Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 532344 (CVE-2014-9356)

Summary: app-emulation/docker: two vulnerabilities (CVE-2014-{9357,9358})
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: admwiggin, proxy-maint, xarthisius
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~1 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-12-12 08:23:31 UTC 
From https://bugzilla.redhat.com/show_bug.cgi?id=1172782:

Docker Inc. has discovered an issue whereby a malicious image could execute arbitrary code when being unpacked automatically after a "docker pull". From the Docker Inc report:

"It has been discovered that the introduction of chroot for archive extraction in Docker 1.3.2 had introduced a privilege escalation vulnerability. Malicious images or builds from malicious Dockerfiles could escalate privileges and execute arbitrary code as a 
root user on the Docker host by providing a malicious ‘xz’ binary.

We are releasing Docker 1.3.3 to address this vulnerability. Only Docker 1.3.2 is vulnerable. Users are highly encouraged to upgrade."


From https://bugzilla.redhat.com/show_bug.cgi?id=1172761:

A problem was reported by Docker Inc. whereby a malicious image could overwrite arbitrary portions of the host filesystem by including absolute symlinks. From the upstream report:

"Path traversal attacks are possible in the processing of absolute symlinks. In checking symlinks for traversals, only relative links were considered. This allowed path traversals to exist where they should have otherwise been prevented. This was exploitable via 
both archive extraction and through volume mounts.

This vulnerability allowed malicious images or builds from malicious Dockerfiles to write files to the host system and escape containerization, leading to privilege escalation."


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2014-12-12 18:53:58 UTC 
+*docker-1.4.0 (12 Dec 2014)
+
+  12 Dec 2014; Kacper Kowalik <xarthisius@gentoo.org> +docker-1.4.0.ebuild,
+  -docker-1.3.2.ebuild:
+  Version bump, drop vulnerable versions wrt #532344
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-12-12 18:55:35 UTC 
(In reply to Kacper Kowalik (Xarthisius) from comment #1)
> +*docker-1.4.0 (12 Dec 2014)
> +
> +  12 Dec 2014; Kacper Kowalik <xarthisius@gentoo.org> +docker-1.4.0.ebuild,
> +  -docker-1.3.2.ebuild:
> +  Version bump, drop vulnerable versions wrt #532344

Thanks! There  are no stable versions affected, closed.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-01-11 20:48:01 UTC 
CVE-2014-9358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9358):
  Docker before 1.3.3 does not properly validate image IDs, which allows
  remote attackers to conduct path traversal attacks and spoof repositories
  via a crafted image in a (1) "docker load" operation or (2) "registry
  communications."

CVE-2014-9357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9357):
  Docker 1.3.2 allows remote attackers to execute arbitrary code with root
  privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA
  (.xz) archive, related to the chroot for archive extraction.