Bug 768612 (CVE-2021-21284, CVE-2021-21285) - <app-emulation/docker-{19.03.15, 20.10.3}: multiple vulnerabilities (CVE-2021-{21284,21285})
Status: RESOLVED FIXED
Alias: CVE-2021-21284, CVE-2021-21285
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [glsa+ cve]
Reported: 2021-02-04 03:03 UTC by John Helmert III
Modified: 2021-07-10 02:51 UTC (History)
Description John Helmert III gentoo-dev Security 2021-02-04 03:03:47 UTC
CVE-2021-21284 (https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc):

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

CVE-2021-21285 (https://github.com/moby/moby/security/advisories/GHSA-6fj5-m822-rqx8):

In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.


Please bump to 19.03.15 and 20.10.3.
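As an added example, not part of the bug report or of the Gentoo or Docker projects' own tooling, the following Python script turns the two advisories above into a local check a defender can run on a host: it decides whether a given dockerd version predates the fixed releases (19.03.15 and 20.10.3), and whether `userns-remap` is set in `daemon.json`, since CVE-2021-21284 only concerns daemons using that option. The version string would normally come from `docker version --format '{{.Server.Version}}'`; the sample inputs in the `__main__` block are constructed, and the function and key names are this example's own.

```python
"""Check a Docker daemon version against the fixed releases named in
CVE-2021-21284 / CVE-2021-21285 (19.03.15 and 20.10.3), and whether
userns-remap is configured (the setting CVE-2021-21284 concerns)."""
import json
import re
from typing import Optional, Tuple

# First fixed release on each branch, as stated in the advisories.
FIXED_19_03 = (19, 3, 15)
FIXED_20_10 = (20, 10, 3)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the numeric x.y.z prefix of a Docker version string.

    Suffixes such as '-ce', '-rc1' or '+azure' are ignored; None is
    returned when the string does not start with x.y.z."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_unpatched(version: str) -> bool:
    """True if the version is older than the first fixed release on its branch.

    The advisories say 'before versions 19.03.15, 20.10.3': every 20.10.x
    below 20.10.3 is affected, and everything below 19.03.15 is affected."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Docker version: {version!r}")
    if v >= FIXED_20_10:
        return False
    if v >= (20, 10, 0):          # 20.10.0 .. 20.10.2
        return True
    return v < FIXED_19_03        # pre-20.10 line: fixed from 19.03.15 on


def userns_remap_enabled(daemon_json: str) -> bool:
    """True if daemon.json sets a non-empty userns-remap value.

    Assumption used here: an empty string means the option is off, which is
    how dockerd treats an unset --userns-remap."""
    cfg = json.loads(daemon_json)
    return str(cfg.get("userns-remap", "")).strip() != ""


def assess(version: str, daemon_json: str = "{}") -> dict:
    """Summarise exposure to the two CVEs for one host."""
    unpatched = is_unpatched(version)
    remap = userns_remap_enabled(daemon_json)
    return {
        "version": version,
        "unpatched": unpatched,
        # Malformed-manifest crash: any unpatched daemon that pulls images.
        "cve_2021_21285_exposed": unpatched,
        # Remapped-root escalation: needs an unpatched daemon *and* userns-remap.
        "cve_2021_21284_exposed": unpatched and remap,
        "userns_remap": remap,
    }


if __name__ == "__main__":
    # Constructed sample inputs; on a real host feed in the output of
    #   docker version --format '{{.Server.Version}}'
    # and the contents of /etc/docker/daemon.json instead.
    sample_cfg = '{"userns-remap": "default", "log-driver": "json-file"}'
    for v in ("19.03.14", "19.03.15", "20.10.2", "20.10.3", "20.10.3-ce"):
        print(assess(v, sample_cfg))
```

The branch logic matters more than it looks: a naive "is it below 20.10.3" test would flag 19.03.15 as vulnerable, while a naive "is it below 19.03.15" test would miss 20.10.0 through 20.10.2. Exposure to CVE-2021-21284 is reported separately because a daemon that never enables `userns-remap` has no remapped root to escalate from, although the binary should still be updated for CVE-2021-21285.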
Comment 1 Larry the Git Cow gentoo-dev 2021-02-04 15:06:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a61c65ac049a905f70fdd3771946816c4d265b36

commit a61c65ac049a905f70fdd3771946816c4d265b36
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-02-04 15:05:56 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-02-04 15:05:56 +0000

    app-emulation/docker: 20.10.3 bump
    
    Bug: https://bugs.gentoo.org/768612
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker/Manifest              |   1 +
 app-emulation/docker/docker-20.10.3.ebuild | 293 +++++++++++++++++++++++++++++
 2 files changed, 294 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cdfb741d34233f5d2e57fe2f8cdd4946b0a3c8c5

commit cdfb741d34233f5d2e57fe2f8cdd4946b0a3c8c5
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-02-04 15:05:55 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-02-04 15:05:55 +0000

    app-emulation/docker: 19.03.15 bump
    
    Bug: https://bugs.gentoo.org/768612
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker/Manifest               |   1 +
 app-emulation/docker/docker-19.03.15.ebuild | 333 ++++++++++++++++++++++++++++
 2 files changed, 334 insertions(+)
Comment 2 John Helmert III gentoo-dev Security 2021-02-04 15:13:02 UTC
Thank you! Please stable 19.03.15 when ready.
Comment 3 Larry the Git Cow gentoo-dev 2021-02-04 19:15:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=81ba14bce19876c223817064e2607b1da480f0f5

commit 81ba14bce19876c223817064e2607b1da480f0f5
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-02-04 19:13:59 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-02-04 19:14:11 +0000

    app-emulation/docker: stable 19.03.15 on amd64
    
    Bug: https://bugs.gentoo.org/768612
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker/docker-19.03.15.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 4 Georgy Yakovlev gentoo-dev 2021-02-05 19:37:28 UTC
arm64 and ppc64 done.

leaving old versions in the tree for about a week in case of regressions.
Comment 5 Larry the Git Cow gentoo-dev 2021-02-15 01:16:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c0abb54b8099aaa2b026fe74ceccccb1564b532

commit 8c0abb54b8099aaa2b026fe74ceccccb1564b532
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-02-15 01:11:48 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-02-15 01:15:00 +0000

    app-emulation/docker: remove vulnerable versions
    
    Bug: https://bugs.gentoo.org/768612
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-emulation/docker/Manifest                  |   3 -
 app-emulation/docker/docker-19.03.13-r2.ebuild | 333 -------------------------
 app-emulation/docker/docker-19.03.14.ebuild    | 333 -------------------------
 app-emulation/docker/docker-20.10.2.ebuild     | 293 ----------------------
 4 files changed, 962 deletions(-)
Comment 6 John Helmert III gentoo-dev Security 2021-02-15 01:35:34 UTC
Thank you!
Comment 7 Georgy Yakovlev gentoo-dev 2021-06-14 00:37:06 UTC
cleanup done
Comment 8 John Helmert III gentoo-dev Security 2021-07-10 00:25:29 UTC
GLSA request filed.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2021-07-10 02:51:07 UTC
This issue was resolved and addressed in
 GLSA 202107-23 at https://security.gentoo.org/glsa/202107-23
by GLSA coordinator John Helmert III (ajak).