Bug 598364 (CVE-2016-8867)

Summary: <app-emulation/docker-1.12.3: Possible container privilege escalation
Product: Gentoo Security
Reporter: Manuel Rüger (RETIRED) <mrueg>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: admwiggin, euank, williamh, xarthisius
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~2 [noglsa cve]
Package list:
Runtime testing required: ---

Description Manuel Rüger (RETIRED) gentoo-dev 2016-10-28 15:48:52 UTC
See https://github.com/docker/docker/issues/27590

Seems to be fixed in 1.12.3. Changelog is here: https://github.com/docker/docker/releases/tag/v1.12.3
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-11-01 22:21:25 UTC
Only affects 1.12.2 which is not stable
Comment 2 Euan Kemp 2017-02-23 04:57:29 UTC
This should be reopened; it was not properly fixed.

On the current gentoo release, with "app-emulation/runc-1.0.0_rc2-r2::gentoo", I can repro it with the following:

$ docker run --user 1000:1000 fedora sh -c 'capsh --print; echo; ls /root'
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=1000(???)
gid=1000(???)
groups=

anaconda-ks.cfg
original-ks.cfg


This is CVE-2016-8867. This can be seen by the fact that uid 1000 can read /root and that capsh shows I have effective cap_fowner.

This will be fixed by applying the patch I've posted at https://github.com/gentoo/gentoo/pull/4058

After updating runc to the "-r3" included in that PR, the above command gives the following:

$ docker run --user 1000:1000 fedora sh -c 'capsh --print; echo; ls /root'
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=1000(???)
gid=1000(???)
groups=

ls: cannot open directory '/root': Permission denied

Note the lack of "+eip" for capabilities and that filesystem permissions now work.
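The symptom in the comment above is a process with uid 1000 whose Docker default capability set is still effective and permitted ("+eip") instead of only inheritable ("+i"). The script below is an added example written for this page; it is not code from Gentoo, Docker or runc. It parses the `Current:` line of `capsh --print` (the named-group form shown in the comment, not capsh's `=ep` shorthand) and the `Uid`/`Cap*` lines of `/proc/<pid>/status`, decodes the capability bitmask, and reports any effective capability held while not root, which is the check a runtime operator would run inside a non-root container to confirm the fix. The two `/proc` status samples are constructed to match the bug report; the bit-to-name table follows `linux/capability.h`.

```python
"""Report effective capabilities held by a process that is not root.

Added example for this bug report (not Gentoo, docker or runc code).
Sample inputs are constructed: the two capsh lines mirror the report
(uid 1000, Docker's default capability set), the /proc status dumps
were written to match them.
"""
import re

# Linux capability names indexed by bit number (linux/capability.h order).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
]


def decode_mask(mask):
    """Return the capability names for every set bit of a Cap* bitmask."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def parse_proc_status(text):
    """Extract the real uid and the Cap* masks from a /proc/<pid>/status dump."""
    info = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip()
        if key == "Uid":
            info["uid"] = int(value.split()[0])       # real uid is the first column
        elif key in ("CapInh", "CapPrm", "CapEff", "CapBnd"):
            info[key] = int(value.strip(), 16)        # hex bitmask
    return info


def parse_capsh_current(line):
    """Parse a capsh --print 'Current:' line into {cap_name: set(flags)}.

    Handles the named-group form 'Current: = cap_a,cap_b+eip cap_c+i';
    the all-capabilities shorthand '=ep' used by capsh is not handled.
    """
    _, _, rest = line.partition("=")
    flags = {}
    for group in rest.split():
        m = re.fullmatch(r"([a-z0-9_,]+)([+-][eip]+)?", group)
        if not m:
            continue
        caps, spec = m.group(1), m.group(2) or ""
        for cap in caps.split(","):
            current = flags.setdefault(cap, set())
            if spec.startswith("+"):
                current |= set(spec[1:])
            elif spec.startswith("-"):
                current -= set(spec[1:])
    return flags


def nonroot_effective(uid, effective):
    """Effective capabilities a non-root process holds; [] means the runtime
    dropped them correctly, anything else is the CVE-2016-8867 symptom."""
    return [] if uid == 0 else sorted(effective)


def check_capsh(uid, line):
    """Evaluate a capsh 'Current:' line for a process running as uid."""
    flags = parse_capsh_current(line)
    return nonroot_effective(uid, {c for c, f in flags.items() if "e" in f})


def check_status(text):
    """Evaluate a /proc/<pid>/status dump (uid and CapEff come from the dump)."""
    info = parse_proc_status(text)
    return nonroot_effective(info["uid"], decode_mask(info.get("CapEff", 0)))


DOCKER_DEFAULT = ("cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,"
                  "cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,"
                  "cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap")
VULNERABLE_CAPSH = f"Current: = {DOCKER_DEFAULT}+eip"   # as in the report before the fix
FIXED_CAPSH = f"Current: = {DOCKER_DEFAULT}+i"          # as in the report after the fix
# Constructed /proc/self/status excerpts; 0xa80425fb is the same 14-cap set.
VULNERABLE_STATUS = ("Uid:\t1000\t1000\t1000\t1000\nCapInh:\t00000000a80425fb\n"
                     "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n")
FIXED_STATUS = ("Uid:\t1000\t1000\t1000\t1000\nCapInh:\t00000000a80425fb\n"
                "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n")

if __name__ == "__main__":
    for label, line in (("vulnerable", VULNERABLE_CAPSH), ("fixed", FIXED_CAPSH)):
        print(label, "capsh:", check_capsh(1000, line) or "no effective caps (ok)")
    try:  # live check of the current process; only meaningful inside a container
        with open("/proc/self/status") as f:
            print("this process:", check_status(f.read()) or "no effective caps (ok)")
    except OSError:
        print("/proc/self/status not available on this platform")
```

Run it as the container's non-root user (for example via `docker run --user 1000:1000`); a non-empty list from `check_status` on the live `/proc/self/status` means the runtime left capabilities effective for a non-root process, and `cap_dac_override` or `cap_fowner` in that list is exactly what let uid 1000 list `/root` in the report.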
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2017-02-23 15:04:00 UTC
I added a snapshot named runc-1.0.0_rc2_p20170222 which picks up latest changes from master. This should be good to go until upstream decides to release rc3.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-10-15 20:33:38 UTC
Please open a request with a new bug detailing the runc issue.