Fluid Attacks Database

Description

Arbitrary Code Execution Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/docker/docker	>=0 <1.3.3	1.3.3
debian 13	docker.io	>=0 <1.3.3~dfsg1-1	1.3.3~dfsg1-1
debian 11	docker.io	>=0 <1.3.3~dfsg1-1	1.3.3~dfsg1-1
debian 14	docker.io	>=0 <1.3.3~dfsg1-1	1.3.3~dfsg1-1
debian 12	docker.io	>=0 <1.3.3~dfsg1-1	1.3.3~dfsg1-1

Aliases

1. CVE-2014-93572. NVD-2014-93573. OSV-2014-93574. OSV-DEBIAN-2014-93575. GCVE-2014-93576. SECURITY-TRACKER-CVE-2014-9357

References

1. https://github.com/docker/docker/compare/aef842e7dfb534aba22c3c911de525ce9ac12b72...313a1b7620910e47d888f8b0a6a5eb06ad9c1ff22. https://github.com/moby/moby/blob/master/CHANGELOG.md#133-2014-12-113. https://groups.google.com/forum/#!msg/docker-user/nFAz-B-n4Bw/0wr3wvLsnUwJ4. https://groups.google.com/forum/#%21msg/docker-user/nFAz-B-n4Bw/0wr3wvLsnUwJ5. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-93576. http://www.securityfocus.com/archive/1/534215/100/0/threaded