Bug 31733 - docker new security issues CVE-2023-26054 and CVE-2023-2884[0-2]
Summary: docker new security issues CVE-2023-26054 and CVE-2023-2884[0-2]
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO MGA8-64-OK
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2023-03-30 20:13 CEST by David Walser
Modified: 2023-09-17 01:16 CEST
8 users

See Also:
Source RPM: docker-20.10.22-1.mga9.src.rpm
CVE:
Status comment:


Description David Walser 2023-03-30 20:13:18 CEST
Docker 23.0.2 has been released on March 28:
https://github.com/moby/moby/releases/tag/v23.0.2

The Github advisory for the issue is here:
https://github.com/moby/buildkit/security/advisories/GHSA-gc89-7gcr-jxqc

But I don't know which piece of software it's referring to in its versions listed.  I assume it's something that Docker/moby bundles.
Comment 1 Bruno Cornec 2023-03-31 00:19:38 CEST
Seems to be a security issue related to the docker build command part.

Status: NEW => ASSIGNED

Comment 2 David Walser 2023-04-06 18:47:55 CEST
Docker 23.0.2 has been released on April 4:
https://github.com/moby/moby/releases/tag/v23.0.3

It fixes more security issues and references this advisory:
https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw

Whiteboard: (none) => MGA8TOO
Summary: docker new security issue CVE-2023-26054 => docker new security issues CVE-2023-26054 and CVE-2023-2884[0-2]
Status comment: (none) => Fixed upstream in 23.0.3

Comment 3 Morgan Leijström 2023-05-26 12:18:36 CEST
Ping.

Also good to update for functionality on par with other distros, such as user asking in https://forums.mageia.org/en/viewtopic.php?t=14941

CC: (none) => fri

Comment 4 Morgan Leijström 2023-05-26 12:27:15 CEST
https://github.com/moby/moby/releases/tag/v24.0.2 released last hour :)
Comment 5 papoteur 2023-05-26 17:03:44 CEST
@Bruno
What do you think?

CC: (none) => yves.brungard_mageia

Comment 6 Bruno Cornec 2023-05-27 01:29:39 CEST
I think that it needs to be updated of course, but I already encountered issues with 23.0.2 with vendored content:
../../../../../src/vendor/github.com/docker/docker/daemon/config/config.go:16:2: use of vendored package not allowed

And if you try to remove the vendored content you get another error :-(

So I was stuck with that and didn't have enough time to dig more. And it won't happen till the end of next week, sorry.
Comment 7 Bruno Cornec 2023-08-17 02:57:01 CEST
A new full docker stack is on its way to cauldron updates_testing. Would be great to have it tested so we can provide these updates very early in mga9 live.

You'll have to install:
docker-24.0.5-2.mga8.x86_64.rpm          
docker-containerd-1.7.3-1.mga8.x86_64.rpm        
opencontainers-runc-1.1.9-1.mga8.x86_64.rpm
docker-logrotate-24.0.5-2.mga8.x86_64.rpm
golang-github-mrunalp-fileutils-0.5.0-3.mga8.x86_64.rpm

to test it.
Much more details available at: https://brunocornec.wordpress.com/2023/08/17/docker-stack-updates-for-mageia-9/

Assignee: bruno => qa-bugs

David Walser 2023-08-17 03:17:56 CEST

Status comment: Fixed upstream in 23.0.3 => (none)

David Walser 2023-08-17 03:18:13 CEST

CC: (none) => bruno

Comment 8 Timo Netzer 2023-08-24 11:47:33 CEST
Great news, thanks a lot. I was briefly playing around with it and I found out that 'docker compose' gives the result 

docker: 'compose' is not a docker command
See 'docker --help'

But the 'docker --version' command gives me the correct version of 24.0.5, build: ced099660009713e0e845eeb754e6050dbaa45d0 

In this version compose should be already a docker command afaik.

Not sure if I did something wrong here, or this is a bug.

CC: (none) => timoofone

Comment 9 Dave Hodgins 2023-08-24 17:42:49 CEST
docker-compose is a package, not a command.
$ urpmq -i docker-compose|grep -e ^Source -e ^Summary|sort -u
Source RPM  : docker-compose-1.26.2-1.mga8.src.rpm
Summary     : Multi-container orchestration for Docker

CC: (none) => davidwhodgins

Comment 10 Bruno Cornec 2023-08-25 00:16:46 CEST
(In reply to Timo Netzer from comment #8)
> Great news, thanks a lot. I was briefly playing around with it and I found
> out that 'docker compose' gives the result 
> 
> docker: 'compose' is not a docker command
> See 'docker --help'
> 
> But the 'docker --version' command gives me the correct version of 24.0.5,
> build: ced099660009713e0e845eeb754e6050dbaa45d0 
> 
> In this version compose should be already a docker command afaik.
> 
> Not sure if I did something wrong here, or this is a bug.

It's the case if you also install the new docker-compose plugin which gives you the docker compose command with docker 24.0.5 *and* docker-compose-2

Tested here with success.

For Dave, moving from docker-compose-1 to docker-compose-2 changes the way people have to invoke the composer:

Before it was a python script called docker-compose. Now it's a docker go plugin installed and dynamically loaded by the docker compose command.

Hope that clarifies things.
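The "'compose' is not a docker command" message in comment 8 comes from the docker CLI's plugin lookup: a subcommand the client does not know natively is only accepted if an executable named docker-<name> exists in one of the CLI plugin directories. The following script is an added illustration written for this bug page, not code from the Mageia packages or from Docker; it reproduces that lookup so a tester can see why installing the docker-compose v2 plugin package makes `docker compose` appear. The directory list mirrors the docker client's documented search order; the DIRS argument exists only so the function can be exercised against constructed directories.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Mageia packages): locate a
# Docker CLI plugin the way the docker client does. "docker <name>" for an
# unknown <name> only works if an executable docker-<name> is found here.

# Search order used by the docker client: system directories first, then the
# per-user directory.
DEFAULT_PLUGIN_DIRS="/usr/local/lib/docker/cli-plugins:/usr/local/libexec/docker/cli-plugins:/usr/lib/docker/cli-plugins:/usr/libexec/docker/cli-plugins:${HOME}/.docker/cli-plugins"

# find_cli_plugin NAME [DIRS]
# Prints the first executable docker-NAME found in the colon-separated DIRS
# (default: DEFAULT_PLUGIN_DIRS) and returns 0; returns 1 if none is found.
# A file that exists but is not executable is ignored, as the client would
# refuse to run it.
find_cli_plugin() {
    name=$1
    dirs=${2:-$DEFAULT_PLUGIN_DIRS}
    old_ifs=$IFS
    IFS=:
    for d in $dirs; do
        IFS=$old_ifs
        candidate="$d/docker-$name"
        if [ -f "$candidate" ] && [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# explain_subcommand NAME [DIRS]
# Prints a verdict in the same wording the user sees from "docker NAME".
explain_subcommand() {
    if plugin=$(find_cli_plugin "$1" "$2"); then
        echo "docker $1 is provided by plugin $plugin"
    else
        echo "docker: '$1' is not a docker command (no executable docker-$1 plugin found)"
        return 1
    fi
}

# Usage on a real host (no arguments means the client's default directories):
#   explain_subcommand compose
#   explain_subcommand buildx
```

Because the plugin is resolved from the filesystem at invocation time, a package that ships only the daemon and client (as the list in comment 7 does) gives a working `docker --version` but no `docker compose`; the v1 python `docker-compose` binary and the v2 CLI plugin are independent installs.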
Comment 11 Thomas Andrews 2023-08-29 18:08:26 CEST
Now that Cauldron has transformed into Mageia 10, what is the status of this with regard to Mageia 9? 

According to drakrpm, Docker in Mageia 9 is version 20.10.22-1.mga9. Qarepo can't find any packages containing "docker" in the M9 update testing repos, and we have no M9 list here to work with.

CC: (none) => andrewsfarm

Comment 12 Dave Hodgins 2023-08-29 18:14:45 CEST
The package will need to be resubmitted to the build system as it is not in updates testing for m9.

Version: Cauldron => 9
Keywords: (none) => feedback

Comment 13 Bruno Cornec 2023-08-30 02:22:08 CEST
I see on my mirror:
9/SRPMS/core/updates_testing/golang-github-mrunalp-fileutils-0.5.0-3.mga9.src.rpm
9/SRPMS/core/updates_testing/docker-24.0.5-2.mga9.src.rpm
9/SRPMS/core/updates_testing/docker-containerd-1.7.3-1.mga9.src.rpm
9/SRPMS/core/updates_testing/golang-1.21.0-1.mga9.src.rpm
9/SRPMS/core/updates_testing/opencontainers-runc-1.1.9-1.mga9.src.rpm


We first need to have golang-1.21 validated *and* updated on the build system so I can re-submit docker-compose v2 and docker-buildx, which cannot be built without it.

What request should I make, and on which ML, to have the freeze push done? Should QA test that first?
Bruno Cornec 2023-08-30 02:22:48 CEST

Keywords: feedback => (none)

Comment 14 Dave Hodgins 2023-08-30 03:10:18 CEST
Check a mirror that is fully up-to-date such as
http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/9/SRPMS/core/updates_testing/
It currently only has ...
[DIR] media_info/                              2023-08-28 19:36    -   
[DIR] repodata/                                2023-08-28 19:36    -   
[   ] darktable-4.4.2-1.mga9.src.rpm           2023-08-28 10:23  5.8M  
[   ] gnucobol-3.2-1.mga9.src.rpm              2023-08-27 19:49  8.0M  
[   ] kernel-6.4.12-1.mga9.src.rpm             2023-08-28 13:38  136M  
[   ] kmod-virtualbox-7.0.10-26.mga9.src.rpm   2023-08-28 14:46  165K  
[   ] kmod-xtables-addons-3.24-42.mga9.src.rpm 2023-08-28 14:46  142K  
[   ] libdrm-2.4.116-1.mga9.src.rpm            2023-08-27 16:44  521K  
[   ] mesa-23.1.6-1.mga9.src.rpm               2023-08-27 18:45   18M  
[   ] mixxx-2.3.6-1.mga9.src.rpm               2023-08-28 19:36   38M  
[   ] systemd-253.8-1.mga9.src.rpm             2023-08-28 14:54   12M  

Note that all of the m9 updates testing repos were created as empty repos as part of the release process.

Mirrors that have not been updated since the release still have things from cauldron updates testing, but don't have the final iso images.

After golang has been pushed as a qa validated update, request that it be pushed to the build system on the dev and/or sysadmin-discuss ml.
Comment 15 Bruno Cornec 2023-08-30 17:07:32 CEST
Oops, sorry, I removed the --delete option from my mirror to avoid issues while mga9 was syncing and forgot to add it back.

Indeed, they are now missing :-(

So I pushed golang first on cauldron and 9 for updates_testing (it seems the build farm has issues on ARM).
I'll now push the others that don't depend on it, which QA will be able to test, and once golang is ready, the rest.
Comment 16 Len Lawrence 2023-09-05 19:30:52 CEST
Mageia 8, x86_64
Installed updates.
docker-24.0.5-2.mga8.x86_64.rpm          
docker-containerd-1.7.3-1.mga8.x86_64.rpm        
opencontainers-runc-1.1.9-1.mga8.x86_64.rpm
docker-logrotate-24.0.5-2.mga8.x86_64.rpm
golang-github-mrunalp-fileutils-0.5.0-3.mga8.x86_64.rpm

Started docker daemon.

Running Bruno's docker lab examples:
$ docker run hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
....
$ docker run -it fedora:latest bash
[root@6e92aa797427 /]#
<in another terminal>
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND    CREATED          STATUS                     PORTS     NAMES
6e92aa797427   fedora:latest   "bash"     27 seconds ago   Up 27 seconds                        adoring_hermann
9c35fce8ed65   hello-world     "/hello"   5 minutes ago    Exited (0) 5 minutes ago             romantic_lamarr
a791ac49e724   fedora:latest   "bash"     5 weeks ago      Exited (0) 5 weeks ago               blissful_williamson
$ docker rm a791ac49e724
a791ac49e724

<continuing docker run>
[root@6e92aa797427 /]# dnf install ruby
Fedora 38 - x86_64                              5.7 MB/s |  83 MB     00:14  
[...]
Install  11 Packages

Total download size: 5.5 M
Installed size: 19 M
Is this ok [y/N]: y
[...]
Installed:
  ruby-3.2.2-180.fc38.x86_64                                                    
  ruby-default-gems-3.2.2-180.fc38.noarch                                       

[...]
Complete!
[root@6e92aa797427 /]# dnf install irb
Last metadata expiration check: 1:02:07 ago on Tue Sep  5 15:54:12 2023.
Dependencies resolved.
[...]
Installed:
  rubygem-irb-1.6.2-180.fc38.noarch                                             
Complete!
[root@6e92aa797427 /]# irb
irb(main):001:0> require 'prime'
e': cannot load such file -- prime (LoadError)
	from <internal:/usr/share/rubygems/rubygems/core_ext/kernel_require.rb>:
[...]
<Pushing my luck there but the REPL works>
[root@6e92aa797427 /]# exit

$ docker run -it debian bash
Unable to find image 'debian:latest' locally
latest: Pulling from library/debian
de4cac68b616: Pull complete 
Digest: sha256:b91baba9c2cae5edbe3b0ff50ae8f05157e3ae6f018372dcfc3aba224acb392b
Status: Downloaded newer image for debian:latest
root@5a32bd732037:/# ls /proc/sys
abi  debug  dev  fs  fscache  kernel  net  sunrpc  user  vm
root@5a32bd732037:/# apt-get install -y cowsay fortune
root@5a32bd732037:/# /usr/games/fortune | /usr/games/cowsay
 _________________________________________
< A day for firm decisions!!!!! Or is it? >
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
root@5a32bd732037:/# exit

Have a vague memory that there is a command available to test mrunalp-fileutils.
Apart from that, docker looks fine for Mageia 8.

CC: (none) => tarazed25

Len Lawrence 2023-09-07 08:52:19 CEST

Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 17 Brian Rockwell 2023-09-16 18:27:52 CEST
MGA9-64, Xfce, VirtualBox

The following 88 packages are going to be installed:

- appstream-util-0.8.0-2.mga9.x86_64
- autoconf-2.71-5.mga9.noarch
- automake-1.16.5-3.mga9.noarch
- autopoint-0.21.1-2.mga9.x86_64
- cgroup-0.41-5.mga9.x86_64
- cmake-rpm-macros-9-9.mga9.noarch
- ctags-6.0.0-3.mga9.x86_64
- debugedit-5.0-5.mga9.x86_64
- docbook-style-dsssl-1.79-20.mga9.noarch
- docbook-style-xsl-1.79.2-6.mga9.noarch
- docbook-utils-0.6.14-24.mga9.noarch
- docker-24.0.5-2.mga9.x86_64
- docker-containerd-1.7.3-1.mga9.x86_64
- docker-devel-24.0.5-2.mga9.x86_64
- docker-fish-completion-24.0.5-2.mga9.x86_64
- docker-logrotate-24.0.5-2.mga9.x86_64
- docker-nano-24.0.5-2.mga9.x86_64
- docker-zsh-completion-24.0.5-2.mga9.x86_64
- dwz-0.15-1.mga9.x86_64
- efi-srpm-macros-5-3.mga9.noarch
- elfutils-0.189-1.mga9.x86_64
- fish-3.6.1-1.mga9.x86_64
- fonts-srpm-macros-2.0.5-6.mga9.noarch
- gcc-12.3.0-3.mga9.x86_64
- gcc-c++-12.3.0-3.mga9.x86_64
- gcc-cpp-12.3.0-3.mga9.x86_64
- gcc-plugins-12.3.0-3.mga9.x86_64
- gdb-headless-12.1-7.mga9.x86_64
- gdb-minimal-12.1-7.mga9.x86_64
- glibc-2.36-49.mga9.x86_64
- glibc-devel-2.36-49.mga9.x86_64
- go-srpm-macros-3.2.0-1.mga9.noarch
- golang-1.21.0-1.mga9.x86_64
- golang-bin-1.21.0-1.mga9.x86_64
- golang-src-1.21.0-1.mga9.noarch
- gtk-doc-1.33.2-6.mga9.noarch
- guile3.0-runtime-3.0.8-2.mga9.x86_64
- help2man-1.49.3-1.mga9.noarch
- isl-0.24-2.mga9.x86_64
- kernel-userspace-headers-6.5.3-1.mga9.x86_64
- lib64babeltrace1-1.5.11-1.mga9.x86_64
- lib64cgroup1-0.41-5.mga9.x86_64
- lib64guile3.0_1-3.0.8-2.mga9.x86_64
- lib64ipt2-2.0.5-2.mga9.x86_64
- lib64isl23-0.24-2.mga9.x86_64
- lib64mpc3-1.3.1-1.mga9.x86_64
- lib64openjade0-1.3.3-0.pre1.27.mga9.x86_64
- lib64osp5-1.5.2-25.mga9.x86_64
- lib64pcre1-8.45-3.mga9.x86_64
- lib64pcre16_0-8.45-3.mga9.x86_64
- lib64pcre32_0-8.45-3.mga9.x86_64
- lib64pcreposix1-8.45-3.mga9.x86_64
- lib64source-highlight4-3.1.9-13.mga9.x86_64
- lib64xcrypt-devel-4.4.33-3.mga9.x86_64
- libgomp-devel-12.3.0-3.mga9.x86_64
- libstdc++-devel-12.3.0-3.mga9.x86_64
- libstdc++-python-devel-12.3.0-3.mga9.x86_64
- libtool-base-2.4.7-1.mga9.x86_64
- lua-srpm-macros-1-6.mga9.noarch
- m4-1.4.19-2.mga9.x86_64
- make-4.4.1-1.mga9.x86_64
- ocaml-srpm-macros-7-1.mga9.noarch
- opencontainers-runc-1.1.9-1.mga9.x86_64
- openjade-1.3.3-0.pre1.27.mga9.x86_64
- opensp-1.5.2-25.mga9.x86_64
- pcre-8.45-3.mga9.x86_64
- perl-Exporter-Tiny-1.6.0-1.mga9.noarch
- perl-File-Slurp-9999.320.0-2.mga9.noarch
- perl-List-MoreUtils-0.430.0-6.mga9.noarch
- perl-List-MoreUtils-XS-0.430-5.mga9.x86_64
- perl-SGMLSpm-1.03ii-5.mga9.noarch
- perl-srpm-macros-1-35.mga9.noarch
- perl-YAML-1.300.0-3.mga9.noarch
- perl-YAML-Tiny-1.730.0-4.mga9.noarch
- python3-enchant-3.2.2-1.mga9.noarch
- python3-file-magic-5.44-1.mga9.noarch
- python3-pygments-2.13.0-1.mga9.noarch
- python3-rpm-generators-12-9.mga9.noarch
- rpm-build-4.18.0-7.mga9.x86_64
- rpm-mageia-setup-build-2.71-1.mga9.x86_64
- rpmlint-1.11-7.mga9.noarch
- rpmlint-mageia-policy-0.2.29-8.mga9.noarch
- rust-srpm-macros-24-1.mga9.noarch
- source-highlight-3.1.9-13.mga9.x86_64
- spec-helper-0.31.24-1.mga9.noarch
- xsltproc-1.1.38-1.mga9.x86_64
- zsh-5.9-3.mga9.x86_64
- zstd-1.5.5-1.mga9.x86_64

832MB of additional disk space will be used.



$ docker --version
Docker version 24.0.5, build ced099660009713e0e845eeb754e6050dbaa45d0


Requires the service to be running. That won't start:

# systemctl restart docker
Job for docker.service failed because the control process exited with error code.
See "systemctl status docker.service" and "journalctl -xeu docker.service" for details.
# systemctl status docker.service
× docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Sat 2023-09-16 11:17:57 CDT; 12s ago
TriggeredBy: × docker.socket
       Docs: http://docs.docker.com
    Process: 2027 ExecStartPre=/usr/sbin/docker-network-cleanup (code=exited, status=0/SUCCESS)
    Process: 2030 ExecStart=/usr/sbin/dockerd $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $INSECURE_REGISTRY (code=exited, status=1/FAILURE)
    Process: 2039 ExecStopPost=/usr/sbin/docker-network-cleanup (code=exited, status=0/SUCCESS)
   Main PID: 2030 (code=exited, status=1/FAILURE)
        CPU: 58ms

Sep 16 11:17:57 localhost systemd[1]: docker.service: Scheduled restart job, restart counter is at 3.
Sep 16 11:17:57 localhost systemd[1]: Stopped docker.service.
Sep 16 11:17:57 localhost systemd[1]: docker.service: Start request repeated too quickly.
Sep 16 11:17:57 localhost systemd[1]: docker.service: Failed with result 'exit-code'.
Sep 16 11:17:57 localhost systemd[1]: Failed to start docker.service.



# journalctl -xeu docker.service
Sep 16 11:17:57 localhost systemd[1]: Stopped docker.service.
░░ Subject: A stop job for unit docker.service has finished
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A stop job for unit docker.service has finished.
░░ 
░░ The job identifier is 1894 and the job result is done.
Sep 16 11:17:57 localhost systemd[1]: docker.service: Start request repeated too quickly.
Sep 16 11:17:57 localhost systemd[1]: docker.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit docker.service has entered the 'failed' state with result 'exit-code'.
Sep 16 11:17:57 localhost systemd[1]: Failed to start docker.service.
░░ Subject: A start job for unit docker.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit docker.service has finished with a failure.
░░ 
░░ The job identifier is 1894 and the job result is failed.

------------

I'm not a docker user by default, but it's not working for me.

Note:  I'm using RPM and not DNF.

CC: (none) => brtians1
Keywords: (none) => feedback

Comment 18 Len Lawrence 2023-09-17 01:16:57 CEST
@Brian, with reference to comment 21.
Have I missed something? Have not seen golang-1.21 in testing yet. See comment 13. Was hanging back for a full package list for docker as well.

Concerning starting the service:
Have you added yourself to the docker group?  Problem here before I did that.  The service starts alright for docker version 20.10.22 and the hello-world check succeeds.
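Comment 17 and comment 18 describe two different failure modes that look alike from the client side: in Brian's journal, dockerd itself exits with status 1 at ExecStart and systemd stops retrying ("Start request repeated too quickly"), which no group membership can fix; the docker-group advice addresses the other case, where the daemon runs but the user cannot open /var/run/docker.sock. The script below is an added example written for this page (it is not part of the Mageia package or the bug thread) that separates the two: one function classifies `systemctl status`/journal text, the other gives a verdict on socket access from the user's groups and the socket's group and mode. The function names, the sample journal lines in the test and the default socket path are this example's own assumptions; the verdict also flags a world-writable socket, because anyone who can write to it controls the daemon, and docker-group membership itself is root-equivalent on the host.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Mageia packages): post-install
# checks for the docker update. Distinguishes "dockerd cannot start" from
# "dockerd runs but this user cannot reach its socket".

# classify_docker_start < systemd-status-or-journal-text
# Prints one of:
#   daemon-crashed   dockerd exited non-zero (read dockerd's own log lines next)
#   rate-limited     systemd gave up after repeated failures (same root cause)
#   started          a start job completed successfully
#   unknown          nothing conclusive in the input
classify_docker_start() {
    awk '
        /ExecStart=.*dockerd.*status=[1-9][0-9]*\/FAILURE/ { crashed = 1 }
        /Main PID: .*status=[1-9][0-9]*\/FAILURE/          { crashed = 1 }
        /Start request repeated too quickly/               { limited = 1 }
        /Started docker.service|Started Docker Application Container Engine/ { started = 1 }
        END {
            if (crashed)      print "daemon-crashed"
            else if (limited) print "rate-limited"
            else if (started) print "started"
            else              print "unknown"
        }'
}

# socket_access_verdict "USER_GROUPS" SOCK_GROUP SOCK_MODE
# USER_GROUPS is the space-separated output of `id -nG`; SOCK_GROUP and
# SOCK_MODE are `stat -c %G` and `stat -c %a` of the daemon socket.
# Returns 0 when the user can use the socket through its group, 1 when access
# would be denied, 2 when the socket is open to every local user (insecure).
socket_access_verdict() {
    groups=$1
    sock_group=$2
    mode=$3
    other=${mode#"${mode%?}"}      # last octal digit: other
    rest=${mode%?}
    group=${rest#"${rest%?}"}      # second-to-last octal digit: group
    case $other in
        6|7) echo "world-accessible socket (mode $mode): every local user controls the daemon"
             return 2 ;;
    esac
    for g in $groups; do
        if [ "$g" = "$sock_group" ]; then
            case $group in
                6|7) echo "ok: access via group $sock_group (note: this is root-equivalent on the host)"
                     return 0 ;;
            esac
        fi
    done
    echo "denied: not in group $sock_group with rw access; use sudo for one-off checks"
    return 1
}

# docker_postinstall_check [SOCKET]
# Runs both checks on a live host (not exercised by the test).
docker_postinstall_check() {
    sock=${1:-/var/run/docker.sock}
    if command -v systemctl >/dev/null 2>&1; then
        echo "service: $(systemctl status docker.service 2>/dev/null | classify_docker_start)"
    fi
    if [ -S "$sock" ]; then
        socket_access_verdict "$(id -nG)" "$(stat -c %G "$sock")" "$(stat -c %a "$sock")"
    else
        echo "no socket at $sock: the daemon is not running"
    fi
}

# Usage on a host: . ./docker-check.sh && docker_postinstall_check
```

When the first check reports daemon-crashed, the useful lines are the ones emitted by dockerd itself (`journalctl -u docker.service` without the systemd wrapper messages), since the status excerpt in comment 17 only shows that ExecStart returned 1, not why.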
