** Changed in: runc (Ubuntu Yakkety)
Status: Fix Committed => Won't Fix
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1675288
Title:
security fix to runc in docker-1.12.3 wasn't picked
Status in runc package in Ubuntu:
Fix Released
Status in runc source package in Xenial:
Fix Released
Status in runc source package in Yakkety:
Won't Fix
Bug description:
[Impact]
https://github.com/docker/docker/issues/27590#issuecomment-255241013
The steps are very clear, it's very easy to recur, so I don't repeat
here.
The CVE link: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2016-8867
[Test case]
$ tmp=$(mktemp -d)
$ cd $tmp
$ cat > Dockerfile << EOF
FROM debian
RUN useradd example
RUN id
USER example
RUN id
RUN cat /etc/shadow
CMD /bin/bash
EOF
$ docker build --no-cache -t example .
The 'cat /etc/shadow' in the Dockerfile should fail.
[Regression potential]
We're fixing this by moving to the exact commit of runc the docker 1.12.6
release expects, so there shouldn't be any issues. In addition
https://wiki.ubuntu.com/DockerUpdates applies.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/runc/+bug/1675288/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
