Critical security vulnerabilities in docker < 1.3.3

Bug #1396572 reported by James Page
Affects               Status        Importance  Assigned to  Milestone
docker.io (Ubuntu)    Fix Released  High        James Page
  Trusty              Fix Released  High        Unassigned
  Utopic              Won't Fix     High        Unassigned
  Vivid               Fix Released  High        James Page

Bug Description

Today, we are releasing Docker 1.3.2 in order to address two critical
security issues. This release also includes several bugfixes, including
changes to the insecure-registry option. Below are CVE descriptions for the
vulnerabilities addressed in this release.

Docker 1.3.2 is available immediately for all supported platforms:
https://docs.docker.com/installation/

Docker Security Advisory [24 Nov 2014]
=================================================================

=====================================================
[CVE-2014-6407] Archive extraction allowing host privilege escalation
=====================================================
Severity: Critical
Affects: Docker up to 1.3.1

The Docker engine, up to and including version 1.3.1, was vulnerable to
extracting files to arbitrary paths on the host during ‘docker pull’ and
‘docker load’ operations. This was caused by symlink and hardlink
traversals present in Docker's image extraction. This vulnerability could
be leveraged to perform remote code execution and privilege escalation.

Docker 1.3.2 remedies this vulnerability. Additional checks have been added
to pkg/archive and image extraction is now performed in a chroot. No
remediation is available for older versions of Docker and users are advised
to upgrade.

Related vulnerabilities discovered by Florian Weimer of Red Hat Product
Security and independent researcher, Tõnis Tiigi.

=================================================================
[CVE-2014-6408] Security options applied to image could lead to container
escalation
=================================================================
Severity: Critical
Affects: Docker 1.3.0-1.3.1

Docker versions 1.3.0 through 1.3.1 allowed security options to be applied
to images, allowing images to modify the default run profile of containers
executing these images. This vulnerability could allow a malicious image
creator to loosen the restrictions applied to a container’s processes,
potentially facilitating a break-out.

Docker 1.3.2 remedies this vulnerability. Security options applied to
images are no longer consumed by the Docker engine and will be ignored.
Users are advised to upgrade.

=================================================================
Other changes:
=================================================================

Besides the above CVEs, the 1.3.2 release allows administrators to pass a
CIDR-formatted range of addresses for '--insecure-registry'. In addition,
allowing a cleartext registry to exist on localhost is now default
behavior. This change was made due to user feedback following the changes
made in 1.3.1 to resolve CVE-2014-5277.

---

Docker 1.3.3 has been released to address several vulnerabilities and is immediately available for all supported platforms: https://docs.docker.com/installation/

This release addresses vulnerabilities which could be exploited by a malicious Dockerfile, image, or registry to compromise a Docker host, modify images, or spoof official repository images. Note that today we also expect to see the release of Docker 1.4.0, also containing these fixes. While version 1.3.3 is a security-focused update, Docker 1.4.0 will include over 180 new commits, primarily bug fixes.

It is highly recommended that users upgrade to Docker Engine 1.3.3 or higher.

Please send any questions to <email address hidden>.

Docker Security Advisory [141211]
----------------------------------------------------------------------------------------------------------

=============================================================
[CVE-2014-9356] Path traversal during processing of absolute symlinks
=============================================================

Path traversal attacks are possible in the processing of absolute symlinks. In checking symlinks for traversals, only relative links were considered. This allowed path traversals to exist where they should have otherwise been prevented. This was exploitable via both archive extraction and through volume mounts.

This vulnerability allowed malicious images or builds from malicious Dockerfiles to write files to the host system and escape containerization, leading to privilege escalation.

We are releasing Docker 1.3.3 to address this vulnerability. Users are highly encouraged to upgrade.

Discovered by Tõnis Tiigi.

===================================================================
[CVE-2014-9357] Escalation of privileges during decompression of LZMA (.xz) archives
===================================================================

It has been discovered that the introduction of chroot for archive extraction in Docker 1.3.2 had introduced a privilege escalation vulnerability. Malicious images or builds from malicious Dockerfiles could escalate privileges and execute arbitrary code as a privileged root user on the Docker host by providing a malicious ‘xz’ binary.

We are releasing Docker 1.3.3 to address this vulnerability. Only Docker 1.3.2 is vulnerable. Users are highly encouraged to upgrade.

Discovered by Tõnis Tiigi.

=========================================================================
[CVE-2014-9358] Path traversal and spoofing opportunities presented through image identifiers
=========================================================================

It has been discovered that Docker does not sufficiently validate Image IDs as provided either via 'docker load' or through registry communications. This allows for path traversal attacks, causing graph corruption and manipulation by malicious images, as well as repository spoofing attacks.

We are releasing Docker 1.3.3 to address this vulnerability. Users are highly encouraged to upgrade.

Discovered by Eric Windisch of Docker, Inc.
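To make the advisory's relative-versus-absolute distinction concrete, here is an added example (my own illustration, not code from the Docker project): a scope-aware path resolver in the spirit of the chroot-style extraction the 1.3.2 advisory mentions. It re-roots absolute symlink targets at the extraction root instead of the host's "/", which is the case CVE-2014-9356 says a relative-only check missed, and it refuses any ".." that climbs above the root. The Layer map (an in-memory stand-in for links already written to disk), the root path and the 40-hop loop bound are constructed assumptions.

```go
package main

import (
	"errors"
	"path"
	"strings"
)

// ErrEscape: resolution would leave the root; ErrLoop: too many link hops.
var ErrEscape, ErrLoop = errors.New("path escapes extraction root"), errors.New("too many symlinks")

// Layer: constructed stand-in for symlinks already extracted from a layer (name relative to root -> tar target).
type Layer map[string]string

// ResolveInScope returns the host path a write to p would touch once symlinks are followed.
// Absolute targets are re-rooted at root (the chroot view); ".." above root is rejected.
func (l Layer) ResolveInScope(root, p string) (string, error) {
	rel, hops := "", 0 // rel: resolved path inside root so far
	parts := strings.Split(path.Clean(p), "/")
	for len(parts) > 0 {
		c := parts[0]
		parts = parts[1:]
		if c == "" || c == "." {
			continue
		}
		if c == ".." {
			if rel == "" {
				return "", ErrEscape // would climb above root
			}
			if rel = path.Dir(rel); rel == "." {
				rel = ""
			}
			continue
		}
		target, isLink := l[path.Join(rel, c)]
		if !isLink {
			rel = path.Join(rel, c)
			continue
		}
		if hops++; hops > 40 { // assumed bound on symlink chains and loops
			return "", ErrLoop
		}
		if path.IsAbs(target) {
			rel = "" // absolute target: restart at root, never at the host "/"
		}
		parts = append(strings.Split(path.Clean(target), "/"), parts...)
	}
	return path.Join(path.Clean(root), rel), nil
}
```

The relative-only check the advisory describes would have accepted "lib -> /usr/lib" because it contains no "..", yet a later entry written through "lib/" would land on the host's /usr/lib; the resolver above keeps it under root, and "etc -> /etc" becomes a loop in the re-rooted view rather than a host write.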

James Page (james-page)
information type: Public → Public Security
Changed in docker.io (Ubuntu):
importance: Undecided → High
Changed in docker.io (Ubuntu Vivid):
status: New → Fix Committed
Changed in docker.io (Ubuntu Utopic):
importance: Undecided → High
Changed in docker.io (Ubuntu Trusty):
importance: Undecided → High
Revision history for this message
James Page (james-page) wrote :

1.3.2 packages for 14.04 and 14.10 will end up here first:

   https://launchpad.net/~james-page/+archive/ubuntu/docker

This security bug needs discussion in the context of the email to the TB last month with regards to backporting of newer docker releases to the LTS release.

James Page (james-page)
Changed in docker.io (Ubuntu Vivid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in docker.io (Ubuntu Trusty):
status: New → Confirmed
Changed in docker.io (Ubuntu Utopic):
status: New → Confirmed
James Page (james-page)
summary: - Critical security vulnerabilities in docker < 1.3.2
+ Critical security vulnerabilities in docker < 1.3.3
description: updated
James Page (james-page)
Changed in docker.io (Ubuntu Vivid):
status: Fix Released → Confirmed
James Page (james-page) wrote :

docker 1.3.3 was uploaded to Debian unstable ~4 hrs ago - as soon as launchpad notices, I'll merge into vivid.

James Page (james-page)
Changed in docker.io (Ubuntu Vivid):
assignee: nobody → James Page (james-page)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package docker.io - 1.3.3~dfsg1-1ubuntu1

---------------
docker.io (1.3.3~dfsg1-1ubuntu1) vivid; urgency=medium

  * Merge from Debian unstable (LP: #1396572), remaining changes:
    - d/p/sync-apparmor-with-lxc.patch: Update AppArmor policy to be
      in sync with LXC.

docker.io (1.3.3~dfsg1-1) unstable; urgency=medium

  [ Tianon Gravi ]
  * Update to 1.3.3 upstream release (Closes: #772909)
    - Fix for CVE-2014-9356 (Path traversal during processing of absolute
      symlinks)
    - Fix for CVE-2014-9357 (Escalation of privileges during decompression of
      LZMA (.xz) archives)
    - Fix for CVE-2014-9358 (Path traversal and spoofing opportunities presented
      through image identifiers)
  * Fix bashism in nuke-graph-directory.sh (Closes: #772261)

  [ Didier Roche ]
  * Support starting systemd service without /etc/default/docker
    (Closes: #770293)
 -- James Page <email address hidden> Fri, 19 Dec 2014 14:32:31 +0000

Changed in docker.io (Ubuntu Vivid):
status: In Progress → Fix Released
James Page (james-page) wrote :

Security updates blocked by bug 1404300

James Page (james-page) wrote :

Revised packages including the fix for bug 1404300 are in:

 https://launchpad.net/~james-page/+archive/ubuntu/docker

I've requested the security team review.

Tyler Hicks (tyhicks) wrote :

Hi James - I took a quick look at the proposed updates to docker.io in 14.04 and 14.10. What you're proposing would update docker from version 1.0.1 on 14.04, and version 1.2.0 on 14.10, to version 1.3.3. That's not how we typically do security updates in our stable releases. We backport the specific patches that fix security issues.

A Micro Release Exception (MRE) is required for what you're proposing. I read the Tech Board thread and don't see where one was granted for docker.

Can you please backport only the security fixes to the packages in 14.04 and 14.10 and then re-ping the Security Team for sponsoring the updated packages into the security pocket? Thanks!

Dustin Kirkland (kirkland) wrote : Re: [Bug 1396572] Re: Critical security vulnerabilities in docker < 1.3.3

Hey Tyler,

We do have a standing exception to update Docker's major versions in 14.04.

:-Dustin


James Page (james-page) wrote :

On 23/01/15 02:18, Dustin Kirkland  wrote:
> We do have a standing exception to update Docker's major versions
> in 14.04.

Not yet we don't - please see the discussion on the technical-board ML.

--
James Page
Ubuntu and Debian Developer
<email address hidden>
<email address hidden>

Dustin Kirkland (kirkland) wrote :

Doh. Sorry. I misspoke.

Steve Beattie (sbeattie) wrote :

At this time, there's no action for the Ubuntu Security Sponsors team to take, so I'm unsubscribing that team from this bug. When the Technical Board grants the MRE for docker, please resubscribe the team, and we'll take action on it then.

Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package docker.io - 1.6.2~dfsg1-1ubuntu4~14.04.1

---------------
docker.io (1.6.2~dfsg1-1ubuntu4~14.04.1) trusty; urgency=medium

  * Backport to Ubuntu 14.04 (LP: #1454719).
  * Disabled
    - d/p/lxc.autodev-support.patch to minimise regression risk as
      it is not relevant for the version of LXC on Trusty (1.0.3-0ubuntu3).
    - d/p/update-go.net-golang.org.patch: there has been a url
      canonical name change upstream, but keeping this patch on involves
      backporting golang to 1.4 which is undesirable for this backport
      (golang-go.net-dev needs golang-x-text, which does not build
      successfully without a 1.4 backport).
    - Wily related fixes:
      + d/p/golang-1.5-wily.patch to fix FTBFS with golang-1.5 build on wily
      + d/p/ppc64el-wily.patch to fix ppc64le FTBFS on wily (LP: #1488668)
      + d/p/libcontainer_arm64_syscall_dup2_to_dup3-c_changes.patch (LP: #1488669)
      + d/p/libcontainer_arm64_syscall_dup2_to_dup3-golang_changes.patch (LP: #1488669)
      + d/rules to build with golang-go on arm64 (LP: #1488669)
      + d/control to build with golang-go on arm64 (LP: #1488669)
  * Reverted:
    d/rules: http://anonscm.debian.org/cgit/docker/docker.io.git/diff/?id=b1458f5
    commit to preserve docker.io symlink.

 -- Pierre-André MOREY <email address hidden> Tue, 22 Sep 2015 13:47:53 +0200

Changed in docker.io (Ubuntu Trusty):
status: Confirmed → Fix Released
Rolf Leggewie (r0lf) wrote :

utopic has seen the end of its life and is no longer receiving any updates. Marking the utopic task for this ticket as "Won't Fix".

Changed in docker.io (Ubuntu Utopic):
status: Confirmed → Won't Fix