

Critical Vulnerability in Docker versions - mike-cardwell
http://www.openwall.com/lists/oss-security/2014/11/24/5

======
preillyme
The Docker engine, up to and including version 1.3.1, was vulnerable to
extracting files to arbitrary paths on the host during ‘docker pull’ and
‘docker load’ operations. This was caused by symlink and hardlink traversals
present in Docker's image extraction. This vulnerability could be leveraged to
perform remote code execution and privilege escalation.

Docker 1.3.2 remedies this vulnerability. Additional checks have been added to
pkg/archive and image extraction is now performed in a chroot. No remediation
is available for older versions of Docker and users are advised to upgrade.

Related vulnerabilities discovered by Florian Weimer of Red Hat Product
Security and independent researcher, Tõnis Tiigi.

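The following is an added example, not Docker's code and not part of this thread: it shows the kind of per-member check an image-layer extractor needs in order to block the traversal class the advisory describes (a '..' path, a symlink or hardlink whose target lies outside the extraction root, or a file written through a symlink planted earlier). The helper names (`check_member`, `safe_extract`, `demo`) and the sample archives are constructed for the illustration.

```python
"""Reject tar members that would read or write outside the extraction root.
Added example, not Docker's implementation; archives below are constructed."""
import io
import os
import tarfile
import tempfile


class UnsafeArchiveMember(Exception):
    """A tar member would read or write outside the extraction root."""


def _inside(root: str, path: str) -> bool:
    """True if path, with every symlink resolved, lies within root."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    return path == root or path.startswith(root + os.sep)


def check_member(root: str, member: tarfile.TarInfo) -> None:
    """Raise UnsafeArchiveMember unless member can be extracted into root.

    Called immediately before each member is written, so a symlink extracted
    by an earlier member (or an earlier layer) is already on disk and
    realpath() follows it.
    """
    dest = os.path.join(root, member.name)
    # 1. The destination itself, after following any already-extracted
    #    symlinks in its parent directories, must stay under root.
    if not _inside(root, dest):
        raise UnsafeArchiveMember(f"{member.name!r} resolves outside root")
    # 2. A symlink target is relative to the link's own directory.
    if member.issym():
        target = os.path.join(os.path.dirname(dest), member.linkname)
        if not _inside(root, target):
            raise UnsafeArchiveMember(
                f"symlink {member.name!r} -> {member.linkname!r} leaves root")
    # 3. A hardlink target is relative to the archive root.
    elif member.islnk():
        target = os.path.join(root, member.linkname)
        if not _inside(root, target):
            raise UnsafeArchiveMember(
                f"hardlink {member.name!r} -> {member.linkname!r} leaves root")
    # 4. Device nodes have no business in an image layer.
    elif member.isdev():
        raise UnsafeArchiveMember(f"device node {member.name!r} rejected")


def safe_extract(data: bytes, root: str) -> list:
    """Extract an in-memory tar into root, checking every member first."""
    os.makedirs(root, exist_ok=True)
    # Python 3.12+ (and security backports) ship a 'data' extraction filter
    # that enforces similar rules; use it as a second layer where available.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    extracted = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            check_member(root, member)
            tar.extract(member, path=root, **kwargs)
            extracted.append(member.name)
    return extracted


def _regular(name: str, payload: bytes) -> tuple:
    info = tarfile.TarInfo(name)
    info.size = len(payload)
    return info, payload


def _link(name: str, linkname: str, hard: bool = False) -> tuple:
    info = tarfile.TarInfo(name)
    info.type = tarfile.LNKTYPE if hard else tarfile.SYMTYPE
    info.linkname = linkname
    return info, None


def build_tar(members) -> bytes:
    """Build a constructed sample archive from (TarInfo, payload) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for info, payload in members:
            tar.addfile(info, io.BytesIO(payload) if payload is not None else None)
    return buf.getvalue()


def demo() -> dict:
    """Run constructed archives through safe_extract; return outcome per case."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "root"), os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        cases = {
            "benign": [_regular("etc/motd", b"hello\n")],
            "dotdot": [_regular("../escape", b"x")],
            "symlink_out": [_link("lib", "../outside"), _regular("lib/pwned", b"x")],
            "hardlink_out": [_link("shadow", "../outside/secret", hard=True)],
        }
        for name, members in cases.items():
            try:
                outcomes[name] = safe_extract(build_tar(members), root)
            except UnsafeArchiveMember as exc:
                outcomes[name] = f"rejected: {exc}"
        # Simulate a symlink planted by an earlier, unchecked layer.
        os.symlink(outside, os.path.join(root, "lib"))
        try:
            outcomes["through_existing_symlink"] = safe_extract(
                build_tar([_regular("lib/pwned", b"x")]), root)
        except UnsafeArchiveMember as exc:
            outcomes["through_existing_symlink"] = f"rejected: {exc}"
        outcomes["outside_untouched"] = os.listdir(outside) == []
    return outcomes


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Only the benign archive extracts; every other case is refused before anything is written, and the directory outside the root stays empty. Note that check 2 also refuses absolute symlinks such as a `/bin/sh -> /bin/busybox` that would be perfectly valid inside the image's own filesystem, which is one reason the fix described in the comment moved extraction into a chroot rather than relying on path checks alone.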
------
preillyme
Docker versions 1.3.0 through 1.3.1 allowed security options to be applied to
images, allowing images to modify the default run profile of containers
executing these images. This vulnerability could allow a malicious image
creator to loosen the restrictions applied to a container’s processes,
potentially facilitating a break-out.

Docker 1.3.2 remedies this vulnerability. Security options applied to images
are no longer consumed by the Docker engine and will be ignored. Users are
advised to upgrade.

------
preillyme
Besides the above CVEs, the 1.3.2 release allows administrators to pass a
CIDR-formatted range of addresses for '--insecure-registry'. In addition,
allowing a cleartext registry to exist on localhost is now default behavior.
This change was made due to user feedback following the changes made in 1.3.1
to resolve CVE-2014-5277.

------
preillyme
I love that in
[https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6408](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6408)
Trevor Jay says, "Red Hat does not support or recommend running untrusted
images".

