* [sumo] [meta-virtualization] [PATCH v1] docker: CVE-2018-10892
@ 2018-10-05  3:47 Sinan Kaya
  2018-10-05 15:41 ` Bruce Ashfield
  2018-10-05 16:33 ` [sumo] " Sinan Kaya
  0 siblings, 2 replies; 7+ messages in thread
From: Sinan Kaya @ 2018-10-05  3:47 UTC (permalink / raw)
  To: openembedded-devel

* CVE-2018-10892
Docker does not block /proc/acpi pathnames. The flaw allows an attacker to
modify host's hardware like enabling/disabling Bluetooth or turning up/down
keyboard brightness.

Affects < 18.03.01

CVE: CVE-2018-10892
Ref: https://access.redhat.com/security/cve/cve-2018-10892
Signed-off-by: Sinan Kaya <okaya@kernel.org>
---
  recipes-containers/docker/docker_git.bb       |  2 ++
  .../docker/files/CVE-2018-10892.patch         | 34 +++++++++++++++++++
  2 files changed, 36 insertions(+)
  create mode 100644 recipes-containers/docker/files/CVE-2018-10892.patch

diff --git a/recipes-containers/docker/docker_git.bb 
b/recipes-containers/docker/docker_git.bb
index e055a4f..7c7bd4c 100644
--- a/recipes-containers/docker/docker_git.bb
+++ b/recipes-containers/docker/docker_git.bb
@@ -30,6 +30,8 @@ SRC_URI = "\
          file://0001-libnetwork-use-GO-instead-of-go.patch \
  	"

+SRC_URI_append_docker += "CVE-2018-10892.patch"
+
  # Apache-2.0 for docker
  LICENSE = "Apache-2.0"
  LIC_FILES_CHKSUM = 
"file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"
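Review bot: the added line `+SRC_URI_append_docker += "CVE-2018-10892.patch"` will not get the patch applied. The entry has no `file://` scheme, so the fetcher cannot resolve it against the recipe's files/ directory, and the `_docker` suffix is BitBake override syntax that only takes effect when `docker` is in OVERRIDES; the `name=docker` qualifier that SRCREV uses does not carry over to SRC_URI. Combining `_append` with `+=` is also discouraged. Suggest adding `file://CVE-2018-10892.patch \` to the existing SRC_URI list next to `file://0001-libnetwork-use-GO-instead-of-go.patch \`, which is how the recipe already carries its other patch.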
diff --git a/recipes-containers/docker/files/CVE-2018-10892.patch 
b/recipes-containers/docker/files/CVE-2018-10892.patch
new file mode 100644
index 0000000..60d0496
--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2018-10892.patch
@@ -0,0 +1,34 @@
+From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
+From: Antonio Murdaca <runcom@redhat.com>
+Date: Thu, 5 Jul 2018 17:06:08 +0200
+Subject: [PATCH] Add /proc/acpi to masked paths
+
+The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
+from 1.11 to current upstream master does not block /proc/acpi pathnames
+allowing attackers to modify host's hardware like enabling/disabling
+bluetooth or turning up/down keyboard brightness. SELinux prevents all
+of this if enabled.
+
+Signed-off-by: Antonio Murdaca <runcom@redhat.com>
+CVE: CVE-2018-10892
+Upstream-Status: Backport 
[https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
+Signed-off-by: Sinan Kaya<okaya@kernel.org>
+---
+ oci/defaults.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/oci/defaults.go b/oci/defaults.go
+index 4145412dd..992157b0f 100644
+--- a/oci/defaults.go
++++ b/oci/defaults.go
+@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
+
+ 	s.Linux = &specs.Linux{
+ 		MaskedPaths: []string{
++			"/proc/acpi",
+ 			"/proc/kcore",
+ 			"/proc/keys",
+ 			"/proc/latency_stats",
+--
+2.19.0
+
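Review bot: this new-file hunk is malformed as posted: the header `@@ -0,0 +1,34 @@` announces 34 added lines, but the line `[https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]` carries no leading `+`. It is the tail of `+Upstream-Status: Backport ` (note the trailing space), wrapped onto its own line by the mailer, so `git am` will reject the patch at that point. Keep the URL on the same line as `Upstream-Status: Backport` and send with a client that does not reflow long lines (`git send-email` is the safe choice). Nit: `+Signed-off-by: Sinan Kaya<okaya@kernel.org>` is missing a space before the address.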
-- 
2.19.0
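As an added example that is not part of this patch or of Moby's own code: a small Go check that reads the `linux.maskedPaths` field of an OCI runtime `config.json` (the field that the `MaskedPaths` slice in the hunk ends up populating) and reports which required paths are not masked. The required list is the portion of Moby's default list that is visible in the hunk, including the `/proc/acpi` entry the fix adds; the two config snippets are constructed sample inputs, not captured from a real container.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// ociConfig is the subset of an OCI runtime-spec config.json this check needs.
type ociConfig struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// RequiredMaskedPaths is the set this check enforces. It is the part of
// Moby's MaskedPaths list visible in the hunk above, including the
// /proc/acpi entry added by the CVE-2018-10892 fix (assumption: a
// deployment may extend this list with its own policy).
var RequiredMaskedPaths = []string{
	"/proc/acpi",
	"/proc/kcore",
	"/proc/keys",
	"/proc/latency_stats",
}

// MissingMaskedPaths parses config.json bytes and returns, sorted, every
// required path that the spec does not mask. A parse error is returned
// as an error rather than being treated as "nothing missing".
func MissingMaskedPaths(configJSON []byte, required []string) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	present := make(map[string]bool, len(cfg.Linux.MaskedPaths))
	for _, p := range cfg.Linux.MaskedPaths {
		present[p] = true
	}
	var missing []string
	for _, p := range required {
		if !present[p] {
			missing = append(missing, p)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// VulnerableConfig and FixedConfig are constructed sample inputs mimicking
// the linux section of a config.json generated before and after the fix.
const VulnerableConfig = `{"ociVersion":"1.0.1","linux":{"maskedPaths":["/proc/kcore","/proc/keys","/proc/latency_stats"]}}`
const FixedConfig = `{"ociVersion":"1.0.1","linux":{"maskedPaths":["/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats"]}}`

func main() {
	samples := map[string]string{"pre-fix": VulnerableConfig, "post-fix": FixedConfig}
	for name, cfg := range samples {
		missing, err := MissingMaskedPaths([]byte(cfg), RequiredMaskedPaths)
		if err != nil {
			fmt.Printf("%s: %v\n", name, err)
			continue
		}
		if len(missing) == 0 {
			fmt.Printf("%s: all required paths are masked\n", name)
		} else {
			fmt.Printf("%s: NOT masked: %v\n", name, missing)
		}
	}
}
```

Feeding it the config.json that the runtime was actually handed for a running container confirms that the rebuilt daemon really emits the hardened default, rather than trusting the version string alone.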




* Re: [sumo] [meta-virtualization] [PATCH v1] docker: CVE-2018-10892
  2018-10-05  3:47 [sumo] [meta-virtualization] [PATCH v1] docker: CVE-2018-10892 Sinan Kaya
@ 2018-10-05 15:41 ` Bruce Ashfield
  2018-10-05 15:55   ` Sinan Kaya
  2018-10-05 16:33 ` [sumo] " Sinan Kaya
  1 sibling, 1 reply; 7+ messages in thread
From: Bruce Ashfield @ 2018-10-05 15:41 UTC (permalink / raw)
  To: okaya; +Cc: openembedded-devel

Wrong list.

This needs to go to the meta-virtualization mailing list.

Bruce
On Thu, Oct 4, 2018 at 11:48 PM Sinan Kaya <okaya@kernel.org> wrote:
>
> * CVE-2018-10892
> Docker does not block /proc/acpi pathnames. The flaw allows an attacker to
> modify host's hardware like enabling/disabling Bluetooth or turning up/down
> keyboard brightness.
>
> Affects < 18.03.01
>
> CVE: CVE-2018-10892
> Ref: https://access.redhat.com/security/cve/cve-2018-10892
> Signed-off-by: Sinan Kaya <okaya@kernel.org>
> ---
>   recipes-containers/docker/docker_git.bb       |  2 ++
>   .../docker/files/CVE-2018-10892.patch         | 34 +++++++++++++++++++
>   2 files changed, 36 insertions(+)
>   create mode 100644 recipes-containers/docker/files/CVE-2018-10892.patch
>
> diff --git a/recipes-containers/docker/docker_git.bb
> b/recipes-containers/docker/docker_git.bb
> index e055a4f..7c7bd4c 100644
> --- a/recipes-containers/docker/docker_git.bb
> +++ b/recipes-containers/docker/docker_git.bb
> @@ -30,6 +30,8 @@ SRC_URI = "\
>           file://0001-libnetwork-use-GO-instead-of-go.patch \
>         "
>
> +SRC_URI_append_docker += "CVE-2018-10892.patch"
> +
>   # Apache-2.0 for docker
>   LICENSE = "Apache-2.0"
>   LIC_FILES_CHKSUM =
> "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"
> diff --git a/recipes-containers/docker/files/CVE-2018-10892.patch
> b/recipes-containers/docker/files/CVE-2018-10892.patch
> new file mode 100644
> index 0000000..60d0496
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2018-10892.patch
> @@ -0,0 +1,34 @@
> +From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
> +From: Antonio Murdaca <runcom@redhat.com>
> +Date: Thu, 5 Jul 2018 17:06:08 +0200
> +Subject: [PATCH] Add /proc/acpi to masked paths
> +
> +The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
> +from 1.11 to current upstream master does not block /proc/acpi pathnames
> +allowing attackers to modify host's hardware like enabling/disabling
> +bluetooth or turning up/down keyboard brightness. SELinux prevents all
> +of this if enabled.
> +
> +Signed-off-by: Antonio Murdaca <runcom@redhat.com>
> +CVE: CVE-2018-10892
> +Upstream-Status: Backport
> [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
> +Signed-off-by: Sinan Kaya<okaya@kernel.org>
> +---
> + oci/defaults.go | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/oci/defaults.go b/oci/defaults.go
> +index 4145412dd..992157b0f 100644
> +--- a/oci/defaults.go
> ++++ b/oci/defaults.go
> +@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
> +
> +       s.Linux = &specs.Linux{
> +               MaskedPaths: []string{
> ++                      "/proc/acpi",
> +                       "/proc/kcore",
> +                       "/proc/keys",
> +                       "/proc/latency_stats",
> +--
> +2.19.0
> +
> --
> 2.19.0
>
> --
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-devel



-- 
"Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end"



* Re: [sumo] [meta-virtualization] [PATCH v1] docker: CVE-2018-10892
  2018-10-05 15:41 ` Bruce Ashfield
@ 2018-10-05 15:55   ` Sinan Kaya
  2018-10-05 16:00     ` akuster808
  0 siblings, 1 reply; 7+ messages in thread
From: Sinan Kaya @ 2018-10-05 15:55 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: openembedded-devel

On 10/5/2018 11:41 AM, Bruce Ashfield wrote:
> Wrong list.
> 
> This needs to go to the meta-virtualization mailing list.

Thanks for the heads up. Is there a document somewhere saying which
patch needs to go to which list?

This is the second time I screwed up.



* Re: [sumo] [meta-virtualization] [PATCH v1] docker: CVE-2018-10892
  2018-10-05 15:55   ` Sinan Kaya
@ 2018-10-05 16:00     ` akuster808
  2018-10-05 16:02       ` Sinan Kaya
  0 siblings, 1 reply; 7+ messages in thread
From: akuster808 @ 2018-10-05 16:00 UTC (permalink / raw)
  To: Sinan Kaya, Bruce Ashfield; +Cc: openembedded-devel

Sinan,


On 10/05/2018 08:55 AM, Sinan Kaya wrote:
> On 10/5/2018 11:41 AM, Bruce Ashfield wrote:
>> Wrong list.
>>
>> This needs to go to the meta-virtualization mailing list.
>
> Thanks for the heads up. Is there a document somewhere saying which
> patch needs to go to which list?

Every Layer should have a README. That README should include where to
send patches.

Maintenance
-----------

Send pull requests, patches, comments or questions to
meta-virtualization@yoctoproject.org

Maintainer: Bruce Ashfield <bruce.ashfield@gmail.com>

When sending single patches, please use something like:

$ git send-email -1 -M --to meta-virtualization@yoctoproject.org --subject-prefix='meta-virtualization][PATCH'

The mailing list you will need to subscribe to

Hope this helps.
- Armin

>
> This is the second time I screwed up.




* Re: [sumo] [meta-virtualization] [PATCH v1] docker: CVE-2018-10892
  2018-10-05 16:00     ` akuster808
@ 2018-10-05 16:02       ` Sinan Kaya
  0 siblings, 0 replies; 7+ messages in thread
From: Sinan Kaya @ 2018-10-05 16:02 UTC (permalink / raw)
  To: akuster808, Bruce Ashfield; +Cc: openembedded-devel

On 10/5/2018 12:00 PM, akuster808 wrote:
> Sinan,
> 
> 
> On 10/05/2018 08:55 AM, Sinan Kaya wrote:
>> On 10/5/2018 11:41 AM, Bruce Ashfield wrote:
>>> Wrong list.
>>>
>>> This needs to go to the meta-virtualization mailing list.
>>
>> Thanks for the heads up. Is there a document somewhere saying which
>> patch needs to go to which list?
> 
> Every Layer should have a README. That README should include where to
> send patches.
> 
> Maintenance
> -----------
> 
> Send pull requests, patches, comments or questions to
> meta-virtualization@yoctoproject.org
> 
> Maintainer: Bruce Ashfield <bruce.ashfield@gmail.com>
> 
> When sending single patches, please use something like:
> 
> $ git send-email -1 -M --to meta-virtualization@yoctoproject.org --subject-prefix='meta-virtualization][PATCH'
> 
> The mailing list you will need to subscribe to
> 
> Hope this helps.
> - Armin
> 
>>
>> This is the second time I screwed up.
> 
> 

Got it. I just needed to know where to look.



* [sumo] [PATCH v1] docker: CVE-2018-10892
  2018-10-05  3:47 [sumo] [meta-virtualization] [PATCH v1] docker: CVE-2018-10892 Sinan Kaya
  2018-10-05 15:41 ` Bruce Ashfield
@ 2018-10-05 16:33 ` Sinan Kaya
  2018-10-10  3:20   ` Bruce Ashfield
  1 sibling, 1 reply; 7+ messages in thread
From: Sinan Kaya @ 2018-10-05 16:33 UTC (permalink / raw)
  To: meta-virtualization

* CVE-2018-10892
Docker does not block /proc/acpi pathnames. The flaw allows an attacker to
modify host's hardware like enabling/disabling Bluetooth or turning up/down
keyboard brightness.

Affects < 18.03.01

CVE: CVE-2018-10892
Ref: https://access.redhat.com/security/cve/cve-2018-10892
Signed-off-by: Sinan Kaya <okaya@kernel.org>
---
  recipes-containers/docker/docker_git.bb       |  2 ++
  .../docker/files/CVE-2018-10892.patch         | 34 +++++++++++++++++++
  2 files changed, 36 insertions(+)
  create mode 100644 recipes-containers/docker/files/CVE-2018-10892.patch

diff --git a/recipes-containers/docker/docker_git.bb 
b/recipes-containers/docker/docker_git.bb
index e055a4f..7c7bd4c 100644
--- a/recipes-containers/docker/docker_git.bb
+++ b/recipes-containers/docker/docker_git.bb
@@ -30,6 +30,8 @@ SRC_URI = "\
          file://0001-libnetwork-use-GO-instead-of-go.patch \
  	"

+SRC_URI_append_docker += "CVE-2018-10892.patch"
+
  # Apache-2.0 for docker
  LICENSE = "Apache-2.0"
  LIC_FILES_CHKSUM = 
"file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"
diff --git a/recipes-containers/docker/files/CVE-2018-10892.patch 
b/recipes-containers/docker/files/CVE-2018-10892.patch
new file mode 100644
index 0000000..60d0496
--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2018-10892.patch
@@ -0,0 +1,34 @@
+From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
+From: Antonio Murdaca <runcom@redhat.com>
+Date: Thu, 5 Jul 2018 17:06:08 +0200
+Subject: [PATCH] Add /proc/acpi to masked paths
+
+The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
+from 1.11 to current upstream master does not block /proc/acpi pathnames
+allowing attackers to modify host's hardware like enabling/disabling
+bluetooth or turning up/down keyboard brightness. SELinux prevents all
+of this if enabled.
+
+Signed-off-by: Antonio Murdaca <runcom@redhat.com>
+CVE: CVE-2018-10892
+Upstream-Status: Backport 
[https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
+Signed-off-by: Sinan Kaya<okaya@kernel.org>
+---
+ oci/defaults.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/oci/defaults.go b/oci/defaults.go
+index 4145412dd..992157b0f 100644
+--- a/oci/defaults.go
++++ b/oci/defaults.go
+@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
+
+ 	s.Linux = &specs.Linux{
+ 		MaskedPaths: []string{
++			"/proc/acpi",
+ 			"/proc/kcore",
+ 			"/proc/keys",
+ 			"/proc/latency_stats",
+--
+2.19.0
+
-- 
2.19.0




* Re: [sumo] [PATCH v1] docker: CVE-2018-10892
  2018-10-05 16:33 ` [sumo] " Sinan Kaya
@ 2018-10-10  3:20   ` Bruce Ashfield
  0 siblings, 0 replies; 7+ messages in thread
From: Bruce Ashfield @ 2018-10-10  3:20 UTC (permalink / raw)
  To: okaya; +Cc: meta-virtualization

Your patch is coming through corrupted:

----
Applying: docker: CVE-2018-10892
/home/bruce/poky/meta-virtualization/.git/rebase-apply/patch:44:
trailing whitespace.
Upstream-Status: Backport
fatal: corrupt patch at line 45
Patch failed at 0001 docker: CVE-2018-10892
The copy of the patch that failed is found in:
   /home/bruce/poky/meta-virtualization/.git/rebase-apply/patch
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
----

Check your MTA and how you are sending the patch to the list.

Bruce

On Fri, Oct 5, 2018 at 12:33 PM Sinan Kaya <okaya@kernel.org> wrote:
>
> * CVE-2018-10892
> Docker does not block /proc/acpi pathnames. The flaw allows an attacker to
> modify host's hardware like enabling/disabling Bluetooth or turning up/down
> keyboard brightness.
>
> Affects < 18.03.01
>
> CVE: CVE-2018-10892
> Ref: https://access.redhat.com/security/cve/cve-2018-10892
> Signed-off-by: Sinan Kaya <okaya@kernel.org>
> ---
>   recipes-containers/docker/docker_git.bb       |  2 ++
>   .../docker/files/CVE-2018-10892.patch         | 34 +++++++++++++++++++
>   2 files changed, 36 insertions(+)
>   create mode 100644 recipes-containers/docker/files/CVE-2018-10892.patch
>
> diff --git a/recipes-containers/docker/docker_git.bb
> b/recipes-containers/docker/docker_git.bb
> index e055a4f..7c7bd4c 100644
> --- a/recipes-containers/docker/docker_git.bb
> +++ b/recipes-containers/docker/docker_git.bb
> @@ -30,6 +30,8 @@ SRC_URI = "\
>           file://0001-libnetwork-use-GO-instead-of-go.patch \
>         "
>
> +SRC_URI_append_docker += "CVE-2018-10892.patch"
> +
>   # Apache-2.0 for docker
>   LICENSE = "Apache-2.0"
>   LIC_FILES_CHKSUM =
> "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"
> diff --git a/recipes-containers/docker/files/CVE-2018-10892.patch
> b/recipes-containers/docker/files/CVE-2018-10892.patch
> new file mode 100644
> index 0000000..60d0496
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2018-10892.patch
> @@ -0,0 +1,34 @@
> +From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
> +From: Antonio Murdaca <runcom@redhat.com>
> +Date: Thu, 5 Jul 2018 17:06:08 +0200
> +Subject: [PATCH] Add /proc/acpi to masked paths
> +
> +The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
> +from 1.11 to current upstream master does not block /proc/acpi pathnames
> +allowing attackers to modify host's hardware like enabling/disabling
> +bluetooth or turning up/down keyboard brightness. SELinux prevents all
> +of this if enabled.
> +
> +Signed-off-by: Antonio Murdaca <runcom@redhat.com>
> +CVE: CVE-2018-10892
> +Upstream-Status: Backport
> [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
> +Signed-off-by: Sinan Kaya<okaya@kernel.org>
> +---
> + oci/defaults.go | 1 +
> + 1 file changed, 1 insertion(+)
> +
> +diff --git a/oci/defaults.go b/oci/defaults.go
> +index 4145412dd..992157b0f 100644
> +--- a/oci/defaults.go
> ++++ b/oci/defaults.go
> +@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
> +
> +       s.Linux = &specs.Linux{
> +               MaskedPaths: []string{
> ++                      "/proc/acpi",
> +                       "/proc/kcore",
> +                       "/proc/keys",
> +                       "/proc/latency_stats",
> +--
> +2.19.0
> +
> --
> 2.19.0
>
> --
> _______________________________________________
> meta-virtualization mailing list
> meta-virtualization@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/meta-virtualization



-- 
"Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end"


