** Description changed:

+ [Impact]
  https://github.com/docker/docker/issues/27590#issuecomment-255241013

  The steps are very clear, it's very easy to recur, so I don't repeat here.

  The CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8867
+
+ [Test case]
+ $ tmp=$(mktemp -d)
+ $ cd $tmp
+ $ cat > Dockerfile << EOF
+ FROM debian
+ RUN useradd example
+ RUN id
+ USER example
+ RUN id
+ RUN cat /etc/shadow
+ CMD /bin/bash
+ EOF
+ $ docker build --no-cache -t example .
+
+ The 'cat /etc/shadow' in the Dockerfile should fail.
+
+ [Regression potential]
+ We're fixing this by moving to the exact commit of runc the docker 1.12.6 release expects, so there shouldn't be any issues. In addition https://wiki.ubuntu.com/DockerUpdates applies.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1675288

Title:
  security fix to runc in docker-1.12.3 wasn't picked
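
A check that complements the [Test case] above, as an added example that is not part of the bug report or of Docker/runc. MITRE's entry for CVE-2016-8867 attributes the issue to ambient capabilities enabled with a misconfigured capability policy, so rather than relying only on `cat /etc/shadow` failing, the function below inspects the `Uid`, `CapEff` and `CapAmb` lines of a `/proc/<pid>/status` file. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Reads the text of a
# /proc/<pid>/status file and reports whether a non-root process holds
# capabilities. Returns 0 = ok, 1 = non-root with capabilities, 2 = unparsable.

is_zero_hex() {
    # True when the hex string consists only of '0' digits.
    [ -z "$(printf '%s' "$1" | tr -d '0')" ]
}

status_field() {
    # $1 = status text, $2 = key such as "CapEff:", $3 = column to print
    printf '%s\n' "$1" | awk -v k="$2" -v c="$3" '$1 == k { print $c; exit }'
}

check_status_caps() {
    uid=$(status_field "$1" "Uid:" 3)        # column 3 is the effective uid
    eff=$(status_field "$1" "CapEff:" 2)
    amb=$(status_field "$1" "CapAmb:" 2)
    [ -n "$amb" ] || amb=0                   # CapAmb is absent before Linux 4.3
    case $uid in ''|*[!0-9]*) echo "unparsable: Uid"; return 2 ;; esac
    case $eff in ''|*[!0-9a-fA-F]*) echo "unparsable: CapEff"; return 2 ;; esac
    case $amb in *[!0-9a-fA-F]*) echo "unparsable: CapAmb"; return 2 ;; esac
    if [ "$uid" -eq 0 ]; then
        echo "skip: effective uid is 0"; return 0
    fi
    if is_zero_hex "$eff" && is_zero_hex "$amb"; then
        echo "ok: uid $uid holds no capabilities"; return 0
    fi
    echo "FAIL: uid $uid has CapEff=$eff CapAmb=$amb"; return 1
}

# Constructed samples (not captured output; whitespace simplified).
SAMPLE_AFFECTED='Name: id
Uid: 1000 1000 1000 1000
CapEff: 00000000a80425fb
CapAmb: 00000000a80425fb'
SAMPLE_FIXED='Name: id
Uid: 1000 1000 1000 1000
CapEff: 0000000000000000
CapAmb: 0000000000000000'

check_status_caps "$SAMPLE_AFFECTED" || true
check_status_caps "$SAMPLE_FIXED"
```

In the test Dockerfile the function would be fed `$(cat /proc/self/status)` from a `RUN` step placed after `USER example`; a FAIL result there shows that the non-root user still holds capabilities.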
