group.of.nepali.translators team mailing list archive
Message #14559
[Bug 1675288] Re: security fix to runc in docker-1.12.3 wasn't picked
** Changed in: runc (Ubuntu Yakkety)
Status: Fix Committed => Won't Fix
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1675288
Title:
security fix to runc in docker-1.12.3 wasn't picked
Status in runc package in Ubuntu:
Fix Released
Status in runc source package in Xenial:
Fix Released
Status in runc source package in Yakkety:
Won't Fix
Bug description:
[Impact]
https://github.com/docker/docker/issues/27590#issuecomment-255241013
The steps are very clear and it's very easy to reproduce, so I don't repeat
them here.
The CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8867
[Test case]
$ tmp=$(mktemp -d)
$ cd $tmp
$ cat > Dockerfile << EOF
FROM debian
RUN useradd example
RUN id
USER example
RUN id
RUN cat /etc/shadow
CMD /bin/bash
EOF
$ docker build --no-cache -t example .
The 'cat /etc/shadow' in the Dockerfile should fail.
[Regression potential]
We're fixing this by moving to the exact commit of runc the docker 1.12.6 release expects, so there shouldn't be any issues. In addition https://wiki.ubuntu.com/DockerUpdates applies.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/runc/+bug/1675288/+subscriptions
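The test case above only demonstrates the fix when the build fails at the 'cat /etc/shadow' step itself, after the switch to the unprivileged user. The following is an added example, not part of the bug report or of any Ubuntu or Docker code: a shell helper that classifies a build log and exit status accordingly. The "Step N :" log format, the function names and the sample log are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: decide what a `docker build` log of the test case proves.
# Assumes the classic builder's "Step N : ..." log lines (constructed sample below).

# classify_build_log LOG EXIT_STATUS -> prints FIXED, VULNERABLE or INCONCLUSIVE
classify_build_log() {
    log=$1 rc=$2
    # Only output produced after the privilege drop is evidence either way.
    after_user=$(printf '%s\n' "$log" | sed -n '/^Step [0-9][^:]*: USER example/,$p')
    # The second `id` must show a non-root uid, or the drop was never exercised.
    if ! printf '%s\n' "$after_user" | grep -q '^uid=[1-9]'; then
        echo INCONCLUSIVE; return 0
    fi
    if [ "$rc" -eq 0 ]; then
        echo VULNERABLE; return 0      # every RUN passed, so /etc/shadow was readable
    fi
    # A failed build only counts if the shadow read itself was refused.
    if printf '%s\n' "$after_user" | grep -q 'cat: /etc/shadow: Permission denied'; then
        echo FIXED; return 0
    fi
    echo INCONCLUSIVE                  # failed for an unrelated reason (pull, useradd, ...)
}

# Runs the bug's test case against the local daemon (needs docker; not run by default).
live_check() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'FROM debian' 'RUN useradd example' 'RUN id' 'USER example' \
        'RUN id' 'RUN cat /etc/shadow' 'CMD /bin/bash' > "$dir/Dockerfile"
    out=$(docker build --no-cache -t example "$dir" 2>&1) && rc=0 || rc=$?
    rm -rf "$dir"
    classify_build_log "$out" "$rc"
}

# Constructed sample of a build on a fixed runc, not captured from a real system.
SAMPLE_FIXED='Step 1 : FROM debian
Step 2 : RUN useradd example
Step 3 : RUN id
uid=0(root) gid=0(root) groups=0(root)
Step 4 : USER example
Step 5 : RUN id
uid=1000(example) gid=1000(example) groups=1000(example)
Step 6 : RUN cat /etc/shadow
cat: /etc/shadow: Permission denied'

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it with --live on a host with docker installed to build the test case and print the verdict; without arguments it only defines the functions.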