* CVE-2018-10892 Docker does not block /proc/acpi pathnames. The flaw allows an attacker to modify the host's hardware, like enabling/disabling Bluetooth or turning up/down keyboard brightness.
Affects < 18.03.01 CVE: CVE-2018-10892 Ref: https://access.redhat.com/security/cve/cve-2018-10892 Signed-off-by: Sinan Kaya <[email protected]> --- recipes-containers/docker/docker_git.bb | 2 ++ .../docker/files/CVE-2018-10892.patch | 34 +++++++++++++++++++ 2 files changed, 36 insertions(+) create mode 100644 recipes-containers/docker/files/CVE-2018-10892.patch diff --git a/recipes-containers/docker/docker_git.bb b/recipes-containers/docker/docker_git.bb index e055a4f..7c7bd4c 100644 --- a/recipes-containers/docker/docker_git.bb +++ b/recipes-containers/docker/docker_git.bb @@ -30,6 +30,8 @@ SRC_URI = "\ file://0001-libnetwork-use-GO-instead-of-go.patch \ " +SRC_URI_append_docker += "CVE-2018-10892.patch" + # Apache-2.0 for docker LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a" diff --git a/recipes-containers/docker/files/CVE-2018-10892.patch b/recipes-containers/docker/files/CVE-2018-10892.patch new file mode 100644 index 0000000..60d0496 --- /dev/null +++ b/recipes-containers/docker/files/CVE-2018-10892.patch 
@@ -0,0 +1,34 @@ +From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001 +From: Antonio Murdaca <[email protected]> +Date: Thu, 5 Jul 2018 17:06:08 +0200 +Subject: [PATCH] Add /proc/acpi to masked paths + +The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby +from 1.11 to current upstream master does not block /proc/acpi pathnames +allowing attackers to modify host's hardware like enabling/disabling +bluetooth or turning up/down keyboard brightness. SELinux prevents all +of this if enabled. + +Signed-off-by: Antonio Murdaca <[email protected]> +CVE: CVE-2018-10892 +Upstream-Status: Backport [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e] +Signed-off-by: Sinan Kaya<[email protected]> +--- + oci/defaults.go | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/oci/defaults.go b/oci/defaults.go +index 4145412dd..992157b0f 100644 +--- a/oci/defaults.go ++++ b/oci/defaults.go +@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec { + + s.Linux = &specs.Linux{ + MaskedPaths: []string{ ++ "/proc/acpi", + "/proc/kcore", + "/proc/keys", + "/proc/latency_stats", +-- +2.19.0 + -- 2.19.0
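Review bot: in the docker_git.bb hunk, `+SRC_URI_append_docker += "CVE-2018-10892.patch"` does not follow the form of the existing entries, which carry a `file://` scheme (`file://0001-libnetwork-use-GO-instead-of-go.patch \`); without the scheme the fetcher cannot resolve the patch from the recipe's files/ directory, so do_patch will not apply it. The `_append_docker` suffix also makes the line conditional on a `docker` override being active, and `+=` on an `_append` variable is an unusual mix. The plain form `SRC_URI += "file://CVE-2018-10892.patch"` matches the rest of the recipe; after rebuilding, confirm the patch appears in the do_patch log and that `"/proc/acpi"` is present in the patched oci/defaults.go in the workdir.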
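Review bot: the oci/defaults.go hunk adds `++ "/proc/acpi",` to `MaskedPaths` inside `DefaultLinuxSpec()` only, so the mask reaches containers whose spec is generated after the upgrade; containers already running keep the spec they were created with until they are recreated, which the outer commit message should say. The outer message's `Affects < 18.03.01` also disagrees with the backported message, which states the default spec `from 1.11 to current upstream master` is affected; the two should agree on the affected range. Minor: the backported message has `deafult` for `default`, and `Signed-off-by: Sinan Kaya<[email protected]>` is missing the space before `<`.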
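A defender-side check for the fix described in the commit message, as an added example that is not part of this patch or of Docker's/Moby's own code: run inside a container, it parses `/proc/self/mountinfo` and reports which of the paths the patched `MaskedPaths` list is expected to mask are actually masked. It relies on how runtimes implement masked paths (an empty read-only tmpfs mounted over a masked directory, `/dev/null` bind-mounted over a masked file); the `SAMPLE_MOUNTINFO` lines, the `EXPECTED_MASKED` subset and the function names are constructed for this example.

```python
"""Audit /proc masking from /proc/self/mountinfo (added example).

Runtimes mask a directory in MaskedPaths by mounting an empty read-only
tmpfs over it and mask a file by bind-mounting /dev/null over it, so the
mount table inside the container shows whether the spec was applied.
"""
import re
from typing import Dict, Iterable, List

# Subset of the MaskedPaths entries visible in the oci/defaults.go hunk.
EXPECTED_MASKED = ("/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats")

# Constructed sample, modelled on mountinfo inside a container whose spec
# masks /proc/acpi, /proc/kcore and /proc/keys but NOT /proc/latency_stats.
SAMPLE_MOUNTINFO = """\
100 99 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/lower,upperdir=/upper,workdir=/work
101 100 0:51 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
102 101 0:52 / /proc/acpi ro,relatime - tmpfs tmpfs ro
103 101 0:5 /null /proc/kcore rw,nosuid - devtmpfs udev rw,size=4096k,mode=755
104 101 0:5 /null /proc/keys rw,nosuid - devtmpfs udev rw,size=4096k,mode=755
105 100 0:53 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
"""

# mountinfo escapes space, tab, newline and backslash as \ooo octal sequences.
_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def masked_paths(mountinfo: str) -> Dict[str, str]:
    """Return {mount_point: kind} for masks under /proc.

    kind is "tmpfs" for a masked directory or "devnull" for a masked file.
    """
    found: Dict[str, str] = {}
    for line in mountinfo.splitlines():
        # Fields left of " - ": id parent major:minor root mount_point options [optional...]
        # Fields right of " - ": fstype source super_options
        if " - " not in line:
            continue
        left, right = line.split(" - ", 1)
        lf, rf = left.split(), right.split()
        if len(lf) < 6 or len(rf) < 2:
            continue
        root, mount_point = _unescape(lf[3]), _unescape(lf[4])
        fstype = rf[0]
        if not mount_point.startswith("/proc/"):
            continue
        if root == "/null":
            found[mount_point] = "devnull"      # /dev/null bound over a file
        elif fstype == "tmpfs":
            found[mount_point] = "tmpfs"        # empty tmpfs over a directory
    return found


def is_masked(mountinfo: str, path: str) -> bool:
    return path in masked_paths(mountinfo)


def unmasked(mountinfo: str, expected: Iterable[str] = EXPECTED_MASKED) -> List[str]:
    """Expected paths that are NOT masked; an empty list means the spec was applied."""
    present = masked_paths(mountinfo)
    return [p for p in expected if p not in present]


if __name__ == "__main__":
    try:
        with open("/proc/self/mountinfo") as f:   # real table when run in a container
            data = f.read()
    except OSError:
        data = SAMPLE_MOUNTINFO                   # fall back to the constructed sample
    for p in unmasked(data):
        print("NOT masked:", p)
```

Run it inside a container started from the patched daemon: an empty report means every expected path is masked, while `NOT masked: /proc/acpi` on a container created before the upgrade confirms that the new default spec only takes effect for containers created afterwards.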
