Bug 1143409 - (CVE-2019-14271) VUL-1: CVE-2019-14271: docker: code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other Other
Importance: P4 - Low, Normal
Assigned To: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/238236/
Reported: 2019-07-30 09:55 UTC by Alexandros Toptsoglou
Modified: 2019-09-04 06:19 UTC (History)
Found By: Security Response Team


Description Alexandros Toptsoglou 2019-07-30 09:55:54 UTC
CVE-2019-14271

In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc),
code injection can occur when the nsswitch facility dynamically loads a library
inside a chroot that contains the contents of the container.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14271
http://www.cvedetails.com/cve/CVE-2019-14271/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14271
https://docs.docker.com/engine/release-notes/
https://github.com/moby/moby/issues/39449
Comment 1 Alexandros Toptsoglou 2019-07-30 09:58:06 UTC
Affects only version 19.03.0
Comment 2 Aleksa Sarai 2019-07-31 06:59:41 UTC
I've already submitted the v19.03.1 update to Factory (and it's been merged already) as well as SLE. Since this bug was opened after submission, I'll add the reference for future package updates (since the CVE is referenced in the changelog already).
Comment 3 Swamp Workflow Management 2019-08-13 16:11:29 UTC
SUSE-SU-2019:2117-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    containerd-1.2.6-5.16.1, containerd-kubic-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-kubic-19.03.1_ce-6.26.2, docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Containers 15 (src):    containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2019-08-13 16:13:52 UTC
SUSE-SU-2019:2119-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1100331,1121967,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
SUSE OpenStack Cloud 6-LTSS (src):    containerd-1.2.6-16.23.1, docker-19.03.1_ce-98.46.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.2.6-16.23.1, docker-19.03.1_ce-98.46.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
SUSE CaaS Platform 3.0 (src):    containerd-kubic-1.2.6-16.23.1, docker-kubic-19.03.1_ce-98.46.1, docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2019-08-29 22:14:24 UTC
openSUSE-SU-2019:2021-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
openSUSE Leap 15.1 (src):    containerd-1.2.6-lp151.2.6.1, docker-19.03.1_ce-lp151.2.12.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1
openSUSE Leap 15.0 (src):    containerd-1.2.6-lp150.4.17.1, docker-19.03.1_ce-lp150.5.27.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp150.5.25.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp150.3.18.1
Comment 6 Marcus Meissner 2019-09-04 06:19:13 UTC
released