← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1675288] Re: security fix to runc in docker-1.12.3 wasn't picked

 

** Changed in: runc (Ubuntu Yakkety)
       Status: Fix Committed => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1675288

Title:
  security fix to runc in docker-1.12.3 wasn't picked

Status in runc package in Ubuntu:
  Fix Released
Status in runc source package in Xenial:
  Fix Released
Status in runc source package in Yakkety:
  Won't Fix

Bug description:
  [Impact]
  https://github.com/docker/docker/issues/27590#issuecomment-255241013

  The steps are very clear, it's very easy to recur, so I don't repeat
  here.

  The CVE link: https://cve.mitre.org/cgi-
  bin/cvename.cgi?name=CVE-2016-8867

  [Test case]
  $ tmp=$(mktemp -d)
  $ cd $tmp
  $ cat > Dockerfile << EOF
  FROM debian
  RUN useradd example
  RUN id
  USER example
  RUN id
  RUN cat /etc/shadow
  CMD /bin/bash
  EOF
  $ docker build --no-cache -t example .

  The 'cat /etc/shadow' in the Dockerfile should fail.

  [Regression potential]
  We're fixing this by moving to the exact commit of runc the docker 1.12.6 release expects, so there shouldn't be any issues. In addition https://wiki.ubuntu.com/DockerUpdates applies.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/runc/+bug/1675288/+subscriptions