: bruno => qa-bugs

Comment 12 Bruno Cornec 2022-12-30 02:30:24 CET
Same version also pushed to cauldron

Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
CC: (none) => bruno

Comment 13 David Walser 2022-12-30 03:10:06 CET
docker-fish-completion-20.10.22-1.mga8
docker-nano-20.10.22-1.mga8
docker-zsh-completion-20.10.22-1.mga8
docker-logrotate-20.10.22-1.mga8
docker-devel-20.10.22-1.mga8
docker-20.10.22-1.mga8

from docker-20.10.22-1.mga8.src.rpm
Comment 14 Thomas Andrews 2023-01-12 01:52:19 CET
Used qarepo to download all packages in Comment 13, and installed all of them plus dependencies, 66 packages in all. Most of the dependencies were for the devel package. There were no installation issues.

Entirely out of my element here, so I'm trying to more or less follow Len's test from Bug 30205:

Added my user to the docker group, started the docker service, and checked status, which looked OK to my untrained eye.

[tom@localhost ~]$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
2db29710123e: Pull complete 
Digest: sha256:94ebc7edf3401f299cd3376a1669bc0a49aef92d6d2669005f9bc5ef028dc333
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

[......]

[tom@localhost ~]$ docker run -it fedora:latest bash
Unable to find image 'fedora:latest' locally
latest: Pulling from library/fedora
cd974119263e: Pull complete 
Digest: sha256:3487c98481d1bba7e769cf7bcecd6343c2d383fdd6bed34ec541b6b23ef07664
Status: Downloaded newer image for fedora:latest
[root@f54276031bea /]# dnf install zsh
Fedora 37 - x86_64                        5.3 MB/s |  64 MB     00:12
Fedora 37 openh264 (From Cisco) - x86_64  1.9 kB/s | 2.5 kB     00:01
Fedora Modular 37 - x86_64                1.9 MB/s | 3.0 MB     00:01
Fedora 37 - x86_64 - Updates              3.8 MB/s |  20 MB     00:05
Fedora Modular 37 - x86_64 - Updates      855 kB/s | 1.1 MB     00:01
Last metadata expiration check: 0:00:01 ago on Thu Jan 12 00:00:01 2023.
Dependencies resolved.
================================================================================
 Package      Architecture   Version        Repository   Size
================================================================================
Installing:
 zsh          x86_64         5.9-2.fc37     fedora       3.3 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 3.3 M
Installed size: 8.0 M
Is this ok [y/N]: y
Downloading Packages:
zsh-5.9-2.fc37.x86_64.rpm                 3.2 MB/s | 3.3 MB     00:01
--------------------------------------------------------------------------------
Total                                     1.2 MB/s | 3.3 MB     00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : zsh-5.9-2.fc37.x86_64                                  1/1
  Running scriptlet: zsh-5.9-2.fc37.x86_64                                  1/1
  Verifying        : zsh-5.9-2.fc37.x86_64                                  1/1

Installed:
  zsh-5.9-2.fc37.x86_64

Complete!
[....]
[root@f54276031bea /]# dnf install fish
Last metadata expiration check: 0:14:07 ago on Thu Jan 12 00:00:01 2023.
Dependencies resolved.
[....]
Installed:
  fish-3.5.1-1.fc37.x86_64           groff-base-1.22.4-10.fc37.x86_64     less-590-5.fc37.x86_64                     libpipeline-1.5.6-2.fc37.x86_64
  libpkgconf-1.8.0-3.fc37.x86_64     man-db-2.10.2-2.fc37.x86_64          man-pages-5.13-4.fc37.noarch               pcre2-utf32-10.40-1.fc37.1.x86_64
  pkgconf-1.8.0-3.fc37.x86_64        pkgconf-m4-1.8.0-3.fc37.noarch       pkgconf-pkg-config-1.8.0-3.fc37.x86_64

Complete!
[root@f54276031bea /]# fish
Welcome to fish, the friendly interactive shell
Type help for instructions on how to use fish
root@f54276031bea /# ls -l lib64/libsmartcols.so.1.1.0
-rwxr-xr-x 1 root root 113208 Aug  4 14:12 lib64/libsmartcols.so.1.1.0*
root@f54276031bea /# exit

[tom@localhost ~]$ docker run -it --name cowsay --hostname cowsay debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
bbeef03cda1f: Pull complete 
Digest: sha256:534da5794e770279c889daa891f46f5a530b0c5de8bfbc5e40394a0164d9fa87
Status: Downloaded newer image for debian:latest
[....]
root@cowsay:/# apt-get update
[....]
root@cowsay:/# apt-get install -y cowsay fortune
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'fortune-mod' instead of 'fortune'
The following additional packages will be installed:
[....]
root@cowsay:/# /usr/games/fortune | /usr/games/cowsay
 _________________________________________
/ "What's this? Trix? Aunt! Trix? You?    \
| You're after the prize! What is it?" He |
| picked up the box and studied the back. |
| "A glow-in-the-dark squid! Have you got |
| it out of there yet?" He tilted the     |
| box, angling the little colored balls   |
| of cereal so as to see the bottom, and  |
| nearly spilling them onto the table     |
| top. "Here it is!" He hauled out a      |
| little cream-colored, glitter-sprinkled |
| squid, three-inches long and made out   |
| of rubbery plastic.                     |
|                                         |
\ -- James P. Blaylock, "The Last Coin"   /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

That all looks OK to me. Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
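
A scripted version of the pre-flight part of the QA check above, as an added example (it is not part of this bug report, nor of the Mageia docker package): it verifies that every installed docker subpackage carries the version-release of this update, so none was left behind at the old 20.10.14-3.mga8 build, and that the daemon reports at least the first upstream release that fixed both CVEs (20.10.21, per comment 9). The package list and daemon version below are constructed sample values matching comment 13, so the script runs without an RPM database or a running daemon; the `rpm --qf` and `docker version --format` commands named in the comments are what you would substitute on a Mageia 8 host before running the `docker run hello-world` smoke test. Assumed: plain dotted numeric versions and NAME-VERSION-RELEASE package names as listed in comment 13.

```shell
#!/bin/sh
# Added example, not from the bug report: sanity-check a docker update on a
# Mageia host before the "docker run hello-world" smoke test.
# Assumptions: dotted numeric versions (20.10.22) and package names of the
# form NAME-VERSION-RELEASE as listed in comment 13.

FIXED_VERSION="20.10.21"        # first upstream release fixing both CVEs (comment 9)
UPDATE_NVR="20.10.22-1.mga8"    # version-release pushed to updates_testing (comment 13)

# Constructed sample input; on a real host replace with
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'docker*'
SAMPLE_RPM_QA='docker-20.10.22-1.mga8
docker-devel-20.10.22-1.mga8
docker-logrotate-20.10.22-1.mga8
docker-nano-20.10.22-1.mga8
docker-fish-completion-20.10.22-1.mga8
docker-zsh-completion-20.10.22-1.mga8'

# Constructed sample; on a real host replace with
#   docker version --format '{{.Server.Version}}'
SAMPLE_DAEMON_VERSION="20.10.22"

# version_ge A B: succeed if dotted version A >= B, comparing field by field
# numerically (so 20.10.9 < 20.10.22, unlike a plain string compare).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"          # missing trailing field counts as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# all_from_update LIST NVR: succeed only if every line of LIST ends in "-NVR",
# i.e. no docker subpackage is still at an older build. Reports every mismatch.
all_from_update() {
    _ifs=$IFS; IFS='
'
    set -f                                # no globbing while splitting on newlines
    _rc=0
    for pkg in $1; do
        case "$pkg" in
            *-"$2") ;;
            *) echo "package not from update $2: $pkg" >&2; _rc=1 ;;
        esac
    done
    IFS=$_ifs; set +f
    return $_rc
}

# check_update LIST NVR DAEMON_VERSION: both checks must pass.
check_update() {
    all_from_update "$1" "$2" && version_ge "$3" "$FIXED_VERSION"
}

if check_update "$SAMPLE_RPM_QA" "$UPDATE_NVR" "$SAMPLE_DAEMON_VERSION"; then
    echo "docker $UPDATE_NVR installed; daemon $SAMPLE_DAEMON_VERSION >= $FIXED_VERSION"
fi
```

The numeric field comparison matters because a string compare would rank 20.10.9 above 20.10.22; the per-package check catches the case where only the main package was upgraded and, say, docker-devel is still at the vulnerable 20.10.14-3.mga8 build.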

Comment 15 David Walser 2023-01-17 23:24:11 CET
(In reply to Bruno Cornec from comment #11)
> docker 20.10.22 pushed to mga8 updates_testing.
> 
> Works for me with the new docker-containerd 1.6.14 on mga8.
> 
> Now that it builds, I will work on the other remaining docker-related bugs, so
> I may generate new updates again.

Fedora advisory for 20.10.22:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5QXXO3TDARAQVD6XOZMJMXGOUH63RFFO/
Comment 16 Dave Hodgins 2023-01-24 01:59:12 CET
Regarding comment 2, should this update include any of the golang packages
currently in Mageia 8 core updates_testing?

golang-github-mrunalp-fileutils-0.5.0-1.mga8.src.rpm
golang-x-crypto-0-0.31.1.mga8.src.rpm
golang-x-net-0-0.6.1.mga8.src.rpm
golang-x-term-0-1.mga8.src.rpm

Keywords: (none) => feedback
CC: (none) => davidwhodgins

Comment 17 David Walser 2023-01-24 02:35:20 CET
No.

Keywords: feedback => (none)

Dave Hodgins 2023-01-24 02:47:21 CET

Keywords: (none) => advisory

Comment 18 Mageia Robot 2023-01-24 09:00:10 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0009.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
