Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 636562 (CVE-2017-16539) - <app-emulation/docker-17.12.1: Data loss vulnerability (CVE-2017-16539)
Summary: <app-emulation/docker-17.12.1: Data loss vulnerability (CVE-2017-16539)
Status: RESOLVED FIXED
Alias: CVE-2017-16539
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://github.com/moby/moby/pull/35399
Whiteboard: C4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-11-05 00:55 UTC by GLSAMaker/CVETool Bot
Modified: 2018-07-11 03:06 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2017-11-05 00:55:12 UTC
CVE-2017-16539 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16539):
  The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through
  17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to
  trigger data loss (when certain older Linux kernels are used) by leveraging
  Docker container access to write a "scsi remove-single-device" line to
  /proc/scsi/scsi, aka SCSI MICDROP.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-05 00:57:47 UTC
@Maintainers could you please confirm if we are affected? I see 17.06.2 also stable, maybe we just need to clean 17.03? 

Thank you
Comment 2 Tianon 2017-12-27 21:54:51 UTC
17.03 is unsupported upstream, so removing probably makes sense.  Same goes for 17.06, though.

This was fixed in 17.09 via https://github.com/docker/docker-ce/pull/291 (but the change doesn't appear to be in an actual 17.09 release yet, just the staging branch for the release).

The same goes for 17.11 via https://github.com/docker/docker-ce/pull/290 (but with the same caveat that it appears it never went out with an actual release).

So, the only official releases which actually contain this fix are the release candidates for 17.12, currently.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-08 21:29:55 UTC
17.12.1 contains the patch per the upstream commit on:

https://github.com/docker/docker-ce/pull/290

GLSA Vote: No

@maintainers, please clean the vulnerable version.