CVE-2016-8867

NameCVE-2016-8867
DescriptionDocker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
docker.io (PTS)buster, buster (security)18.09.1+dfsg1-7.1+deb10u3fixed
bullseye20.10.5+dfsg1-1+deb11u2fixed
bookworm20.10.24+dfsg1-1fixed
sid, trixie20.10.25+dfsg1-3fixed
runc (PTS)buster1.0.0~rc6+dfsg1-3fixed
buster (security)1.0.0~rc6+dfsg1-3+deb10u3fixed
bullseye (security), bullseye1.0.0~rc93+ds1-5+deb11u3fixed
bookworm, bookworm (security)1.1.5+ds1-1+deb12u1fixed
sid, trixie1.1.12+ds1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
docker.iosource(unstable)(not affected)
runcsource(unstable)(not affected)

Notes

- docker.io <not-affected> (Not built from/with a runc with "ambient capabilities")
- runc <not-affected> ("ambient capabilities" introduced later, cf bug #853240)
https://github.com/docker/docker/issues/27590
docker: https://github.com/docker/docker/pull/27610/commits/d60a3418d0268745dff38947bc8c929fbd24f837 (1.12.3)
runc: https://github.com/opencontainers/runc/commit/a83f5bac28554fa0fd49bc1559a3c79f5907348f
docker.io not directly affected but will need to be updated to include new runc version
runc: "ambient capabilities" functionality added upstream with https://github.com/opencontainers/runc/pull/1086
and later changes.
The actual fix seem to be to revert the commit which introduced ambient capabilities
in runc.

Search for package or bug name: Reporting problems