Hi security team / maintainers,

On Wed, 03 Jun 2020 20:58:53 +0200 Salvatore Bonaccorso <car...@debian.org> 
wrote:
Source: docker.io
Version: 19.03.7+dfsg1-3
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for docker.io.

CVE-2020-13401[0]:
| An issue was discovered in Docker Engine before 19.03.11. An attacker
| in a container, with the CAP_NET_RAW capability, can craft IPv6 router
| advertisements, and consequently spoof external IPv6 hosts, obtain
| sensitive information, or cause a denial of service.

I've prepared an update for buster-security (debdiff attached).
With the update accept_ra is correctly set to 0 for bridges Docker creates.


@Maintainers:
Do you want me to push the patch to the Git repo for unstable or are you
planning to update to 19.03.11 anyway?

Cheers,
Felix
diff -Nru docker.io-18.09.1+dfsg1/debian/changelog 
docker.io-18.09.1+dfsg1/debian/changelog
--- docker.io-18.09.1+dfsg1/debian/changelog    2019-09-03 19:59:35.000000000 
+0200
+++ docker.io-18.09.1+dfsg1/debian/changelog    2020-06-14 22:12:29.000000000 
+0200
@@ -1,3 +1,9 @@
+docker.io (18.09.1+dfsg1-7.1+deb10u2) buster-security; urgency=medium
+
+  * Add upstream patch for CVE-2020-13401 (Closes: #962141)
+
+ -- Felix Geyer <fge...@debian.org>  Sun, 14 Jun 2020 22:12:29 +0200
+
 docker.io (18.09.1+dfsg1-7.1+deb10u1) buster-security; urgency=medium
 
   [ Arnaud Rebillout ]
diff -Nru 
docker.io-18.09.1+dfsg1/debian/patches/cve-2020-13401-disable-IPv6-router-advertisements.patch
 
docker.io-18.09.1+dfsg1/debian/patches/cve-2020-13401-disable-IPv6-router-advertisements.patch
--- 
docker.io-18.09.1+dfsg1/debian/patches/cve-2020-13401-disable-IPv6-router-advertisements.patch
      1970-01-01 01:00:00.000000000 +0100
+++ 
docker.io-18.09.1+dfsg1/debian/patches/cve-2020-13401-disable-IPv6-router-advertisements.patch
      2020-06-14 22:12:20.000000000 +0200
@@ -0,0 +1,65 @@
+From 153d0769a1181bf591a9637fd487a541ec7db1e6 Mon Sep 17 00:00:00 2001
+From: Samuel Karp <sk...@amazon.com>
+Date: Fri, 3 Apr 2020 16:23:18 -0700
+Subject: [PATCH] bridge: disable IPv6 router advertisements
+
+Signed-off-by: Samuel Karp <sk...@amazon.com>
+---
+ libnetwork/drivers/bridge/bridge.go       |  6 ++++++
+ libnetwork/drivers/bridge/setup_device.go | 19 +++++++++++++++++++
+ 2 files changed, 25 insertions(+)
+
+diff --git a/drivers/bridge/bridge.go b/drivers/bridge/bridge.go
+index b617ea7bc4..22ee29e238 100644
+--- a/libnetwork/drivers/bridge/bridge.go
++++ b/libnetwork/drivers/bridge/bridge.go
+@@ -679,6 +679,12 @@ func (d *driver) createNetwork(config 
*networkConfiguration) (err error) {
+       bridgeAlreadyExists := bridgeIface.exists()
+       if !bridgeAlreadyExists {
+               bridgeSetup.queueStep(setupDevice)
++              bridgeSetup.queueStep(setupDefaultSysctl)
++      }
++
++      // For the default bridge, set expected sysctls
++      if config.DefaultBridge {
++              bridgeSetup.queueStep(setupDefaultSysctl)
+       }
+ 
+       // Even if a bridge exists try to setup IPv4.
+diff --git a/drivers/bridge/setup_device.go b/drivers/bridge/setup_device.go
+index 548ad951df..1343305ae9 100644
+--- a/libnetwork/drivers/bridge/setup_device.go
++++ b/libnetwork/drivers/bridge/setup_device.go
+@@ -2,6 +2,9 @@ package bridge
+ 
+ import (
+       "fmt"
++      "io/ioutil"
++      "os"
++      "path/filepath"
+ 
+       "github.com/docker/docker/pkg/parsers/kernel"
+       "github.com/docker/libnetwork/netutils"
+@@ -49,6 +52,22 @@ func setupDevice(config *networkConfiguration, i 
*bridgeInterface) error {
+       return err
+ }
+ 
++func setupDefaultSysctl(config *networkConfiguration, i *bridgeInterface) 
error {
++      // Disable IPv6 router advertisements originating on the bridge
++      sysPath := filepath.Join("/proc/sys/net/ipv6/conf/", config.BridgeName, 
"accept_ra")
++      if _, err := os.Stat(sysPath); err != nil {
++              logrus.
++                      WithField("bridge", config.BridgeName).
++                      WithField("syspath", sysPath).
++                      Info("failed to read ipv6 
net.ipv6.conf.<bridge>.accept_ra")
++              return nil
++      }
++      if err := ioutil.WriteFile(sysPath, []byte{'0', '\n'}, 0644); err != 
nil {
++              return fmt.Errorf("libnetwork: Unable to disable IPv6 router 
advertisement: %v", err)
++      }
++      return nil
++}
++
+ // SetupDeviceUp ups the given bridge interface.
+ func setupDeviceUp(config *networkConfiguration, i *bridgeInterface) error {
+       err := i.nlh.LinkSetUp(i.Link)
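Review bot: In setupDefaultSysctl, any os.Stat failure on the accept_ra sysctl path — not only a missing file — logs at Info and returns nil, so a permission or I/O error silently leaves accept_ra at whatever value it already has and the bridge is brought up without the mitigation. Only the not-exist case (IPv6 compiled out or disabled, where the sysctl file is genuinely absent) should be a no-op; other errors should fail the step the same way the WriteFile error below does, e.g. `if !os.IsNotExist(err) {` / `return fmt.Errorf("libnetwork: unable to stat %s: %v", sysPath, err)` / `}` placed before the logrus call. The log text `"failed to read ipv6 net.ipv6.conf.<bridge>.accept_ra"` describes a read while the code only stats the file; `"accept_ra sysctl not present; skipping IPv6 router advertisement hardening"` would state what happened and why the step is skipped. Separately, in the createNetwork hunk the step is queued twice for a not-yet-existing default bridge (once in the `!bridgeAlreadyExists` branch and again under `config.DefaultBridge`); the write is idempotent so this is harmless, but the second queue could be conditioned on `bridgeAlreadyExists`. Both createNetwork and the setup_device.go import block continue outside the hunk.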
diff -Nru docker.io-18.09.1+dfsg1/debian/patches/series 
docker.io-18.09.1+dfsg1/debian/patches/series
--- docker.io-18.09.1+dfsg1/debian/patches/series       2019-09-03 
17:25:39.000000000 +0200
+++ docker.io-18.09.1+dfsg1/debian/patches/series       2020-06-14 
22:12:29.000000000 +0200
@@ -20,6 +20,7 @@
 cve-2019-13509-03-DebugRequestMiddleware-unconditionally-scrub-data-field.patch
 cve-2019-13509-04-DebugRequestMiddleware-Remove-path-handling.patch
 cve-2019-14271-Initialize-nss-libraries-in-Glibc.patch
+cve-2020-13401-disable-IPv6-router-advertisements.patch
 
 engine-contrib-debootstrap-curl-follow-location.patch
 engine-test-noinstall.patch
