Docker Inc. has discovered an issue whereby a malicious image could execute arbitrary code when being unpacked automatically after a "docker pull". From the Docker Inc report: "It has been discovered that the introduction of chroot for archive extraction in Docker 1.3.2 had introduced a privilege escalation vulnerability. Malicious images or builds from malicious Dockerfiles could escalate privileges and execute arbitrary code as a root user on the Docker host by providing a malicious ‘xz’ binary. We are releasing Docker 1.3.3 to address this vulnerability. Only Docker 1.3.2 is vulnerable. Users are highly encouraged to upgrade."
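The report above describes the hazard of unpacking an untrusted image layer in a way that lets the layer's own contents supply the decompressor. The following is an added example, not Docker's code and not the actual Docker 1.3.3 fix: it extracts a compressed layer entirely in-process (Python's `lzma` and `tarfile` modules, so no external `xz` process is ever resolved or executed) and treats every archive member purely as data. It also goes a step beyond the page's specific case by refusing members that would escape the destination directory or create device nodes, a general hardening for layer unpacking. The sample layer, including the file named `usr/bin/xz` and the `../escape` entry, is constructed inside the block; the function names are the example's own.

```python
"""Added example (not Docker's code, not the Docker 1.3.3 fix): unpack an
image layer with an in-process decompressor and per-member path checks, so
nothing shipped inside the untrusted archive can influence the extraction."""
import io
import lzma
import os
import tarfile
import tempfile


def build_sample_layer() -> bytes:
    """Constructed sample layer (.tar.xz) for the demo: a benign file, a file
    named like the xz tool (which must only ever be written, never run), and
    a path-traversal entry that must be refused."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in [
            ("etc/motd", b"hello from the layer\n"),
            ("usr/bin/xz", b"#!/bin/sh\necho 'not a real xz'\n"),
            ("../escape", b"should never land outside dest\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.endswith("xz") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return lzma.compress(raw.getvalue())


def _is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """Allow regular files, directories and links that resolve inside dest;
    refuse device nodes, FIFOs, absolute paths and '..' traversal."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return False
    if member.isdev():  # character/block devices and FIFOs
        return False
    if member.issym() or member.islnk():
        # symlink targets are relative to the link's directory, hardlink
        # targets are relative to the archive root
        base = os.path.dirname(target) if member.issym() else dest_real
        link_target = os.path.realpath(os.path.join(base, member.linkname))
        if os.path.commonpath([dest_real, link_target]) != dest_real:
            return False
    return True


def extract_layer(archive: bytes, dest: str) -> dict:
    """Decompress with the lzma module (no external xz process is involved),
    then extract only members that pass _is_safe. Ownership and mode bits are
    deliberately not applied (set_attrs=False). Returns kept/refused names."""
    os.makedirs(dest, exist_ok=True)
    plain = lzma.decompress(archive)
    kept, refused = [], []
    with tarfile.open(fileobj=io.BytesIO(plain), mode="r:") as tar:
        for member in tar.getmembers():
            if _is_safe(member, dest):
                tar.extract(member, path=dest, set_attrs=False)
                kept.append(member.name)
            else:
                refused.append(member.name)
    return {"kept": kept, "refused": refused}


def demo() -> dict:
    """Unpack the constructed layer into a fresh temp dir and report what
    happened, including whether the traversal entry reached the parent dir."""
    dest = tempfile.mkdtemp(prefix="layer-")
    result = extract_layer(build_sample_layer(), dest)
    with open(os.path.join(dest, "etc", "motd"), "rb") as fh:
        result["motd"] = fh.read()
    result["escaped"] = os.path.exists(os.path.join(os.path.dirname(dest), "escape"))
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the archive never gets a chance to name the tool that decompresses it: the decompressor is a library already linked into the unpacking process, and the extracted tree is only ever written to, never searched for executables. Newer Python releases offer `tarfile`'s `filter="data"` for similar member checks; the explicit `_is_safe` keeps the example independent of that version.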
Statement: This issue affects the versions of Docker as shipped with Red Hat Enterprise Linux 7. However, this flaw is not known to be exploitable under any supported scenario. A future update may address this issue. Red Hat does not support or recommend running untrusted images.
External References: https://groups.google.com/forum/#!topic/docker-user/nFAz-B-n4Bw
Created docker-io tracking bugs for this issue:
Affects: fedora-all [bug 1173324]
Affects: epel-6 [bug 1173325]
Acknowledgements: Red Hat would like to thank Docker Inc. for reporting this issue.
docker-io-1.4.0-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
docker-io-1.4.1-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
docker-io-1.4.1-3.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
RHEL Extras for RHEL-7
Via RHSA-2015:0623 https://rhn.redhat.com/errata/RHSA-2015-0623.html