Bug#1034886: closed by Moritz Muehlenhoff (Re: Bug#1034886: docker.io: CVE-2022-37708)
Hi,

On Thu, Apr 27, 2023 at 01:18:03PM +, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:docker.io package:
>
> #1034886: docker.io: CVE-2022-37708
>
> It has been closed by Moritz Muehlenhoff .
>
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Moritz Muehlenhoff by
> replying to this email.
>
>
> --
> 1034886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034886
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems

> From: Moritz Muehlenhoff
> User-Agent: Mutt/1.10.1 (2018-07-13)
> Date: Thu, 27 Apr 2023 15:14:47 +0200
> To: Shengjing Zhu
> Cc: 1034886-d...@bugs.debian.org, Tianon Gravi
> Subject: Re: Bug#1034886: docker.io: CVE-2022-37708
> Message-ID: <20230427131447.ga31...@inutil.org>
>
> On Thu, Apr 27, 2023 at 04:21:21AM +0800, Shengjing Zhu wrote:
> > On Thu, Apr 27, 2023 at 1:39 AM Moritz Mühlenhoff wrote:
> > >
> > > Source: docker.io
> > > X-Debbugs-CC: t...@security.debian.org
> > > Severity: important
> > > Tags: security
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for docker.io.
> > >
> > > CVE-2022-37708[0]:
> > > | Docker version 20.10.15, build fd82621 is vulnerable to Insecure
> > > | Permissions. Unauthorized users outside the Docker container can
> > > | access any files within the Docker container.
> > >
> > > The only reference here seems to be
> > > upstream: https://github.com/thekevinday/docker_lightman_exploit
> > >
> > > Not sure if this was reported upstream
> >
> > I have talked to Tianon on 2023-02-28, and we concluded that it's not
> > a security issue, just working as expected.
>
> Yeah, it's hard to understand why this got a CVE assigned.
>
> > Tianon said he will ask someone inside the Docker company. Not sure if
> > they have successfully invalidated this CVE.
>
> Sounds good, in the meantime I'll record it as a non-issue in the Security
> Tracker (independent of whether Docker Inc rejects it or not). We can also
> simply close the bug.

FWIW, the CVE got rejected.

Regards,
Salvatore
Bug#1034886: docker.io: CVE-2022-37708
On Tue, 2 May 2023 at 16:25, Tianon Gravi wrote:
> > I have talked to Tianon on 2023-02-28, and we concluded that it's not
> > a security issue, just working as expected.
> >
> > Tianon said he will ask someone inside the Docker company. Not sure if
> > they have successfully invalidated this CVE.
>
> My colleague disputed it, but we apparently never heard back about the
> dispute.

As of yesterday, it's officially "rejected":
https://www.cve.org/CVERecord?id=CVE-2022-37708

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
Bug#1034886: docker.io: CVE-2022-37708
On Wed, 26 Apr 2023 at 13:21, Shengjing Zhu wrote:
> On Thu, Apr 27, 2023 at 1:39 AM Moritz Mühlenhoff wrote:
> >
> > Source: docker.io
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: important
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for docker.io.
> >
> > CVE-2022-37708[0]:
> > | Docker version 20.10.15, build fd82621 is vulnerable to Insecure
> > | Permissions. Unauthorized users outside the Docker container can
> > | access any files within the Docker container.
> >
> > The only reference here seems to be
> > upstream: https://github.com/thekevinday/docker_lightman_exploit
> >
> > Not sure if this was reported upstream
>
> I have talked to Tianon on 2023-02-28, and we concluded that it's not
> a security issue, just working as expected.
>
> Tianon said he will ask someone inside the Docker company. Not sure if
> they have successfully invalidated this CVE.

My colleague disputed it, but we apparently never heard back about the
dispute.

♥,
- Tianon
  4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
Bug#1034886: docker.io: CVE-2022-37708
On Thu, Apr 27, 2023 at 1:39 AM Moritz Mühlenhoff wrote:
>
> Source: docker.io
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for docker.io.
>
> CVE-2022-37708[0]:
> | Docker version 20.10.15, build fd82621 is vulnerable to Insecure
> | Permissions. Unauthorized users outside the Docker container can
> | access any files within the Docker container.
>
> The only reference here seems to be
> upstream: https://github.com/thekevinday/docker_lightman_exploit
>
> Not sure if this was reported upstream

I have talked to Tianon on 2023-02-28, and we concluded that it's not
a security issue, just working as expected.

Tianon said he will ask someone inside the Docker company. Not sure if
they have successfully invalidated this CVE.

--
Shengjing Zhu
Bug#1034886: docker.io: CVE-2022-37708
Source: docker.io
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for docker.io.

CVE-2022-37708[0]:
| Docker version 20.10.15, build fd82621 is vulnerable to Insecure
| Permissions. Unauthorized users outside the Docker container can
| access any files within the Docker container.

The only reference here seems to be
upstream: https://github.com/thekevinday/docker_lightman_exploit

Not sure if this was reported upstream

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37708
    https://www.cve.org/CVERecord?id=CVE-2022-37708

Please adjust the affected versions in the BTS as needed.