A flaw was found in the way the Docker service unpacked images or builds after a "docker pull". An attacker could use this flaw to provide a malicious image or build that, when unpacked, would escalate their privileges on the system.
Docker Inc. has discovered an issue whereby a malicious image could execute arbitrary code when being unpacked automatically after a "docker pull". From the Docker Inc. report:
"It has been discovered that the introduction of chroot for archive extraction in Docker 1.3.2 had introduced a privilege escalation vulnerability. Malicious images or builds from malicious Dockerfiles could escalate privileges and execute arbitrary code as a root user on the Docker host by providing a malicious ‘xz’ binary.
We are releasing Docker 1.3.3 to address this vulnerability. Only Docker 1.3.2 is vulnerable. Users are highly encouraged to upgrade."
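As an added defender-side example, not code from this bug report or from Docker, the following Python scans an image layer tarball (as produced by "docker save" on a patched host) for executable entries named after the xz tools, which is the artefact the quoted report describes. The tool names, the treatment of links, and the sample layer are constructed assumptions for illustration, not details from the advisory.

```python
import io
import os
import stat
import tarfile

# Assumption: the names an extractor running inside the layer root would
# resolve when it execs "xz"; the advisory itself only names 'xz'.
XZ_NAMES = {"xz", "unxz", "xzcat"}


def suspicious_xz_entries(layer_tar):
    """Return member names in a layer tar that look like an xz binary.

    Reports executable regular files, hard links and symlinks whose
    basename matches XZ_NAMES; a reviewer then decides whether a real
    xz belongs in that image at all.
    """
    hits = []
    with tarfile.open(fileobj=layer_tar, mode="r:*") as tar:
        for m in tar:
            if os.path.basename(m.name.rstrip("/")) not in XZ_NAMES:
                continue
            executable = bool(m.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if (m.isfile() and executable) or m.issym() or m.islnk():
                hits.append(m.name)
    return hits


def build_sample_layer(include_xz):
    """Constructed in-memory layer tar (not a real image) for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(path, data, mode):
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
        add("etc/hostname", b"sample\n", 0o644)
        add("bin/sh", b"#!/bin/sh\n", 0o755)
        if include_xz:
            # A shell script dropped where the extractor would find "xz".
            add("usr/bin/xz", b"#!/bin/sh\necho not-really-xz\n", 0o755)
            link = tarfile.TarInfo("usr/local/bin/unxz")
            link.type, link.linkname = tarfile.SYMTYPE, "xz"
            tar.addfile(link)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(suspicious_xz_entries(build_sample_layer(True)))
```

On a real layer, pass an opened file object from the extracted "docker save" archive instead of the constructed buffer.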
This issue affects the versions of Docker as shipped with Red Hat Enterprise Linux 7. However, this flaw is not known to be exploitable under any supported scenario. A future update may address this issue.
Red Hat does not support or recommend running untrusted images.
Created docker-io tracking bugs for this issue:
Affects: fedora-all [bug 1173324]
Affects: epel-6 [bug 1173325]
Red Hat would like to thank Docker Inc. for reporting this issue.
docker-io-1.4.0-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
docker-io-1.4.1-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
docker-io-1.4.1-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
RHEL Extras for RHEL-7
Via RHSA-2015:0623 https://rhn.redhat.com/errata/RHSA-2015-0623.html