Docker Inc. has discovered an issue whereby a malicious image could execute arbitrary code when being unpacked automatically after a "docker pull". From the Docker Inc report:
"It has been discovered that the introduction of chroot for archive extraction in Docker 1.3.2 had introduced a privilege escalation vulnerability. Malicious images or builds from malicious Dockerfiles could escalate privileges and execute arbitrary code as a
root user on the Docker host by providing a malicious ‘xz’ binary.
We are releasing Docker 1.3.3 to address this vulnerability. Only Docker 1.3.2 is vulnerable. Users are highly encouraged to upgrade."
A problem was reported by Docker Inc. whereby a malicious image could overwrite arbitrary portions of the host filesystem by including absolute symlinks. From the upstream report:
"Path traversal attacks are possible in the processing of absolute symlinks. In checking symlinks for traversals, only relative links were considered. This allowed path traversals to exist where they should have otherwise been prevented. This was exploitable via
both archive extraction and through volume mounts.
This vulnerability allowed malicious images or builds from malicious Dockerfiles to write files to the host system and escape containerization, leading to privilege escalation."
@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
+*docker-1.4.0 (12 Dec 2014)
+ 12 Dec 2014; Kacper Kowalik <firstname.lastname@example.org> +docker-1.4.0.ebuild,
+ Version bump, drop vulnerable versions wrt #532344
(In reply to Kacper Kowalik (Xarthisius) from comment #1)
> +*docker-1.4.0 (12 Dec 2014)
> + 12 Dec 2014; Kacper Kowalik <email@example.com> +docker-1.4.0.ebuild,
> + -docker-1.3.2.ebuild:
> + Version bump, drop vulnerable versions wrt #532344
Thanks! There are no stable versions affected, closed.
Docker before 1.3.3 does not properly validate image IDs, which allows
remote attackers to conduct path traversal attacks and spoof repositories
via a crafted image in a (1) "docker load" operation or (2) "registry
Docker 1.3.2 allows remote attackers to execute arbitrary code with root
privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA
(.xz) archive, related to the chroot for archive extraction.