docker2aci: infinite loop in deps walking(CVE-2016-8579)

[张开翔 <zhangkaixiang () 360 cn>]

Hello,

It was found that docker2aci fall into an infinite loop while traversing the dependency ancestry of a malformed image 
file.
,this flaw may cause excessive CPU cycles & resources consume on the host. The happens because no essential check for 
duplicated
image ID found in  getAncestry() in docker2aci,


CVE-2016-8579 was assigned to this flaw by cve-assign () mitre org<mailto:cve-assign () mitre org>. Here the reply from 
CVE Assignment Team:

docker2aci is apparently a library [...] and we almost always recognize

the potential for an unattended use case for any library.

[...]

Someone can call the ConvertSavedFile function from an arbitrary

application. [...] It might be automated with cron or a similar unattended

tool that runs in an unrestricted (non-container) environment. Thus,

there is an availability impact because no human is around to notice

the CPU usage.



Use CVE-2016-8579.


References:

https://github.com/appc/docker2aci/issues/203(issue)

https://github.com/lucab/docker2aci/commit/54331ec7020e102935c31096f336d31f6400064f(patch)

Please, use it in the public communications regarding this flaw.


Best regards,

Kaixiang Zhang of Gear Team, Qihoo 360