Bug 1167505 (CVE-2014-6407)

Summary: CVE-2014-6407 docker: symbolic and hardlink issues leading to privilege escalation
Product: [Other] Security Response
Reporter: Murray McAllister <mmcallis>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: admiller, carnil, dwalsh, fweimer, golang-updates, hushan.jia, jchaloup, jperrin, jrusnack, lsm5, lsm5, lsu, mattdm, mgoldman, miminar, s, thrcka, tjay, vbatts, vdanen
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: docker 1.3.2
Doc Type: Bug Fix
Last Closed: 2014-12-10 21:48:37 UTC
Bug Depends On: 1167507, 1167508
Bug Blocks: 1133085, 1167510

Description Murray McAllister 2014-11-25 00:15:30 UTC
The following flaw has been fixed in Docker 1.3.2:

""
The Docker engine, up to and including version 1.3.1, was vulnerable to
extracting files to arbitrary paths on the host during ‘docker pull’ and
‘docker load’ operations. This was caused by symlink and hardlink
traversals present in Docker's image extraction. This vulnerability could
be leveraged to perform remote code execution and privilege escalation.

Docker 1.3.2 remedies this vulnerability. Additional checks have been added
to pkg/archive and image extraction is now performed in a chroot. No
remediation is available for older versions of Docker and users are advised
to upgrade.
""

Acknowledgements:

Red Hat would like to thank the Docker project for reporting these issues. Upstream acknowledges Florian Weimer of Red Hat Product Security and independent researcher Tõnis Tiigi as the original reporters.

Reference:

http://seclists.org/oss-sec/2014/q4/781
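
The kind of per-entry check the advisory describes for archive extraction, as an added example that is not part of the original report and is not Docker's pkg/archive code. The names `inside`, `CheckEntry` and `Rejected`, the destination `/srv/layer` and the sample headers are constructed for illustration; the check is lexical only, which is why it belongs alongside a chroot rather than in place of one.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// inside reports whether p, after lexical cleaning, is dest or lies below it (Unix paths).
func inside(dest, p string) bool {
	rel, err := filepath.Rel(dest, filepath.Clean(p))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, "../")
}

// CheckEntry rejects a header whose path or link target leaves dest (lexical check only).
func CheckEntry(dest string, h *tar.Header) error {
	path := filepath.Join(dest, h.Name)
	target := path // non-link entries only need the path check
	switch {
	case h.Typeflag == tar.TypeLink: // hardlink target: relative to the archive root
		target = filepath.Join(dest, h.Linkname)
	case h.Typeflag == tar.TypeSymlink && filepath.IsAbs(h.Linkname):
		target = h.Linkname // assumption: no chroot, so an absolute target is a host path
	case h.Typeflag == tar.TypeSymlink: // relative to the link's own directory
		target = filepath.Join(filepath.Dir(path), h.Linkname)
	}
	if !inside(dest, path) || !inside(dest, target) {
		return fmt.Errorf("%q (link %q) escapes %s", h.Name, h.Linkname, dest)
	}
	return nil
}

// Rejected runs CheckEntry over constructed headers (not taken from a real image).
func Rejected() (bad []string) {
	for _, h := range []*tar.Header{
		{Name: "etc/app.conf", Typeflag: tar.TypeReg},
		{Name: "../outside.txt", Typeflag: tar.TypeReg},
		{Name: "usr/lib/libx.so", Typeflag: tar.TypeSymlink, Linkname: "libx.so.1"},
		{Name: "up", Typeflag: tar.TypeSymlink, Linkname: "../../host"},
		{Name: "abs", Typeflag: tar.TypeSymlink, Linkname: "/etc"},
		{Name: "hl", Typeflag: tar.TypeLink, Linkname: "../host-file"},
	} {
		if CheckEntry("/srv/layer", h) != nil {
			bad = append(bad, h.Name)
		}
	}
	return bad
}

func main() { fmt.Println(Rejected()) }
```

A lexical check does not see symlinks that already exist on disk or that an earlier entry created, so a path that looks contained can still resolve elsewhere when followed.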

Comment 1 Murray McAllister 2014-11-25 00:20:17 UTC
Created docker-io tracking bugs for this issue:

Affects: fedora-all [bug 1167507]
Affects: epel-6 [bug 1167508]

Comment 2 Trevor Jay 2014-11-25 01:20:54 UTC
Statement:

This issue affects the versions of Docker as shipped with Red Hat Enterprise Linux 7. However, this flaw is not known to be exploitable under any supported scenario. A future update may address this issue.

Red Hat does not support or recommend running untrusted images.

Comment 3 Florian Weimer 2014-11-25 09:11:26 UTC
*** Bug 1133084 has been marked as a duplicate of this bug. ***

Comment 4 Fedora Update System 2014-12-03 17:16:22 UTC
docker-io-1.3.2-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Trevor Jay 2014-12-10 21:42:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHBA-2014:1977 https://rhn.redhat.com/errata/RHBA-2014-1977.html