[CentOS-devel] docker, CVE-2019-13139 and announcements for updates in extras

Fri Jun 4 15:17:26 UTC 2021
Stefan Puiu <stefan.puiu at gmail.com>

Hi Jonathan,

On Fri, Jun 4, 2021 at 4:07 PM Jonathan Billings <billings at negate.org> wrote:
> On Fri, Jun 04, 2021 at 03:22:09PM +0300, Stefan Puiu wrote:
> > For a while now, the tool has been complaining that the version of
> > docker we ship is vulnerable to CVE-2019-13139. As far as I can tell,
> > we have a version that includes the fix, based on the Red Hat
> > advisory: https://access.redhat.com/errata/RHBA-2019:3092 says we need
> > docker-1.13.1-104.git4ef4b30, and we have 204.git0be3e21.
> They don't understand that
> docker-1.13.1-204.git0be3e21 > docker-1.13.1-104.git4ef4b30 ?
> You could point out that CentOS is a rebuild of RHEL so any RHBAs
> posted for a particular version of RHEL7 applies to the same version
> in CentOS 7.

I pointed out both things (the newer version and CentOS being a RHEL
rebuild) to them; so far it seems they weren't convinced.

> > I'm trying to work with the tool vendor to sort this out. As a
> > developer, I think checking the code is the best way; I've found the
> > Docker RH fork on github, which has a RHEL branch that seems to be
> > used in both CentOS and RHEL
> > (https://github.com/projectatomic/docker/tree/docker-1.13.1-rhel).
> https://git.centos.org/rpms/docker/ is where the RPM SPECs, patches
> and related files are posted.  For example, the one in Extras is:
> https://git.centos.org/rpms/docker/tree/c7-extras and you can see the
> commit to import the 104 release here:
> https://git.centos.org/rpms/docker/c/bcf506d56383fd92ea5e3516f8950c43f44079eb?branch=c7-extras
> You can look at the commit history for the package:
> https://git.centos.org/rpms/docker/commits/c7-extras
> Interestingly, the r104 looks like it failed automatic debranding, and
> it didn't get properly debranded until Johnny Hughes manually did it
> in r108.  But I doubt that makes any difference in your issue,
> although it might have changed any announcements at the time.

I had found the c7-extras branch; I should've probably mentioned that
in the first place. It's there that I found the github link; see for
example the SPECS/docker.spec change, where there is this line:

# docker
%global git_docker https://github.com/projectatomic/docker
- %global commit_docker 7f2769b9e0572f62730d91e79e674efd59b7e234
+ %global commit_docker 4ef4b30c57f05be26c9387ef0828e86c2ed543b8

So I just went to the github link and searched for the new commit.
Probably from there (or from the list of branches) I found the RHEL /
CentOS branch.

> > However, probably the tool people have some kind of different process
> > in place. So my question is: is it reasonable to expect any bugfix or
> > security update fetched from RHEL to CentOS to come with an
> > announcement on the centos-announce mailing list? Is there a filter
> > for some packages? I see docker is in extras, not in CentOS-Base,
> > maybe updates to those are not announced?
> I don't see any posts to any lists during the timeframe that it was
> imported and published by CentOS.  I'd honestly like to know if
> there's any particular rules for how centos-announce posts get
> generated too.  I imagine that now that the Stream releases precede
> the RHEL package releases, there might be a different set of rules?
> I tried to find something in the wiki but apparently I searched too
> many times and it told me to not search so frequently.  Google didn't
> show anything though.

I've downloaded the archives of centos-announce since January 2019 and
grepped for 'docker'. I only see multiple announcements for pcp, which
includes a pcp-pmda-docker RPM, and a reference to Dockerhub. Nothing
about docker itself.

$ zgrep -i docker 20*
2021-March.txt.gz:- We are still in discussions on how to push these
properly to Dockerhub.

I also think clarifying the process would help.
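The disagreement with the scanner in this thread comes down to how RPM
version strings are ordered: a release of 204.git0be3e21 sorts after
104.git4ef4b30 under rpm's segment-wise comparison, so a fix that shipped
in -104 is present in -204. The following is an added example, written for
this editorial note and not code from the thread, CentOS or rpm itself; it
reimplements rpm's rpmvercmp() rules in Python (numeric segments compared
by value, alpha segments lexically, numeric beats alpha, '~' sorts below
everything, '^' sorts above the bare base version) and uses it to check an
installed name-version-release against the fixed one named in an advisory.
The package strings are the two from the thread; the function and variable
names are this example's own.

```python
"""Added example: RPM version ordering as a scanner should apply it.

Reimplements the rpmvercmp() segment rules from rpm (written here for
illustration, not rpm's own code) so a vulnerability check can decide
whether an installed package already carries an advisory's fix.
"""


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings; return -1, 0 or 1 like rpm."""
    if a == b:
        return 0
    i, j, la, lb = 0, 0, len(a), len(b)
    while i < la or j < lb:
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        # Tilde sorts before everything, including end of string (1.0~rc1 < 1.0).
        if ca == "~" or cb == "~":
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        # Caret is like tilde, except the bare base version is the lower one
        # (1.0^git1 > 1.0 but 1.0^git1 < 1.0.1).
        if ca == "^" or cb == "^":
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        # Take the next all-digit or all-alpha segment from both strings.
        isnum = ca.isdigit()
        ia, jb = i, j
        if isnum:
            while ia < la and a[ia].isdigit():
                ia += 1
            while jb < lb and b[jb].isdigit():
                jb += 1
        else:
            while ia < la and a[ia].isalpha():
                ia += 1
            while jb < lb and b[jb].isalpha():
                jb += 1
        seg_a, seg_b = a[i:ia], b[j:jb]
        if not seg_b:
            # Mixed types: a numeric segment is always newer than an alpha one.
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ia, jb
    if i >= la and j >= lb:
        return 0
    # Whichever string still has characters left wins (1.13.1 > 1.13).
    return -1 if i >= la else 1


def parse_nevr(pkg: str) -> tuple:
    """Split 'name-[epoch:]version-release' (no arch) into (name, epoch, version, release)."""
    name, version, release = pkg.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


def label_compare(evr1: tuple, evr2: tuple) -> int:
    """Compare (epoch, version, release) tuples the way rpm's labelCompare does."""
    for x, y in zip(evr1, evr2):
        rc = rpmvercmp(x, y)
        if rc:
            return rc
    return 0


def fix_is_installed(installed: str, fixed_in: str) -> bool:
    """True when the installed package is at or above the advisory's fixed version."""
    name1, *evr1 = parse_nevr(installed)
    name2, *evr2 = parse_nevr(fixed_in)
    if name1 != name2:
        raise ValueError(f"package names differ: {name1} vs {name2}")
    return label_compare(tuple(evr1), tuple(evr2)) >= 0


if __name__ == "__main__":
    # The two versions from the thread: what CentOS 7 extras ships vs. the
    # build RHBA-2019:3092 names as carrying the fix.
    shipped = "docker-1.13.1-204.git0be3e21"
    fixed = "docker-1.13.1-104.git4ef4b30"
    print(shipped, ">=", fixed, "->", fix_is_installed(shipped, fixed))
```

The same comparison is what `rpm --eval` and `rpmdev-vercmp` perform on a
CentOS box; a scanner that treats the release string as a plain number or
as opaque text will flag backported fixes as missing, which is the false
positive this thread describes.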