Bug 581236 (CVE-2016-3697) - <app-emulation/docker-1.11.0: privilege escalation via confusion of usernames and UIDs (CVE-2016-3697)
Status: RESOLVED FIXED
Alias: CVE-2016-3697
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B1 [glsa cve]
Duplicates: 580650
Reported: 2016-04-26 08:59 UTC by Agostino Sarubbo
Modified: 2016-12-11 23:45 UTC
Description Agostino Sarubbo gentoo-dev 2016-04-26 08:59:19 UTC
From ${URL} :

Container launch does not distinguish between numeric UIDs and string usernames. A malicious image
can provide a username to UID mapping at a high privileged level. This means that innocuous
looking launches such as:

    docker -u 1000 ...

actually result in the image processes running as root.

This ambiguity also confuses OpenShift's UID-based controls.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Tianon 2016-04-26 14:17:14 UTC
This was fixed in https://github.com/opencontainers/runc/pull/708, which was included in runc 0.1.0+ (and thus at least Docker 1.11+).
Comment 2 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2016-04-26 18:09:18 UTC
Arches please stabilize:

=app-emulation/docker-1.11.0 ~amd64
=app-emulation/runc-0.1.0 ~amd64
=app-emulation/containerd-0.2.0 ~amd64
=dev-go/go-md2man-1.0.3 ~amd64
=dev-go/blackfriday-1.2_p20150720 ~amd64
=dev-go/sanitized-anchor-name-0_pre20151027 ~amd64
Comment 3 Agostino Sarubbo gentoo-dev 2016-04-27 08:24:42 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 4 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2016-04-27 15:25:52 UTC
commit 62fb332f629ff9b965c80ce4df6a3f0d03c282eb
Author: Kacper Kowalik <xarthisius@gentoo.org>
Date:   Wed Apr 27 10:19:29 2016 -0500

    app-emulation/docker: Drop vulnerable versions wrt bug 581236
    
    Package-Manager: portage-2.2.27
Comment 5 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2016-04-27 15:28:51 UTC
*** Bug 580650 has been marked as a duplicate of this bug. ***
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-06-13 10:01:10 UTC
CVE-2016-3697 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3697):
  libcontainer/user/user.go in runC before 0.1.0, as used in Docker before
  1.11.2, improperly treats a numeric UID as a potential username, which
  allows local users to gain privileges via a numeric username in the password
  file in a container.
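
The lookup ambiguity described in this report, as an added example that is not part of the bug thread and is not runc's own code: a simplified Go model that resolves a `-u` argument against a container's password file, once trying it as a username first and once treating a numeric argument strictly as a UID. The function names and the sample `/etc/passwd` content are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of an image's /etc/passwd; line 2 names a user "1000" with UID 0.
const imagePasswd = `root:x:0:0:root:/root:/bin/sh
1000:x:0:0::/:/bin/sh
app:x:1000:1000::/home/app:/bin/sh
`

// lookupByName returns the UID of the entry whose name field equals name.
func lookupByName(passwd, name string) (int, bool) {
	for _, line := range strings.Split(passwd, "\n") {
		f := strings.Split(line, ":")
		if len(f) >= 3 && f[0] == name {
			if uid, err := strconv.Atoi(f[2]); err == nil {
				return uid, true
			}
		}
	}
	return 0, false
}

// resolveAmbiguous models the flaw: the argument is tried as a username first.
func resolveAmbiguous(passwd, arg string) (int, error) {
	if uid, ok := lookupByName(passwd, arg); ok {
		return uid, nil
	}
	return strconv.Atoi(arg)
}

// resolveStrict treats an argument that parses as a non-negative integer as a UID, never as a name.
func resolveStrict(passwd, arg string) (int, error) {
	if uid, err := strconv.Atoi(arg); err == nil && uid >= 0 {
		return uid, nil
	}
	if uid, ok := lookupByName(passwd, arg); ok {
		return uid, nil
	}
	return 0, fmt.Errorf("unknown user %q", arg)
}

func main() {
	fmt.Println(resolveAmbiguous(imagePasswd, "1000")) // 0 <nil>
	fmt.Println(resolveStrict(imagePasswd, "1000"))    // 1000 <nil>
}
```

With the strict resolver, a UID-based admission check that compares the requested number against policy sees the same UID the process will actually run with.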
Comment 7 William Hubbs gentoo-dev 2016-08-03 22:38:12 UTC
@security:
Should I fast stable 1.12.0?
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2016-08-04 14:43:25 UTC
(In reply to William Hubbs from comment #7)
> @security:
> Should I fast stable 1.12.0?

No, it's fixed in 1.11 which *is* stable.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2016-12-11 23:45:17 UTC
This issue was resolved and addressed in
 GLSA 201612-28 at https://security.gentoo.org/glsa/201612-28
by GLSA coordinator Kristian Fiskerstrand (K_F).