Wrong list. This needs to go to the meta-virtualization mailing list.
Bruce On Thu, Oct 4, 2018 at 11:48 PM Sinan Kaya <ok...@kernel.org> wrote: > > * CVE-2018-10892 > Docker does not block /proc/acpi pathnames. The flaw allows an attacker to > modify host's hardware like enabling/disabling Bluetooth or turning up/down > keyboard brightness. > > Affects < 18.03.01 > > CVE: CVE-2018-10892 > Ref: https://access.redhat.com/security/cve/cve-2018-10892 > Signed-off-by: Sinan Kaya <ok...@kernel.org> > --- > recipes-containers/docker/docker_git.bb | 2 ++ > .../docker/files/CVE-2018-10892.patch | 34 +++++++++++++++++++ > 2 files changed, 36 insertions(+) > create mode 100644 recipes-containers/docker/files/CVE-2018-10892.patch > > diff --git a/recipes-containers/docker/docker_git.bb > b/recipes-containers/docker/docker_git.bb > index e055a4f..7c7bd4c 100644 > --- a/recipes-containers/docker/docker_git.bb > +++ b/recipes-containers/docker/docker_git.bb > @@ -30,6 +30,8 @@ SRC_URI = "\ > file://0001-libnetwork-use-GO-instead-of-go.patch \ > " > > +SRC_URI_append_docker += "CVE-2018-10892.patch" > + > # Apache-2.0 for docker > LICENSE = "Apache-2.0" > LIC_FILES_CHKSUM = > "file://src/import/LICENSE;md5=9740d093a080530b5c5c6573df9af45a" > diff --git a/recipes-containers/docker/files/CVE-2018-10892.patch > b/recipes-containers/docker/files/CVE-2018-10892.patch > new file mode 100644 > index 0000000..60d0496 > --- /dev/null > +++ b/recipes-containers/docker/files/CVE-2018-10892.patch 
> @@ -0,0 +1,34 @@ > +From af52f266ea15e6000ed057b13d62d27ddd5441a0 Mon Sep 17 00:00:00 2001 > +From: Antonio Murdaca <run...@redhat.com> > +Date: Thu, 5 Jul 2018 17:06:08 +0200 > +Subject: [PATCH] Add /proc/acpi to masked paths > + > +The deafult OCI linux spec in oci/defaults{_linux}.go in Docker/Moby > +from 1.11 to current upstream master does not block /proc/acpi pathnames > +allowing attackers to modify host's hardware like enabling/disabling > +bluetooth or turning up/down keyboard brightness. SELinux prevents all > +of this if enabled. > + > +Signed-off-by: Antonio Murdaca <run...@redhat.com> > +CVE: CVE-2018-10892 > +Upstream-Status: Backport > [https://github.com/moby/moby/pull/37404/commits/569b9702a59804617e1cd3611fbbe953e4247b3e] > +Signed-off-by: Sinan Kaya<ok...@kernel.org> > +--- > + oci/defaults.go | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/oci/defaults.go b/oci/defaults.go > +index 4145412dd..992157b0f 100644 > +--- a/oci/defaults.go > ++++ b/oci/defaults.go > +@@ -114,6 +114,7 @@ func DefaultLinuxSpec() specs.Spec { > + > + s.Linux = &specs.Linux{ > + MaskedPaths: []string{ > ++ "/proc/acpi", > + "/proc/kcore", > + "/proc/keys", > + "/proc/latency_stats", > +-- > +2.19.0 > + > -- > 2.19.0 > > -- > _______________________________________________ > Openembedded-devel mailing list > Openembedded-devel@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-devel -- "Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end"
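Review bot: the new `SRC_URI_append_docker += "CVE-2018-10892.patch"` line in docker_git.bb drops the `file://` scheme that the neighbouring `file://0001-libnetwork-use-GO-instead-of-go.patch \` entry uses, so the fetcher will reject the bare filename and the patch placed under recipes-containers/docker/files/ never gets applied. The `_append_docker` suffix is also an override, which only takes effect if `docker` is in OVERRIDES, and nothing in this hunk arranges that. Unless the recipe sets that override up somewhere outside the hunk, put `file://CVE-2018-10892.patch \` inside the existing `SRC_URI = "\ ... "` block next to the libnetwork patch and drop the separate assignment.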
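Review bot: the added `"/proc/acpi",` entry in oci/defaults.go only reaches containers that receive the default spec; `--privileged` clears MaskedPaths, so those containers stay exposed, which deserves a sentence in the recipe's patch description. Before merging, confirm the backport lands cleanly on the docker revision the recipe's SRC_URI pins: the patch carries upstream's `index 4145412dd..992157b0f` and the `@@ -114,6 +114,7 @@` context (`/proc/kcore`, `/proc/keys`, `/proc/latency_stats`), and a mismatch there means do_patch needs a refreshed hunk rather than a verbatim copy. A quick end-to-end check on the built image is an unprivileged `docker run --rm <image> ls -A /proc/acpi`, which should print nothing once the directory is masked, while the same command with `--privileged` still lists the host's entries.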
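One way to check what the daemon actually hands to the runtime after this kind of fix, as an added example that is not part of this thread and not Docker's or meta-virtualization's own code: a small Go audit that reads an OCI runtime config.json and reports which of a required set of masked paths are missing from linux.maskedPaths. The required list is taken only from the hunk quoted above (the new /proc/acpi plus the three context entries) and is an assumption for illustration, not Docker's complete default MaskedPaths list; the two config.json fragments are constructed samples so the program runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// ociConfig is the minimal subset of an OCI runtime config.json that this
// audit reads: only linux.maskedPaths matters here.
type ociConfig struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// requiredMasked lists the /proc entries the audit expects to be masked.
// Assumption: taken from the hunk in the thread above (three context lines
// plus the newly added /proc/acpi); it is NOT Docker's full default list.
var requiredMasked = []string{
	"/proc/acpi",
	"/proc/kcore",
	"/proc/keys",
	"/proc/latency_stats",
}

// missingMaskedPaths parses an OCI config.json and returns, sorted, every
// path from required that is absent from linux.maskedPaths. An empty result
// means the spec masks everything the audit asks for.
func missingMaskedPaths(configJSON []byte, required []string) ([]string, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parsing config.json: %w", err)
	}
	have := make(map[string]bool, len(cfg.Linux.MaskedPaths))
	for _, p := range cfg.Linux.MaskedPaths {
		have[p] = true
	}
	missing := []string{}
	for _, p := range required {
		if !have[p] {
			missing = append(missing, p)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// sampleUnfixed is a constructed config.json fragment shaped like the spec a
// pre-fix daemon would produce: /proc/acpi is absent from maskedPaths.
const sampleUnfixed = `{
  "ociVersion": "1.0.1",
  "linux": {
    "maskedPaths": ["/proc/kcore", "/proc/keys", "/proc/latency_stats"]
  }
}`

// sampleFixed is the same constructed fragment with /proc/acpi masked.
const sampleFixed = `{
  "ociVersion": "1.0.1",
  "linux": {
    "maskedPaths": ["/proc/acpi", "/proc/kcore", "/proc/keys", "/proc/latency_stats"]
  }
}`

type input struct {
	name string
	data []byte
}

func main() {
	// With a path argument, audit a real config.json (for example one written
	// by `runc spec` or found in a running container's bundle directory);
	// otherwise audit the two constructed samples.
	inputs := []input{
		{"constructed pre-fix spec", []byte(sampleUnfixed)},
		{"constructed fixed spec", []byte(sampleFixed)},
	}
	if len(os.Args) > 1 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		inputs = []input{{os.Args[1], data}}
	}
	exit := 0
	for _, in := range inputs {
		missing, err := missingMaskedPaths(in.data, requiredMasked)
		switch {
		case err != nil:
			fmt.Fprintf(os.Stderr, "%s: %v\n", in.name, err)
			exit = 2
		case len(missing) == 0:
			fmt.Printf("%s: OK, all required paths masked\n", in.name)
		default:
			fmt.Printf("%s: NOT masked: %v\n", in.name, missing)
			exit = 1
		}
	}
	os.Exit(exit)
}
```

The exit status (0 clean, 1 missing entries, 2 unreadable input) makes it usable in a build-time smoke test against the spec a freshly built daemon emits; an unprivileged `docker run --rm <image> ls -A /proc/acpi` printing nothing is still the end-to-end confirmation that the runtime applied the mask.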