Package: docker.io
Version: 26.1.5+dfsg1-9+b9
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
I acquired the image quay.io/ansible-community/test-image:debian-13-trixie, which is basically a trixie with some things preinstalled so it can be used for testing Ansible collections. When I run the latter…

$ ansible-test integration --docker quay.io/ansible-community/test-image:debian-13-trixie --python 3.13 --docker-privileged -v $mytestname

… I get messages from the systemd running inside the image (!) in my host kernel log (dmesg) (!), and it switches X11 off temporarily (!!!!).

I probably need to explain the latter. I normally log in on the emulated text console, then do things like start the network (select the WLAN to use), then run “exec startx”. This makes it so that when I press Ctrl-Alt-F2 it switches to the second text console, and Ctrl-Alt-F1 switches back to the first one, which X11 is now overlaying (it used to be that startx ran the X server on Ctrl-Alt-F7 instead and Ctrl-Alt-F1 showed the X server’s output). When I start these tests, the text console “below” the X server is shown. I switch to Ctrl-Alt-F2 and back to Ctrl-Alt-F1 and get my X session back, but this is… majorly confusing.

If I run…

$ docker run --privileged --rm -it quay.io/ansible-community/test-image:debian-13-trixie

… I get more systemd logs in my host syslog, even about things like it changing sysctls like kernel.core_pattern.

I’m not sure what the exact amount of bleed-through (isolation failure) is, as I’m not normally a Docker user and no kernel or container expert, but this is definitely something someone ought to look into. If it’s not an exploitable issue (other than syslog/klog spoofing), feel free to downgrade severity.

FWIW, without --privileged I just get…

| Failed to set RLIMIT_CORE: Operation not permitted
| Failed to mount tmpfs (type tmpfs) on /run (MS_NOSUID|MS_NODEV|MS_STRICTATIME "mode=0755,size=20%,nr_inodes=800k"): Operation not permitted
| [!!!!!!] Failed to mount API filesystems.
| Exiting PID 1...
… but in my (admittedly limited) exposure to Docker on buster/bullseye I’ve never seen things like that happen even with it.

-- System Information:
Debian Release: 13.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.41+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages docker.io depends on:
ii  adduser              3.152
ii  containerd           1.7.24~ds1-6+b4
ii  init-system-helpers  1.68
ii  iptables             1.8.11-2
ii  libc6                2.41-12
ii  libsystemd0          257.7-1
ii  runc                 1.1.15+ds1-2+b4
ii  sysvinit-utils       3.14-4
ii  tini                 0.19.0-3+b3

Versions of packages docker.io recommends:
pn  apparmor                        <none>
ii  ca-bundle [ca-certificates]     20190604
pn  dbus-user-session               <none>
ii  docker-cli                      26.1.5+dfsg1-9+b9
ii  git                             1:2.47.2-0.2
ii  needrestart                     3.11-1
ii  xz-utils                        5.8.1-1

Versions of packages docker.io suggests:
pn  aufs-tools                  <none>
pn  btrfs-progs                 <none>
pn  cgroupfs-mount              <none>
pn  debootstrap                 <none>
pn  docker-doc                  <none>
ii  e2fsprogs                   1.47.2-3+b3
pn  rinse                       <none>
pn  rootlesskit                 <none>
pn  xfsprogs                    <none>
pn  zfs-fuse | zfsutils-linux   <none>

-- no debconf information
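The host-visible effects described above (kernel log writes, sysctl changes, VT switching) follow from the capability set a --privileged container's PID 1 receives. The following host-side check is an added example, not part of the bug report or of the docker.io package: it decodes the CapEff mask from /proc/<pid>/status and names the capabilities that reach host-global kernel facilities. The two sample masks are constructed from the kernel's capability numbering (Docker's default set on amd64, and the full 41-bit set a privileged container gets); the docker commands assume you run it on the Docker host.

```shell
#!/bin/sh
# Added example: flag host-reaching capabilities in a container's CapEff mask.

# has_cap MASK BIT -> succeeds if bit BIT is set in the hex MASK from CapEff.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# host_reaching_caps MASK -> prints the risky capabilities present in MASK.
# Bit numbers are from linux/capability.h:
#   SYS_MODULE (16)     load kernel modules
#   SYS_ADMIN (21)      write sysctls such as kernel.core_pattern when /proc/sys is writable
#   SYS_BOOT (22)       reboot the host kernel
#   SYS_TTY_CONFIG (26) VT switching ioctls on consoles the process does not own
#   SYSLOG (34)         read/clear the kernel ring buffer
host_reaching_caps() {
    found=""
    for entry in SYS_MODULE=16 SYS_ADMIN=21 SYS_BOOT=22 SYS_TTY_CONFIG=26 SYSLOG=34; do
        name=${entry%=*}
        bit=${entry#*=}
        if has_cap "$1" "$bit"; then
            found="$found CAP_$name"
        fi
    done
    printf '%s\n' "${found# }"
}

# capeff_of_pid PID -> the CapEff mask of a running process on this host.
capeff_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# Constructed sample masks (not taken from the report):
DEFAULT_MASK=00000000a80425fb      # Docker default bounding set on amd64
PRIVILEGED_MASK=000001ffffffffff   # full set on a kernel with 41 capabilities

# On a Docker host, report every running container whose PID 1 holds
# host-reaching capabilities, alongside the Privileged flag Docker recorded.
if command -v docker >/dev/null 2>&1; then
    for c in $(docker ps -q 2>/dev/null); do
        info=$(docker inspect --format '{{.State.Pid}} {{.Name}} {{.HostConfig.Privileged}}' "$c") || continue
        pid=${info%% *}
        risky=$(host_reaching_caps "$(capeff_of_pid "$pid")")
        [ -n "$risky" ] && printf '%s -> %s\n' "$info" "$risky"
    done
fi
```

Run it while the test container from the report is up; a container whose PID 1 holds CAP_SYS_TTY_CONFIG and CAP_SYSLOG is one whose systemd can produce exactly the console and klog effects described.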

