author | Sinan Kaya <okaya@kernel.org> | 2018-10-10 04:18:24 +0000 |
---|---|---|
committer | Bruce Ashfield <bruce.ashfield@windriver.com> | 2018-10-11 14:10:45 -0400 |
commit | 4583c6331737c072fe23b77f2453bcce3d25f81e (patch) | |
tree | 329b748a29d28c25ed62f9dbb508f6da1377d9a7 | |
parent | dd32e94c88550d7629aa696acb565c1597954603 (diff) | |
download | meta-virtualization-4583c6331737c072fe23b77f2453bcce3d25f81e.tar.gz |
docker: CVE-2018-10892
* CVE-2018-10892
Docker does not block /proc/acpi pathnames. The flaw allows an attacker to
modify the host's hardware, for example enabling/disabling Bluetooth or turning
keyboard brightness up/down.
Affects < 18.03.01
CVE: CVE-2018-10892
Ref: https://access.redhat.com/security/cve/cve-2018-10892
Signed-off-by: Sinan Kaya <okaya@kernel.org>
Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
-rw-r--r-- | recipes-containers/docker/docker_git.bb | 2 | ||||
-rw-r--r-- | recipes-containers/docker/files/CVE-2018-10892.patch | 34 |
2 files changed, 36 insertions, 0 deletions
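--- a/recipes-containers/docker/docker_git.bb
+++ b/recipes-containers/docker/docker_git.bb
@@ -30,6 +30,8 @@ SRC_URI = "\
 file://0001-libnetwork-use-GO-instead-of-go.patch \
 "
 
+SRC_URI_append_docker += "CVE-2018-10892.patch"
+
 # Apache-2.0 for docker
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a"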
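Review bot: The SRC_URI entry added at new line 33 has no `file://` scheme, so as far as I can tell the fetcher will reject `CVE-2018-10892.patch` as a malformed URL instead of applying it; it should read `SRC_URI_append_docker += "file://CVE-2018-10892.patch"`. The append is also conditional on `docker` being present in OVERRIDES, which this hunk does not show; if that override is not active the CVE fix is silently never applied, so a plain `SRC_URI += "file://CVE-2018-10892.patch"` is the safer form unless the override is deliberate. The LIC_FILES_CHKSUM line below points at `src/import/LICENSE`, which suggests the docker tree lives under `src/import`, while the backported patch strips to `oci/defaults.go`; the entry then likely needs `;patchdir=src/import` (or an S set to that directory, not visible here) for do_patch to succeed.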
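--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2018-10892.patch
@@ -0,0 +1,34 @@
+From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001
+From: Antonio Murdaca <runcom@redhat.com>
+Date: Thu, 5 Jul 2018 17:06:08 +0200
+Subject: [PATCH] Add /proc/acpi to masked paths
+
+The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby
+from 1.11 to current upstream master does not block /proc/acpi pathnames
+allowing attackers to modify host's hardware like enabling/disabling
+bluetooth or turning up/down keyboard brightness. SELinux prevents all
+of this if enabled.
+
+Signed-off-by: Antonio Murdaca <runcom@redhat.com>
+CVE: CVE-2018-10892
+Upstream-Status: Backport [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e]
+Signed-off-by: Sinan Kaya<okaya@kernel.org>
+---
+oci/defaults.go | 1 +
+1 file changed, 1 insertion(+)
+
+diff --git a/oci/defaults.go b/oci/defaults.go
+index 4145412dd..992157b0f 100644
+--- a/oci/defaults.go
++++ b/oci/defaults.go
+@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec {
+
+s.Linux = &specs.Linux{
+MaskedPaths: []string{
++ "/proc/acpi",
+"/proc/kcore",
+"/proc/keys",
+"/proc/latency_stats",
+--
+2.19.0
+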
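Review bot: The local sign-off at line 15 of the new patch file, `Signed-off-by: Sinan Kaya<okaya@kernel.org>`, lacks the space before the address that trailer-parsing tools expect; it should match the commit's own trailer, `Signed-off-by: Sinan Kaya <okaya@kernel.org>`. The `deafult` typo at line 6 belongs to the backported upstream message and is reasonable to leave untouched so the text matches the moby commit named in Upstream-Status.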