Date: Fri, 14 Oct 2016 02:53:13 +0000 From: 张开翔 <zhangkaixiang@....cn> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: docker2aci: infinite loop in deps walking(CVE-2016-8579) Hello, It was found that docker2aci fall into an infinite loop while traversing the dependency ancestry of a malformed image file. ,this flaw may cause excessive CPU cycles & resources consume on the host. The happens because no essential check for duplicated image ID found in getAncestry() in docker2aci, CVE-2016-8579 was assigned to this flaw by cve-assign@...re.org<mailto:cve-assign@...re.org>. Here the reply from CVE Assignment Team: docker2aci is apparently a library [...] and we almost always recognize the potential for an unattended use case for any library. [...] Someone can call the ConvertSavedFile function from an arbitrary application. [...] It might be automated with cron or a similar unattended tool that runs in an unrestricted (non-container) environment. Thus, there is an availability impact because no human is around to notice the CPU usage. Use CVE-2016-8579. References: https://github.com/appc/docker2aci/issues/203(issue) https://github.com/lucab/docker2aci/commit/54331ec7020e102935c31096f336d31f6400064f(patch) Please, use it in the public communications regarding this flaw. Best regards, Kaixiang Zhang of Gear Team, Qihoo 360
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ