[meta-virtualization] [sumo] [PATCH v2] docker: CVE-2018-10892

Sinan Kaya okaya at kernel.org
Tue Oct 9 21:18:24 PDT 2018


* CVE-2018-10892
Docker does not block /proc/acpi pathnames. The flaw allows an attacker to
modify the host's hardware, like enabling/disabling Bluetooth or turning up/down
keyboard brightness.

Affects < 18.03.01

CVE: CVE-2018-10892
Ref: https://access.redhat.com/security/cve/cve-2018-10892
Signed-off-by: Sinan Kaya <okaya at kernel.org>
---
 recipes-containers/docker/docker_git.bb       |  2 ++
 .../docker/files/CVE-2018-10892.patch         | 34 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 recipes-containers/docker/files/CVE-2018-10892.patch

diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb
index e055a4f..7c7bd4c 100644
--- a/recipes-containers/docker/docker_git.bb
+++ b/recipes-containers/docker/docker_git.bb
@@ -30,6 +30,8 @@ SRC_URI = "\
         file://0001-libnetwork-use-GO-instead-of-go.patch \
 	"
 
+SRC_URI_append_docker += "CVE-2018-10892.patch"
+
 # Apache-2.0 for docker
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"
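Review bot: the added `+SRC_URI_append_docker += "CVE-2018-10892.patch"` line will most likely never get the patch applied. It carries no `file://` scheme, unlike the neighbouring `file://0001-libnetwork-use-GO-instead-of-go.patch` entry, so the fetcher cannot resolve it as a local file, and the `_docker` suffix makes it an override-conditional append that only takes effect when `docker` is in OVERRIDES, which nothing in this hunk sets. Suggest placing it in the existing SRC_URI list as `file://CVE-2018-10892.patch \` beside the other patches (or `SRC_URI += "file://CVE-2018-10892.patch"`) and confirming in the do_patch log that the patch is actually applied, since a silently ignored entry leaves the CVE unfixed while the recipe claims otherwise.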
diff --git a/recipes-containers/docker/files/CVE-2018-10892.patch b/recipes-containers/docker/files/CVE-2018-10892.patch
new file mode 100644
index 0000000..60d0496
--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2018-10892.patch
@@ -0,0 +1,34 @@
+From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
+From: Antonio Murdaca <runcom at redhat.com>
+Date: Thu, 5 Jul 2018 17:06:08 +0200
+Subject: [PATCH] Add /proc/acpi to masked paths
+
+The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
+from 1.11 to current upstream master does not block /proc/acpi pathnames
+allowing attackers to modify host's hardware like enabling/disabling
+bluetooth or turning up/down keyboard brightness. SELinux prevents all
+of this if enabled.
+
+Signed-off-by: Antonio Murdaca <runcom at redhat.com>
+CVE: CVE-2018-10892
+Upstream-Status: Backport [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
+Signed-off-by: Sinan Kaya<okaya at kernel.org>
+---
+ oci/defaults.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/oci/defaults.go b/oci/defaults.go
+index 4145412dd..992157b0f 100644
+--- a/oci/defaults.go
++++ b/oci/defaults.go
+@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
+ 
+ 	s.Linux = &specs.Linux{
+ 		MaskedPaths: []string{
++			"/proc/acpi",
+ 			"/proc/kcore",
+ 			"/proc/keys",
+ 			"/proc/latency_stats",
+-- 
+2.19.0
+
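Review bot: two nits in the embedded commit message, on the `+The deafult OCI linux spec` line and the `+Signed-off-by: Sinan Kaya<okaya at kernel.org>` line: "deafult" should read "default", and the backport Signed-off-by trailer is missing the space before `<` that the other trailer in the same message has. The upstream author's wording and the Upstream-Status reference can otherwise stay as they are. Worth keeping in mind for the recipe's changelog: the one-line change lands in `DefaultLinuxSpec()`, so the masking covers containers created from Docker's default spec and does not alter any non-default spec a caller supplies.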
-- 
2.19.0