group.of.nepali.translators team mailing list archive
Message #14556
[Bug 1675288] Re: security fix to runc in docker-1.12.3 wasn't picked
This bug was fixed in the package runc - 1.0.0~rc2+docker1.12.6-0ubuntu1~16.04.1
---------------
runc (1.0.0~rc2+docker1.12.6-0ubuntu1~16.04.1) xenial; urgency=medium
* Backport to Xenial. (LP: #1675288)
-- Michael Hudson-Doyle <michael.hudson@xxxxxxxxxx> Tue, 28 Mar 2017 13:49:34 +1300
** Changed in: runc (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1675288
Title:
security fix to runc in docker-1.12.3 wasn't picked
Status in runc package in Ubuntu:
Fix Released
Status in runc source package in Xenial:
Fix Released
Status in runc source package in Yakkety:
Fix Committed
Bug description:
[Impact]
https://github.com/docker/docker/issues/27590#issuecomment-255241013
The steps are very clear and it's very easy to reproduce, so I don't repeat them here.
The CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8867
[Test case]
$ tmp=$(mktemp -d)
$ cd $tmp
$ cat > Dockerfile << EOF
FROM debian
RUN useradd example
RUN id
USER example
RUN id
RUN cat /etc/shadow
CMD /bin/bash
EOF
$ docker build --no-cache -t example .
The 'cat /etc/shadow' in the Dockerfile should fail.
[Regression potential]
We're fixing this by moving to the exact commit of runc the docker 1.12.6 release expects, so there shouldn't be any issues. In addition https://wiki.ubuntu.com/DockerUpdates applies.