docker.io: CVE-2017-14992

Debian Bug report logs - #908055

Reported by: Antoine Beaupre <anarcat@orangeseeds.org>

Date: Wed, 5 Sep 2018 14:36:05 UTC

Severity: grave

Tags: security, upstream

Fixed in version docker.io/17.12.1+dfsg-1

Done: Shengjing Zhu <zhsj@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#908055; Package docker.io. (Wed, 05 Sep 2018 14:36:07 GMT)


Acknowledgement sent to Antoine Beaupre <anarcat@orangeseeds.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Dmitry Smirnov <onlyjob@debian.org>. (Wed, 05 Sep 2018 14:36:07 GMT)


Message #5 received at submit@bugs.debian.org:

From: Antoine Beaupre <anarcat@orangeseeds.org>
To: submit@bugs.debian.org
Subject: docker.io: CVE-2017-14992
Date: Wed, 5 Sep 2018 10:34:50 -0400
Package: docker.io
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security
Control: clone -1 -2
Control: reassign -2 golang-github-vbatts-tar-split

Hi,

The following vulnerability was published for docker.io.

CVE-2017-14992[0]:
| Lack of content verification in Docker-CE (Also known as Moby)
| versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0,
| 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to
| cause a Denial of Service via a crafted image layer payload, aka gzip
| bombing.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-14992
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14992

Please adjust the affected versions in the BTS as needed.

Bug 908055 cloned as bug 908056. Request was from Antoine Beaupre <anarcat@orangeseeds.org> to submit@bugs.debian.org. (Wed, 05 Sep 2018 14:36:07 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 05 Sep 2018 14:57:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#908055; Package docker.io. (Wed, 05 Sep 2018 15:27:02 GMT)


Acknowledgement sent to Shengjing Zhu <zsj950618@gmail.com>:
Extra info received and forwarded to list. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Wed, 05 Sep 2018 15:27:02 GMT)


Message #14 received at 908055@bugs.debian.org:

From: Shengjing Zhu <zsj950618@gmail.com>
To: 908055@bugs.debian.org
Subject: Re: Bug#908055: docker.io: CVE-2017-14992
Date: Wed, 5 Sep 2018 23:22:02 +0800
Dear docker.io maintainer,

I'm not sure why the Built-Using field in docker.io doesn't contain
golang-github-vbatts-tar-split. Maybe dh-golang can't deal with the
docker.io repo. Not sure whose bug it is...

Since the version in unstable/testing was not uploaded source-only,
the buildd doesn't have a buildinfo for amd64. But I guess it was
built with golang-github-vbatts-tar-split 0.10.2-1 (which was
uploaded on 2017-11-30). Thus the docker.io version in
testing/unstable is not affected by this security issue.

-- 
Regards,
Shengjing Zhu



Marked as fixed in versions docker.io/17.12.1+dfsg-1. Request was from Dmitry Smirnov <onlyjob@debian.org> to control@bugs.debian.org. (Wed, 05 Sep 2018 21:51:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#908055; Package docker.io. (Thu, 06 Sep 2018 01:45:03 GMT)


Acknowledgement sent to Arnaud Rebillout <arnaud.rebillout@collabora.com>:
Extra info received and forwarded to list. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Thu, 06 Sep 2018 01:45:03 GMT)


Message #21 received at 908055@bugs.debian.org:

From: Arnaud Rebillout <arnaud.rebillout@collabora.com>
To: Shengjing Zhu <zsj950618@gmail.com>, 908055@bugs.debian.org
Subject: Re: Bug#908055: docker.io: CVE-2017-14992
Date: Thu, 6 Sep 2018 08:40:37 +0700
On 09/05/2018 10:22 PM, Shengjing Zhu wrote:
> Dear docker.io maintainer,
>
> I'm not sure why the Built-Using field in docker.io doesn't contain
> golang-github-vbatts-tar-split. Maybe dh-golang can't deal with the
> docker.io repo. Not sure whose bug it is...

Built-Using is supposed to reflect the build dependencies, isn't it?

A quick look at the docker.io package in experimental: there are around
130 build dependencies in debian/control, and only 33 packages in the
Built-Using field of the binary package... So there seems to be a
problem. A quick look at consul, another "big" package, also shows
surprising numbers: around 50 build dependencies, and only ... 33
packages again in Built-Using!




Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#908055; Package docker.io. (Thu, 06 Sep 2018 02:36:03 GMT)


Acknowledgement sent to Shengjing Zhu <zsj950618@gmail.com>:
Extra info received and forwarded to list. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Thu, 06 Sep 2018 02:36:03 GMT)


Message #26 received at 908055@bugs.debian.org:

From: Shengjing Zhu <zsj950618@gmail.com>
To: Arnaud Rebillout <arnaud.rebillout@collabora.com>
Cc: 908055@bugs.debian.org
Subject: Re: Bug#908055: docker.io: CVE-2017-14992
Date: Thu, 6 Sep 2018 10:32:37 +0800
On Thu, Sep 6, 2018 at 9:40 AM Arnaud Rebillout
<arnaud.rebillout@collabora.com> wrote:
>
>
> On 09/05/2018 10:22 PM, Shengjing Zhu wrote:
> > Dear docker.io maintainer,
> >
> > I'm not sure why the Built-Using field in docker.io doesn't contain
> > golang-github-vbatts-tar-split. Maybe dh-golang can't deal with the
> > docker.io repo. Not sure whose bug it is...
>
> Built-Using is supposed to reflect the build dependencies, isn't it?
>

Yes, not only packages listed in Build-Depends, but also the indirect depends.

The implementation detail in dh-golang is: it runs `go list {{ .Dep }}`
to get all the dependencies.
https://sources.debian.org/src/dh-golang/1.35/script/dh_golang/#L73

I guess the manual manipulation of DH_GOPKG in d/rules confuses dh-golang.


-- 
Regards,
Shengjing Zhu
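The two messages above turn on one question: does the docker.io binary's Built-Using field record a golang-github-vbatts-tar-split version at or above the fixed upload, and what does it mean when the entry is absent? As an added example (not code from this bug log, from dh-golang or from dpkg), the script below parses a Built-Using value such as the one `dpkg-query -W -f '${Built-Using}' docker.io` prints, compares the recorded version against 0.10.2-1 using a compact reimplementation of Debian Policy's version ordering, and reports a missing entry as "missing" rather than as safe, which is exactly the state the thread describes. The sample field value is constructed.

```python
import itertools
import re

FIXED_TAR_SPLIT = "0.10.2-1"  # upload the bug log names as the fixed tar-split
# Constructed sample Built-Using value; NOT the real docker.io field.
SAMPLE_BUILT_USING = ("golang-1.10 (= 1.10.3-1), "
                      "golang-github-vbatts-tar-split (= 0.10.1-1)")

def parse_built_using(field):
    """Map source package -> version from a Built-Using field value."""
    deps = {}
    for entry in field.split(","):
        m = re.match(r"\s*([^\s(]+)\s*\(\s*=\s*([^)]+?)\s*\)\s*$", entry)
        if m:
            deps[m.group(1)] = m.group(2)
    return deps

def _order(c):
    # Debian Policy 5.6.12: '~' < end of string < letters < other characters.
    return 0 if c is None else -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    """Compare upstream or revision strings the way dpkg does; -1, 0 or 1."""
    while a or b:
        pa, pb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(pa):], b[len(pb):]
        for x, y in itertools.zip_longest(pa, pb):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def compare_versions(v1, v2):
    """Debian version ordering for 'epoch:upstream-revision'; -1, 0 or 1."""
    def split(v):  # epoch defaults to 0, revision to "0"
        m = re.match(r"(?:(\d+):)?(.*?)(?:-([^-]*))?$", v)
        return int(m.group(1) or 0), m.group(2), m.group(3) or "0"
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def tar_split_status(field, fixed=FIXED_TAR_SPLIT):
    """'missing', 'vulnerable' or 'fixed' for tar-split as recorded in Built-Using."""
    ver = parse_built_using(field).get("golang-github-vbatts-tar-split")
    if ver is None:
        return "missing"  # the thread's case: the field proves nothing either way
    return "fixed" if compare_versions(ver, fixed) >= 0 else "vulnerable"
```

When the result is "missing", the build log (as Dmitry did later in this thread) or the .buildinfo file is the evidence to fall back on, since a statically linked Go binary carries the vulnerable code whether or not Built-Using names it.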



Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#908055; Package docker.io. (Mon, 10 Sep 2018 06:21:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Mon, 10 Sep 2018 06:21:02 GMT)


Message #31 received at 908055@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Dmitry Smirnov <onlyjob@debian.org>
Cc: 908055@bugs.debian.org
Subject: Re: Processed: fixed 908055 in 17.12.1+dfsg-1
Date: Mon, 10 Sep 2018 08:18:56 +0200
Hi Dmitry,

On Mon, Sep 10, 2018 at 09:23:59AM +1000, Dmitry Smirnov wrote:
> On Thursday, 6 September 2018 2:19:24 PM AEST Salvatore Bonaccorso wrote:
> > > > fixed 908055 17.12.1+dfsg-1
> > 
> > Is this the first version which was using the fixed
> > golang-github-vbatts-tar-split?
> 
> Yes it is. I've confirmed that by examining the build log.

Perfect, thanks for confirming!

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Dmitry Smirnov <onlyjob@debian.org>:
Bug#908055; Package docker.io. (Fri, 01 Feb 2019 01:15:03 GMT)


Acknowledgement sent to Arnaud Rebillout <arnaud.rebillout@collabora.com>:
Extra info received and forwarded to list. Copy sent to Dmitry Smirnov <onlyjob@debian.org>. (Fri, 01 Feb 2019 01:15:03 GMT)


Message #36 received at 908055@bugs.debian.org:

From: Arnaud Rebillout <arnaud.rebillout@collabora.com>
To: 908055@bugs.debian.org
Subject: Re: Processed: fixed 908055 in 17.12.1+dfsg-1
Date: Fri, 1 Feb 2019 08:13:01 +0700
On Mon, 10 Sep 2018 08:18:56 +0200 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Hi Dmitry,
>
> On Mon, Sep 10, 2018 at 09:23:59AM +1000, Dmitry Smirnov wrote:
> > On Thursday, 6 September 2018 2:19:24 PM AEST Salvatore Bonaccorso wrote:
> > > > > fixed 908055 17.12.1+dfsg-1
> > >
> > > Is this the first version which was using the fixed
> > > golang-github-vbatts-tar-split?
> >
> > Yes it is. I've confirmed that by examining the build log.
>
> Perfect, thanks for confirming!
>
> Regards,
> Salvatore
>

If I understand, this bug is fixed? Should we close it?




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#908055; Package docker.io. (Fri, 01 Feb 2019 02:03:04 GMT)


Acknowledgement sent to Dmitry Smirnov <onlyjob@debian.org>:
Extra info received and forwarded to list. (Fri, 01 Feb 2019 02:03:04 GMT)


Message #41 received at 908055@bugs.debian.org:

From: Dmitry Smirnov <onlyjob@debian.org>
To: Arnaud Rebillout <arnaud.rebillout@collabora.com>, 908055@bugs.debian.org
Subject: Re: Bug#908055: Processed: fixed 908055 in 17.12.1+dfsg-1
Date: Fri, 01 Feb 2019 13:01:10 +1100
On Friday, 1 February 2019 12:13:01 PM AEDT Arnaud Rebillout wrote:
> If I understand, this bug is fixed? Should we close it?

Yes, I think it should be closed.
There are no actionable tasks left for maintainers to do...

-- 
All the best,
 Dmitry Smirnov.

---

No person, no idea, and no religion deserves to be illegal to insult,
not even the Church of Emacs.
        -- Richard Stallman

Reply sent to Shengjing Zhu <zhsj@debian.org>:
You have taken responsibility. (Mon, 10 Jun 2019 11:45:04 GMT)


Notification sent to Antoine Beaupre <anarcat@orangeseeds.org>:
Bug acknowledged by developer. (Mon, 10 Jun 2019 11:45:04 GMT)


Message #46 received at 908055-done@bugs.debian.org:

From: Shengjing Zhu <zhsj@debian.org>
To: 908055-done@bugs.debian.org
Subject: Re: Bug#908055: docker.io: CVE-2017-14992
Date: Mon, 10 Jun 2019 19:40:10 +0800
Not sure why this bug is fixed, but not closed. Try closing it...

-- 
Shengjing Zhu



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:04:52 2019; Machine Name: buxtehude
