Bug 909712 (CVE-2014-9356) - VUL-0: CVE-2014-9356: docker: Path traversal during processing of absolute symlinks
Summary: VUL-0: CVE-2014-9356: docker: Path traversal during processing of absolute sy...
Status: RESOLVED FIXED
: 909747 (view as bug list)
Alias: CVE-2014-9356
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P5 - None : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/111525/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-12 13:49 UTC by Alexander Bergmann
Modified: 2018-12-14 15:10 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2014-12-12 13:49:16 UTC 
rh#1172761

A problem was reported by Docker Inc. whereby a malicious image could overwrite arbitrary portions of the host filesystem by including absolute symlinks. From the upstream report:

"Path traversal attacks are possible in the processing of absolute symlinks. In checking symlinks for traversals, only relative links were considered. This allowed path traversals to exist where they should have otherwise been prevented. This was exploitable via both archive extraction and through volume mounts.

This vulnerability allowed malicious images or builds from malicious Dockerfiles to write files to the host system and escape containerization, leading to privilege escalation."

CVE-2014-9356 was assigned to this issue.


References:
https://groups.google.com/forum/#!topic/docker-user/nFAz-B-n4Bw
https://bugzilla.redhat.com/show_bug.cgi?id=1172761
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9356
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9356
Comment 1 Flavio Castelli 2014-12-12 16:27:02 UTC 
*** Bug 909747 has been marked as a duplicate of this bug. ***
Comment 3 Bernhard Wiedemann 2014-12-12 17:00:27 UTC 
This is an autogenerated message for OBS integration:
This bug (909712) was mentioned in
https://build.opensuse.org/request/show/265019 13.2 / docker
Comment 6 Marcus Meissner 2014-12-18 18:01:41 UTC 
accpted to sle12 and 13.2, do not forget factory please
Comment 7 Flavio Castelli 2014-12-19 12:57:09 UTC 
Fixed.
Comment 8 Bernhard Wiedemann 2014-12-19 13:01:15 UTC 
This is an autogenerated message for OBS integration:
This bug (909712) was mentioned in
https://build.opensuse.org/request/show/265920 Factory / docker
Comment 9 Swamp Workflow Management 2014-12-27 21:07:55 UTC 
openSUSE-SU-2014:1722-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 909709,909710,909712
CVE References: CVE-2014-9356,CVE-2014-9357,CVE-2014-9358
Sources used:
openSUSE 13.2 (src):    docker-1.4.0-13.1
Comment 10 Swamp Workflow Management 2015-01-19 16:05:11 UTC 
SUSE-SU-2015:0082-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 909709,909710,909712,913211,913213
CVE References: CVE-2014-9356,CVE-2014-9357,CVE-2014-9358
Sources used:
SUSE Linux Enterprise Server 12 (src):    docker-1.4.1-16.1