Bug 509796 - <app-emulation/docker-1.0.0: cp command copies from host filesystem and not from container
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/dotcloud/docker/is...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-07 14:59 UTC by Tom Wijsman (TomWij) (RETIRED)
Modified: 2014-11-11 22:45 UTC
Description Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-05-07 14:59:58 UTC
See URL field for more information.
Comment 1 Tianon 2014-05-15 22:31:14 UTC
I'd like to point out that having access to the Docker API is well documented to be equivalent to root on the host (i.e., from a privileged container, I can do anything "docker cp" can do here and even a whole lot more), so this is more of a general bug than a security issue, and it's been noted on the upstream issue that it's fixed in master and will be in the next release.
Comment 2 Tianon 2014-06-29 05:32:35 UTC
The fix for this issue was in 1.0.0 (and also 1.0.1 which was just uploaded to the tree this evening).

I'd still reiterate that it's a lot less of a security issue and more of a cosmetic issue, especially since with access to the Docker socket, access to unrestricted root on the host system is implied and trivial to gain (see also http://docs.docker.com/articles/security/#docker-daemon-attack-surface).
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-29 13:17:23 UTC
Thank you. Is this related to http://seclists.org/oss-sec/2014/q2/565 or are those completely separate issues?

In any case, this package has not been stabilized so won't require a glsa, but would you please clean up the affected versions from the tree?
Comment 4 Tianon 2014-06-30 18:23:01 UTC
That one is actually a completely separate issue, but I'll make sure we go clean out everything less than version 1.0.0 anyhow (and hopefully we'll get a good resolution on the masking issue being discussed on the ML).
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-11-11 22:42:59 UTC
Thank you for cleanup. All vulnerable versions removed, closing noglsa.