It was found that Docker 1.12.2 did not correctly apply user permissions in containers.

Upstream bug: https://github.com/docker/docker/issues/27590
Upstream patch: https://github.com/docker/docker/pull/27610/commits/d60a3418d0268745dff38947bc8c929fbd24f837
This seems to be the actual fix attempt: https://github.com/opencontainers/runc/commit/a83f5bac28554fa0fd49bc1559a3c79f5907348f

The fix looks correct. It deals with an embedded ')', as long as newer kernel versions do not add more non-escaped free-text fields at the end which could contain another ')'.
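The parsing hazard mentioned in the comment above is worth seeing concretely. The comm field (field 2) of /proc/[pid]/stat is printed inside parentheses but is not escaped, so a process name containing ')' shifts every later field for a parser that splits at the first ')'; the start time (field 22) then comes out wrong without any error. The following Go program is an added illustration, not runc's own code; the field layout is the one documented in proc(5), and the two stat lines are constructed samples, not captured from a real system.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// StatInfo holds the fields of /proc/[pid]/stat that matter when a
// (pid, start time) pair is used to identify a process.
type StatInfo struct {
	PID       int
	Comm      string
	State     string
	StartTime uint64 // field 22: clock ticks since boot
}

// ParseStat parses one /proc/[pid]/stat line. The comm field (field 2) is
// wrapped in parentheses but is not escaped, so a process name such as
// "evil) S 1 (sh" shifts every later field if the line is split at the
// FIRST ')'. Splitting at the LAST ')' is correct as long as no field after
// comm can contain ')' (true for the numeric fields current kernels emit).
func ParseStat(line string) (StatInfo, error) {
	openIdx := strings.IndexByte(line, '(')
	closeIdx := strings.LastIndexByte(line, ')')
	if openIdx < 0 || closeIdx < openIdx {
		return StatInfo{}, errors.New("malformed stat line: comm parentheses missing")
	}
	pid, err := strconv.Atoi(strings.TrimSpace(line[:openIdx]))
	if err != nil {
		return StatInfo{}, fmt.Errorf("bad pid field: %w", err)
	}
	// Fields after comm start at field 3 (state); starttime is field 22.
	rest := strings.Fields(line[closeIdx+1:])
	const startIdx = 22 - 3
	if len(rest) <= startIdx {
		return StatInfo{}, fmt.Errorf("too few fields after comm: %d", len(rest))
	}
	start, err := strconv.ParseUint(rest[startIdx], 10, 64)
	if err != nil {
		return StatInfo{}, fmt.Errorf("bad starttime field: %w", err)
	}
	return StatInfo{PID: pid, Comm: line[openIdx+1 : closeIdx], State: rest[0], StartTime: start}, nil
}

// NaiveStartTime shows the hazard: it splits at the first ')' and silently
// returns a wrong start time when comm itself contains ')'.
func NaiveStartTime(line string) (uint64, error) {
	closeIdx := strings.IndexByte(line, ')')
	if closeIdx < 0 {
		return 0, errors.New("no ')' in stat line")
	}
	rest := strings.Fields(line[closeIdx+1:])
	if len(rest) <= 19 {
		return 0, errors.New("too few fields after comm")
	}
	return strconv.ParseUint(rest[19], 10, 64)
}

// Constructed sample lines (not captured from a real system): an ordinary
// process and one whose comm was chosen to contain ')' and spaces.
const (
	PlainStat = "1 (systemd) S 0 1 1 0 -1 4194560 100 0 0 0 1 2 0 0 20 0 1 0 7 4096 100 18446744073709551615 0 0 0 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0"
	EvilStat  = "4242 (evil) S 1 (sh) S 1 4242 4242 0 -1 4194560 100 0 0 0 1 2 0 0 20 0 1 0 123456 4096 100 18446744073709551615 0 0 0 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0"
)

func main() {
	for _, line := range []string{PlainStat, EvilStat} {
		info, err := ParseStat(line)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		naive, _ := NaiveStartTime(line)
		fmt.Printf("pid=%d comm=%q robust starttime=%d naive starttime=%d\n",
			info.PID, info.Comm, info.StartTime, naive)
	}
}
```

For the ordinary line both parsers agree; for the crafted comm the naive parser returns 0 instead of 123456 with no error, which is exactly the silent misidentification that matters when (pid, start time) is treated as a process identity.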
No, the actual fix was to revert the commit which introduced ambient capabilities in runc afaict (I don't have the link handy). The runc version we use in projectatomic/runc in branch docker-1.12.3 contains the actual fix. That commit is just a fix for a panic afaict (?)
(In reply to Antonio Murdaca from comment #2)
> No, the actual fix was to revert the commit which introduced ambient
> capabilities in runc afaict (I don't have the link handy).
>
> The runc version we use in projectatomic/runc in branch docker-1.12.3
> contains the actual fix.
>
> That commit is just a fix for a panic afaict (?)

Ohh, that might be the case. I thought it might cause the process start time to be misidentified, which could be a security problem in itself because PID and start time are sometimes (ab)used as a unique ID.
I'm not sure if this is the right place to report this, but CentOS 7.7.1908 still has this problem (with docker-common-1.13.1-108.git4ef4b30.el7.centos.x86_64).

Using the test described in https://bugs.gentoo.org/show_bug.cgi?id=CVE-2016-8867 :

  $ docker run --user 1000:1000 fedora sh -c 'capsh --print; echo; ls /root'
  Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
  Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
  Ambient set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
  Securebits: 00/0x0/1'b0
   secure-noroot: no (unlocked)
   secure-no-suid-fixup: no (unlocked)
   secure-keep-caps: no (unlocked)
   secure-no-ambient-raise: no (unlocked)
  uid=1000(???)
  gid=1000(???)
  groups=

  anaconda-ks.cfg  anaconda-post-nochroot.log  anaconda-post.log  original-ks.cfg

Whereas the expected outcome (as run on e.g. Fedora 31 with moby-engine-18.09.8-2.ce.git0dd43dd.fc31.x86_64) is:

  $ docker run --user 1000:1000 fedora sh -c 'capsh --print; echo; ls /root'
  Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+i
  Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
  Ambient set =
  Securebits: 00/0x0/1'b0
   secure-noroot: no (unlocked)
   secure-no-suid-fixup: no (unlocked)
   secure-keep-caps: no (unlocked)
   secure-no-ambient-raise: no (unlocked)
  uid=1000(???)
  gid=1000(???)
  groups=

  ls: cannot open directory '/root': Permission denied

"Note the lack of "+eip" for capabilities and that filesystem permissions now work." (from https://bugs.gentoo.org/show_bug.cgi?id=CVE-2016-8867)
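The capsh check in the comment above can be reproduced without capsh, since capsh derives its output from the capability masks in /proc/self/status. The following Go program is an added example, not Docker's or runc's code: it parses the Uid and Cap* lines of a status file, decodes the masks into the names capsh prints, and flags the CVE-2016-8867 symptom (a non-root effective uid whose effective or ambient set is non-empty). The two status excerpts are constructed to mirror the faulty and the expected capsh output shown above; DockerDefaultCaps (0xa80425fb) is the bitmask of the 14 capabilities those outputs list.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// capNames maps Linux capability bit numbers 0-31 to the names capsh prints.
var capNames = [...]string{
	"cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
	"cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid",
	"cap_setpcap", "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
	"cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
	"cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
	"cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
	"cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
	"cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
}

// CapState is one process's capability view as read from /proc/[pid]/status.
type CapState struct {
	EUID                    int
	Inh, Prm, Eff, Bnd, Amb uint64
}

// ParseStatus extracts the effective uid and the five capability masks
// (hex bitmasks) from the text of /proc/[pid]/status; other lines are ignored.
func ParseStatus(status string) (CapState, error) {
	var st CapState
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 {
			continue
		}
		key, val := parts[0], strings.TrimSpace(parts[1])
		var err error
		switch key {
		case "Uid": // real, effective, saved, filesystem
			f := strings.Fields(val)
			if len(f) < 2 {
				return st, fmt.Errorf("malformed Uid line %q", val)
			}
			st.EUID, err = strconv.Atoi(f[1])
		case "CapInh":
			st.Inh, err = strconv.ParseUint(val, 16, 64)
		case "CapPrm":
			st.Prm, err = strconv.ParseUint(val, 16, 64)
		case "CapEff":
			st.Eff, err = strconv.ParseUint(val, 16, 64)
		case "CapBnd":
			st.Bnd, err = strconv.ParseUint(val, 16, 64)
		case "CapAmb":
			st.Amb, err = strconv.ParseUint(val, 16, 64)
		}
		if err != nil {
			return st, fmt.Errorf("%s: %w", key, err)
		}
	}
	return st, sc.Err()
}

// CapList decodes a mask into capability names, lowest bit first; bits
// without a name in the table are kept as their number.
func CapList(mask uint64) []string {
	var out []string
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<uint(bit)) == 0 {
			continue
		}
		if bit < len(capNames) {
			out = append(out, capNames[bit])
		} else {
			out = append(out, strconv.Itoa(bit))
		}
	}
	return out
}

// AmbientLeak reports the CVE-2016-8867 symptom: a non-root effective uid
// that still holds capabilities in its effective or ambient set. A healthy
// --user container has both empty (capsh shows "+i" only).
func AmbientLeak(st CapState) bool {
	return st.EUID != 0 && (st.Eff != 0 || st.Amb != 0)
}

// DockerDefaultCaps is the mask of the 14 capabilities in the capsh output
// above (cap_chown ... cap_setfcap).
const DockerDefaultCaps uint64 = 0x00000000a80425fb

// Constructed /proc/self/status excerpts (not captured output), trimmed to the
// lines the parser uses. BuggyStatus mirrors the faulty package (all sets
// populated for uid 1000); FixedStatus mirrors the expected output.
const (
	BuggyStatus = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n" +
		"CapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n" +
		"CapBnd:\t00000000a80425fb\nCapAmb:\t00000000a80425fb\n"
	FixedStatus = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n" +
		"CapInh:\t00000000a80425fb\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n" +
		"CapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
)

func main() {
	for name, status := range map[string]string{"buggy": BuggyStatus, "fixed": FixedStatus} {
		st, err := ParseStatus(status)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: euid=%d leak=%v ambient=%v\n", name, st.EUID, AmbientLeak(st), CapList(st.Amb))
	}
}
```

To run the same check against a live container, feed it the output of something like `docker run --user 1000:1000 <image> cat /proc/self/status` (the image name is an assumption; any image with /proc mounted works). The check is deliberately stricter than "Ambient set =" alone: for CVE-2016-8867 the effective set is also the tell, since the faulty package shows "+eip" and the fixed one only "+i".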
It appears I just hit a docker version having this issue:

* docker-1.13.1-103.git7f2769b.el7.centos.x86_64 (a little older) behaves correctly
* docker-1.13.1-108.git4ef4b30.el7.centos.x86_64 (the one I reported) is faulty
* docker-1.13.1-109.gitcccb291.el7.centos.x86_64 (the latest version) already has it fixed again

Sorry to have bothered you.
A bit of history related to this CVE.

The following runc commit added ambient capability support:
https://github.com/opencontainers/runc/commit/4e179bddcaae964084e0afeda36ac68408f39c4b

The above runc change was pulled into docker in version 1.12.2:
https://github.com/moby/moby/compare/v1.12.1...v1.12.2
https://github.com/moby/moby/commit/3377b4b9b755082070c942cb2a73cec869f063ca
https://github.com/opencontainers/runc/compare/cc29e3dded8e27ba8f65738f40d251c885030a28...02f8fa7863dd3f82909a73e2061897828460d52f

This is the fix that was applied in docker 1.12.3:
https://github.com/moby/moby/compare/v1.12.2...v1.12.3
https://github.com/moby/moby/commit/d60a3418d0268745dff38947bc8c929fbd24f837
https://github.com/opencontainers/runc/compare/02f8fa7863dd3f82909a73e2061897828460d52f...f59ba3cdd76fdc08c004f42aa915996f6f420899

This pulled in the following runc commit that reverts the addition of ambient capability support:
https://github.com/opencontainers/runc/commit/6cda437855f57d5ea515e007bdc53e3e9dc29cab

In runc, ambient capability support was made optional via this commit:
https://github.com/opencontainers/runc/commit/603c151e6c2a4a37c7fae887960d9cf46a105266

and the build flag was removed again via:
https://github.com/opencontainers/runc/commit/4f903a21c480443e8dbfc65b083fd05891501c67
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:2653 https://access.redhat.com/errata/RHSA-2020:2653
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2016-8867
Statement: This issue only affected a single version of the docker packages as shipped with Red Hat Enterprise Linux 7 Extras - docker-1.13.1-108.git4ef4b30.el7. This version was released on January 8th 2020 via erratum RHBA-2020:0053 and the problem was corrected in version docker-1.13.1-109.gitcccb291.el7_7 released on February 4th 2020 via erratum RHBA-2020:0427. This CVE is listed as fixed in erratum RHSA-2020:2653 released on June 23rd 2020. However, the erratum RHSA-2020:2653 does not provide any new or improved fix compared to RHBA-2020:0427; it was released to ensure proper visibility of the problem to users and security scanning tools, as the fix was originally released via a non-security bug fix erratum. The current version of OpenShift Container Platform (OCP) 3.11 is not affected because it installs the latest package from the Red Hat Enterprise Linux 7 Extras repository. If on an earlier version of OCP 3.11, be sure to update to a docker package later than 1.13.1-108.git4ef4b30.el7.