docker.io: CVE-2017-16539: The DefaultLinuxSpec function does not block /proc/scsi pathnames


Debian Bug report logs - #900140


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 26 May 2018 18:33:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version docker.io/1.13.1~ds2-3

Fixed in version docker.io/1.13.1~ds3-1

Done: Dmitry Smirnov <onlyjob@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/moby/moby/pull/35399




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Tim Potter <tpot@hpe.com>:
Bug#900140; Package src:docker.io. (Sat, 26 May 2018 18:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Tim Potter <tpot@hpe.com>. (Sat, 26 May 2018 18:33:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: docker.io: CVE-2017-16539: The DefaultLinuxSpec function does not block /proc/scsi pathnames
Date: Sat, 26 May 2018 20:28:57 +0200
Source: docker.io
Version: 1.13.1~ds2-3
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/moby/moby/pull/35399

Hi,

The following vulnerability was published for docker.io.

CVE-2017-16539[0]:
| The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through
| 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers
| to trigger data loss (when certain older Linux kernels are used) by
| leveraging Docker container access to write a "scsi
| remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

There is an upstream issue in [1] and the fix changes slightly for us
for the version in unstable. Red Hat has fixed the issue for their
docker-1.12.1 and docker-1.13.1, cf. [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-16539
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16539
[1] https://github.com/moby/moby/pull/35399
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1516205
[3] https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1

Regards,
Salvatore
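The CVE text above says the weakness is a missing entry in the list of /proc paths that Docker's default OCI spec hides from containers. A defender can verify a runtime's generated bundle directly, since the OCI runtime-spec config.json carries that list in the real `linux.maskedPaths` field. The following Go program is an added example written for this report, not code from Docker, Moby or the Debian package: it parses a config.json fragment, checks it against a required set of masks that includes /proc/scsi, and reports what is missing. The two embedded config fragments are constructed, modelled on the pre-fix and post-fix default lists, and the `requiredMasks` set is an illustrative choice, not Docker's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ociConfig models only the part of an OCI runtime config.json we audit:
// the "linux.maskedPaths" list (a real runtime-spec field name).
type ociConfig struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// requiredMasks is an illustrative set of kernel interfaces a hardened
// default profile must hide from containers. "/proc/scsi" is the entry the
// CVE-2017-16539 fix adds; the other two are assumed picks for this example.
var requiredMasks = []string{"/proc/kcore", "/proc/scsi", "/sys/firmware"}

// vulnerableConfigJSON is a constructed config.json fragment modelled on the
// pre-fix defaults: /proc/scsi is absent from maskedPaths.
const vulnerableConfigJSON = `{
  "ociVersion": "1.0.0",
  "linux": {
    "maskedPaths": ["/proc/kcore", "/proc/latency_stats", "/proc/timer_list",
                    "/proc/timer_stats", "/proc/sched_debug", "/sys/firmware"]
  }
}`

// fixedConfigJSON is the same constructed fragment with /proc/scsi masked,
// as a bundle generated after the upstream fix would carry it.
const fixedConfigJSON = `{
  "ociVersion": "1.0.0",
  "linux": {
    "maskedPaths": ["/proc/kcore", "/proc/latency_stats", "/proc/timer_list",
                    "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi",
                    "/sys/firmware"]
  }
}`

// auditMaskedPaths parses a config.json and returns the required masks it
// lacks, sorted; an empty slice means every required path is masked.
func auditMaskedPaths(raw []byte) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	have := make(map[string]bool, len(cfg.Linux.MaskedPaths))
	for _, p := range cfg.Linux.MaskedPaths {
		have[p] = true
	}
	missing := []string{}
	for _, p := range requiredMasks {
		if !have[p] {
			missing = append(missing, p)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

func main() {
	samples := map[string]string{
		"vulnerable": vulnerableConfigJSON,
		"fixed":      fixedConfigJSON,
	}
	for _, name := range []string{"vulnerable", "fixed"} {
		missing, err := auditMaskedPaths([]byte(samples[name]))
		if err != nil {
			fmt.Printf("%s: %v\n", name, err)
			continue
		}
		if len(missing) == 0 {
			fmt.Printf("%s: all required paths masked\n", name)
		} else {
			fmt.Printf("%s: missing masks %v\n", name, missing)
		}
	}
}
```

To check a real bundle, read its config.json (for example one produced by `runc spec`) into `auditMaskedPaths` instead of the embedded fragments; a non-empty result on a host running a kernel that honours writes to /proc/scsi/scsi is the condition the CVE describes. The check is deliberately strict on exact path strings, since a mask on a parent directory is not how the default profile expresses these entries.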



Changed Bug title to 'docker.io: CVE-2017-16539: The DefaultLinuxSpec function does not block /proc/scsi pathnames' from 'docker.io: CVE-2017-16539: he DefaultLinuxSpec function does not block /proc/scsi pathnames'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 26 May 2018 18:39:03 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 31 May 2018 17:43:09 GMT) (full text, mbox, link).


Reply sent to Dmitry Smirnov <onlyjob@debian.org>:
You have taken responsibility. (Sat, 09 Jun 2018 05:39:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 09 Jun 2018 05:39:06 GMT) (full text, mbox, link).


Message #14 received at 900140-close@bugs.debian.org (full text, mbox, reply):

From: Dmitry Smirnov <onlyjob@debian.org>
To: 900140-close@bugs.debian.org
Subject: Bug#900140: fixed in docker.io 1.13.1~ds3-1
Date: Sat, 09 Jun 2018 05:34:44 +0000
Source: docker.io
Source-Version: 1.13.1~ds3-1

We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 900140@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Smirnov <onlyjob@debian.org> (supplier of updated docker.io package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 09 Jun 2018 14:50:13 +1000
Source: docker.io
Binary: docker.io vim-syntax-docker golang-github-docker-docker-dev golang-docker-dev docker-doc
Architecture: source all amd64
Version: 1.13.1~ds3-1
Distribution: unstable
Urgency: medium
Maintainer: Tim Potter <tpot@hpe.com>
Changed-By: Dmitry Smirnov <onlyjob@debian.org>
Description:
 docker-doc - Linux container runtime -- documentation
 docker.io  - Linux container runtime
 golang-docker-dev - Transitional package for golang-github-docker-docker-dev
 golang-github-docker-docker-dev - Externally reusable Go packages included with Docker
 vim-syntax-docker - Docker container engine - Vim highlighting syntax files
Closes: 853258 900140
Changes:
 docker.io (1.13.1~ds3-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Tianon Gravi ]
   * Remove gccgo support.
     Removed upstream in commit eda90f63446253f97d2011926555306f2417d208
     (https://github.com/moby/moby/pull/25978)
   * Update upstream-version-gitcommits with more upstream versions
 .
   [ Dmitry Smirnov ]
   * New patch to fix CVE-2017-16539 (Closes: #900140).
   * New patch to remove 10 seconds delay on purge (Closes: #853258).
   * debhelper to version 11; compat to version 10.
   * copyright format URL to HTTPS; bump copyright years.
   * Standards-Version: 4.1.4.
   * Vcs URLs to Salsa.
   * Included "cliconfig" to -dev package (used by "gitlab-runner").
   * Included "reference" and "registry" into -dev package (used by "nomad").
   * Removed obsolete "golang-github-docker-engine-api-dev" from Build-Depends.
   * Use more private libraries to fix build and break circular dependencies:
     + github.com/docker/swarmkit
     + github.com/docker/libnetwork
     + github.com/docker/go-events
     + github.com/docker/go-metrics
   * Removed Upstart .conf file.
   * rules:
     + better clean, remove generated file(s).
     + fixed "sirupsen/logrus" imports.
     + DH_GOLANG_GO_GENERATE = 1
Checksums-Sha1:
 469f036431187e01825085b3364b3beed4d88980 6518 docker.io_1.13.1~ds3-1.dsc
 37e9a9e97615963c6a5bc5616b8df29b258c7502 3677546 docker.io_1.13.1~ds3.orig.tar.gz
 eaa705dcfa3e67ba2a9663ddacf7d1b546efb78a 40148 docker.io_1.13.1~ds3-1.debian.tar.xz
 e2cdfb12aa0731d39b3128df2ab4f8a0e29d3201 658020 docker-doc_1.13.1~ds3-1_all.deb
 e26be5cfdf03f8ee72e9aa914c74d878d752c7f5 642948 docker.io-dbgsym_1.13.1~ds3-1_amd64.deb
 2b41eff5a5cfa4e5e2c82cd533e6844c9b43ec53 23071 docker.io_1.13.1~ds3-1_amd64.buildinfo
 3587d20ff6495d388ad0b9323e3b30cc50ed807d 11142936 docker.io_1.13.1~ds3-1_amd64.deb
 52e123c30308867162afe440f2955bc07d740fa8 63280 golang-docker-dev_1.13.1~ds3-1_all.deb
 dc9eaca4d2a6f6d9aa2dd558190466979e4416a1 475868 golang-github-docker-docker-dev_1.13.1~ds3-1_all.deb
 119bf62aa9e2ff1c1df5c0f38eeea2bf2752b263 64492 vim-syntax-docker_1.13.1~ds3-1_all.deb
Checksums-Sha256:
 5cd63ed90edf6afd7feb87fa222027399040e61175a26e05b2081184ad5929b7 6518 docker.io_1.13.1~ds3-1.dsc
 29710879ec6a9caa7fd9952d38d4229f32d691832800d5493dc254691f812307 3677546 docker.io_1.13.1~ds3.orig.tar.gz
 687f878d2418e3418f6a497d908c653a4063ee29d1bf6d9ca70b184fac267d63 40148 docker.io_1.13.1~ds3-1.debian.tar.xz
 2a9fb0645c7e2189ffe95383266e782af6838bc99b6f3fbc88cf0fdfec2f5b4b 658020 docker-doc_1.13.1~ds3-1_all.deb
 9053061800c44c4f9e6abe2c9f116fdcacee533c54f4fa17dd808f7062ebb833 642948 docker.io-dbgsym_1.13.1~ds3-1_amd64.deb
 5f04e9b2fd203557b85715585fef153bea603d7524f591c9d00d03eb9caead3a 23071 docker.io_1.13.1~ds3-1_amd64.buildinfo
 16b4ee22d4c83a17a4964c9f0df1947ee53f023446fcd184a1c96876d3e89401 11142936 docker.io_1.13.1~ds3-1_amd64.deb
 11bae8234c7286a3b264b6b95f6c0e146befdb05138aa75c8713d56d3c57d674 63280 golang-docker-dev_1.13.1~ds3-1_all.deb
 ac67b71dfabf8d927e94d48c06321254fdec53897f469c0f4bcc4da6027346b6 475868 golang-github-docker-docker-dev_1.13.1~ds3-1_all.deb
 b99dba06e4fc8035302a49b1d8639c16b06a690782e461510cbdadcc7b2ed5d4 64492 vim-syntax-docker_1.13.1~ds3-1_all.deb
Files:
 fe053575cdaef20abb1103521d08f193 6518 admin optional docker.io_1.13.1~ds3-1.dsc
 05f21ca14f3f54b85ea3bf14b98f8224 3677546 admin optional docker.io_1.13.1~ds3.orig.tar.gz
 83021d7ffed168ce10e6024c2e8a3877 40148 admin optional docker.io_1.13.1~ds3-1.debian.tar.xz
 3a313863e3ea5db76d61895bd5f763f6 658020 doc optional docker-doc_1.13.1~ds3-1_all.deb
 67996c1487da4d27f55ebac9ef3e278c 642948 debug optional docker.io-dbgsym_1.13.1~ds3-1_amd64.deb
 94fdd24971316b1d27c28329de1d604b 23071 admin optional docker.io_1.13.1~ds3-1_amd64.buildinfo
 dae14e35c01afcbaa25982e41f91f9be 11142936 admin optional docker.io_1.13.1~ds3-1_amd64.deb
 e0a078adc998a33565c2e768fa9efbc7 63280 oldlibs optional golang-docker-dev_1.13.1~ds3-1_all.deb
 bc24ddac2ae376599fe0bec9c0946717 475868 admin optional golang-github-docker-docker-dev_1.13.1~ds3-1_all.deb
 2184b93e205a104bbe96528d45c04c6c 64492 admin optional vim-syntax-docker_1.13.1~ds3-1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 18 Jul 2018 07:28:32 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:33:25 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.