Bug 598364 (CVE-2016-8867) - <app-emulation/docker-1.12.3: Possible container privilege escalation
Summary: <app-emulation/docker-1.12.3: Possible container privilege escalation
Status: RESOLVED FIXED
Alias: CVE-2016-8867
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [noglsa cve]
Keywords:
Depends on:
Blocks:
Reported: 2016-10-28 15:48 UTC by Manuel Rüger (RETIRED)
Modified: 2017-10-15 20:33 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Description Manuel Rüger (RETIRED) gentoo-dev 2016-10-28 15:48:52 UTC
See https://github.com/docker/docker/issues/27590

Seems to be fixed in 1.12.3. Changelog is here: https://github.com/docker/docker/releases/tag/v1.12.3
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-11-01 22:21:25 UTC
Only affects 1.12.2 which is not stable
Comment 2 Euan Kemp 2017-02-23 04:57:29 UTC
This should be reopened; it was not properly fixed.

On the current gentoo release, with "app-emulation/runc-1.0.0_rc2-r2::gentoo", I can repro it with the following:

$ docker run --user 1000:1000 fedora sh -c 'capsh --print; echo; ls /root'
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=1000(???)
gid=1000(???)
groups=

anaconda-ks.cfg
original-ks.cfg


This is CVE-2016-8867. This can be seen by the fact that uid 1000 can read /root and that capsh shows I have effective cap_fowner.



This will be fixed by applying the patch I've posted at https://github.com/gentoo/gentoo/pull/4058

After updating runc to the "-r3" included in that PR, the above command gives the following:

$ docker run --user 1000:1000 fedora sh -c 'capsh --print; echo; ls /root'
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=1000(???)
gid=1000(???)
groups=

ls: cannot open directory '/root': Permission denied


Note the lack of "+eip" for capabilities and that filesystem permissions now work.
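
The same before/after state that capsh reports above can be audited directly from a process's /proc/<pid>/status capability lines. The script below is an added example, not code from this bug, runc or Docker; it decodes the Cap* bitmasks into capability names and flags a non-root process that still holds permitted or effective capabilities. The status excerpts are constructed; the 0xa80425fb mask is Docker's default capability set (the 14 names listed in the output above).

```python
import re

# Linux capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
]

# Constructed /proc/<pid>/status excerpts. 0xa80425fb is Docker's default
# capability set; STATUS_BAD mirrors the report's "+eip" state for uid 1000,
# STATUS_GOOD the "+i" (inheritable only) state after the runc fix.
STATUS_BAD = ("Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
              "CapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n"
              "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n")
STATUS_GOOD = STATUS_BAD.replace("CapPrm:\t00000000a80425fb", "CapPrm:\t0000000000000000") \
                        .replace("CapEff:\t00000000a80425fb", "CapEff:\t0000000000000000")

def decode_caps(mask):
    """Expand a capability bitmask into the names capsh --print would show."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def parse_status(text):
    """Pull the real uid and the four capability sets out of a status file."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Uid|CapInh|CapPrm|CapEff|CapBnd):\s+(\S+)", line)
        if m:
            key, val = m.groups()
            fields[key] = int(val) if key == "Uid" else int(val, 16)
    return fields

def audit(text):
    """Return findings for a non-root process that still holds capabilities.

    A process running as uid != 0 should have empty permitted and effective
    sets; inheritable and bounding caps alone grant nothing by themselves.
    """
    f = parse_status(text)
    if f.get("Uid", 0) == 0:
        return []
    return ["uid %d has %s: %s" % (f["Uid"], s, ",".join(decode_caps(f[s])))
            for s in ("CapPrm", "CapEff") if f.get(s)]
```

To check a live container, feed it `open("/proc/1/status").read()` from inside the container (or /proc/<pid>/status from the host) instead of the constructed samples.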
Comment 3 Manuel Rüger (RETIRED) gentoo-dev 2017-02-23 15:04:00 UTC
I added a snapshot named runc-1.0.0_rc2_p20170222 which picks up latest changes from master. This should be good to go until upstream decides to release rc3.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2017-10-15 20:33:38 UTC
Please open a request with a new bug detailing the runc issue.