Debian Bug report logs -
#1019601
docker.io: CVE-2022-36109
Reported by: Moritz Mühlenhoff <jmm@inutil.org>
Date: Mon, 12 Sep 2022 20:39:17 UTC
Severity: important
Tags: security, upstream
Found in version docker.io/20.10.17+dfsg1-1
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
:
Bug#1019601
; Package src:docker.io
.
(Mon, 12 Sep 2022 20:39:20 GMT) (full text, mbox, link).
Acknowledgement sent
to Moritz Mühlenhoff <jmm@inutil.org>
:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
.
(Mon, 12 Sep 2022 20:39:20 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: docker.io
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for docker.io.
CVE-2022-36109[0]:
| Moby is an open-source project created by Docker to enable software
| containerization. A bug was found in Moby (Docker Engine) where
| supplementary groups are not set up properly. If an attacker has
| direct access to a container and manipulates their supplementary group
| access, they may be able to use supplementary group access to bypass
| primary group restrictions in some cases, potentially gaining access
| to sensitive information or gaining the ability to execute code in
| that container. This bug is fixed in Moby (Docker Engine) 20.10.18.
| Running containers should be stopped and restarted for the permissions
| to be fixed. For users unable to upgrade, this problem can be worked
| around by not using the `"USER $USERNAME"` Dockerfile instruction.
| Instead by calling `ENTRYPOINT ["su", "-", "user"]` the supplementary
| groups will be set up properly.
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh4q-q6c4
https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-36109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36109
Please adjust the affected versions in the BTS as needed.
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Tue, 13 Sep 2022 04:24:08 GMT) (full text, mbox, link).
Marked as found in versions docker.io/20.10.17+dfsg1-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Tue, 13 Sep 2022 04:24:08 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Tue Sep 13 13:20:37 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.