From ${URL} :
Container launch does not distinguish between numeric UIDs and string usernames. A malicious image can provide a username to UID mapping at a high privileged level. This means that innocuous looking launches such as:
docker -u 1000 ...
actually result in the image processes running as root. This ambiguity also confuses OpenShift's UID-based controls.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This was fixed in https://github.com/opencontainers/runc/pull/708, which was included in runc 0.1.0+ (and thus at least Docker 1.11+).
Arches please stabilize:
=app-emulation/docker-1.11.0 ~amd64
=app-emulation/runc-0.1.0 ~amd64
=app-emulation/containerd-0.2.0 ~amd64
=dev-go/go-md2man-1.0.3 ~amd64
=dev-go/blackfriday-1.2_p20150720 ~amd64
=dev-go/sanitized-anchor-name-0_pre20151027 ~amd64
amd64 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
commit 62fb332f629ff9b965c80ce4df6a3f0d03c282eb
Author: Kacper Kowalik <xarthisius@gentoo.org>
Date: Wed Apr 27 10:19:29 2016 -0500
    app-emulation/docker: Drop vulnerable versions wrt bug 581236
    Package-Manager: portage-2.2.27
*** Bug 580650 has been marked as a duplicate of this bug. ***
CVE-2016-3697 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3697): libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container.
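The name-versus-UID ambiguity described in the original report and in the CVE text above, as an added Go example that is not part of this bug thread and is not runc's own code: a simplified model of resolving a `-u` value against an image-supplied passwd file, once with a name-first lookup and once treating numeric values strictly as UIDs. The function names and the sample passwd content are constructed for illustration.

```go
package main
import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: an image-supplied /etc/passwd mapping the name "1000" to UID 0.
const samplePasswd = `root:x:0:0:root:/root:/bin/sh
1000:x:0:0::/:/bin/sh
app:x:1000:1000::/home/app:/bin/sh`

// parsePasswd returns name -> UID (first entry wins), skipping malformed lines.
func parsePasswd(data string) map[string]int {
	users := map[string]int{}
	for _, line := range strings.Split(data, "\n") {
		f := strings.Split(line, ":")
		if _, seen := users[f[0]]; len(f) >= 3 && !seen {
			if uid, err := strconv.Atoi(f[2]); err == nil {
				users[f[0]] = uid
			}
		}
	}
	return users
}

// resolveAmbiguous is a hypothetical model of the flaw: names are matched before numeric UIDs.
func resolveAmbiguous(spec string, users map[string]int) (int, error) {
	if uid, ok := users[spec]; ok {
		return uid, nil
	}
	return strconv.Atoi(spec)
}

// resolveStrict treats an all-numeric spec as a UID and never as a user name.
func resolveStrict(spec string, users map[string]int) (int, error) {
	if uid, err := strconv.Atoi(spec); err == nil && uid >= 0 {
		return uid, nil
	}
	if uid, ok := users[spec]; ok {
		return uid, nil
	}
	return 0, fmt.Errorf("unknown user %q", spec)
}

func main() {
	u := parsePasswd(samplePasswd)
	fmt.Println(resolveAmbiguous("1000", u)) // passwd entry named "1000" decides the UID
	fmt.Println(resolveStrict("1000", u))    // numeric value is used as the UID directly
}
```

With the strict resolver, the UID a launch requests no longer depends on what the image's passwd file contains, which is the property UID-based admission controls rely on.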
@security: Should I fast stable 1.12.0?
(In reply to William Hubbs from comment #7)
> @security:
> Should I fast stable 1.12.0?
No, it's fixed in 1.11 which *is* stable.
This issue was resolved and addressed in GLSA 201612-28 at https://security.gentoo.org/glsa/201612-28 by GLSA coordinator Kristian Fiskerstrand (K_F).