Hi,

On Thu, Apr 27, 2023 at 01:18:03PM +0000, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report
> which was filed against the src:docker.io package:
> 
> #1034886: docker.io: CVE-2022-37708
> 
> It has been closed by Moritz Muehlenhoff <j...@inutil.org>.
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Moritz Muehlenhoff
> <j...@inutil.org> by replying to this email.
> 
> 
> -- 
> 1034886: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034886
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems

> From: Moritz Muehlenhoff <j...@inutil.org>
> User-Agent: Mutt/1.10.1 (2018-07-13)
> Date: Thu, 27 Apr 2023 15:14:47 +0200
> To: Shengjing Zhu <z...@debian.org>
> Cc: 1034886-d...@bugs.debian.org, Tianon Gravi <tia...@debian.org>
> Subject: Re: Bug#1034886: docker.io: CVE-2022-37708
> Message-ID: <20230427131447.ga31...@inutil.org>
> 
> On Thu, Apr 27, 2023 at 04:21:21AM +0800, Shengjing Zhu wrote:
> > On Thu, Apr 27, 2023 at 1:39 AM Moritz Mühlenhoff <j...@inutil.org> wrote:
> > >
> > > Source: docker.io
> > > X-Debbugs-CC: t...@security.debian.org
> > > Severity: important
> > > Tags: security
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for docker.io.
> > >
> > > CVE-2022-37708[0]:
> > > | Docker version 20.10.15, build fd82621 is vulnerable to Insecure
> > > | Permissions. Unauthorized users outside the Docker container can
> > > | access any files within the Docker container.
> > >
> > > The only reference here seems to be
> > > upstream: https://github.com/thekevinday/docker_lightman_exploit
> > >
> > > Not sure if this was reported upstream
> > 
> > I have talked to Tianon on 2023-02-28, and we concluded that it's not
> > a security issue, just working as expected.
> 
> Yeah, it's hard to understand why this got a CVE assigned. 
> 
> > Tianon said he will ask someone inside the Docker company. Not sure if
> > they have successfully invalidated this CVE.
> 
> Sounds good, in the mean time I'll record it as a non-issue in the Security
> Tracker (independent of whether Docker Inc rejects it or not). We can also
> simply close the bug.

FWIW, the CVE got rejected.

Regards,
Salvatore
