From a21c7468bce244225f1eaea0e52b68ebd8f399ea Mon Sep 17 00:00:00 2001 
From: Funda Wang Date: Sat, 30 Nov 2024 10:21:13 +0800 Subject: [PATCH] fix CVE-2024-36620, CVE-2024-36621, CVE-2024-36623 (cherry picked from commit c0b254900730351d4f70590eb6692ae88c4523ab) --- ...018.patch => 1001-fix-cve-2024-29018.patch | 0 ...473.patch => 1002-fix-cve-2024-32473.patch | 0 ...1003-add-loongarch64-seccomp-support.patch | 0 ...ker-swarm-run-failed-for-loongarch64.patch | 0 ...4-41110.patch => 1005-CVE-2024-41110.patch | 0 ...work-osl-test-TestAddRemoveInterface.patch | 0 ...-Created-field-from-ImageInspect-res.patch | 0 ...gration-Add-container-output-utility.patch | 0 ...Don-t-check-source-exists-with-Creat.patch | 0 1010-fix-CVE-2024-36621.patch | 76 +++++++++++++++++++ 1011-fix-CVE-2024-36620.patch | 33 ++++++++ 1012-fix-CVE-2024-36623.patch | 45 +++++++++++ ...n-declaration-without-a-prototype-is.patch | 0 moby.spec | 47 +++++++----- 14 files changed, 180 insertions(+), 21 deletions(-) rename 0001-fix-cve-2024-29018.patch => 1001-fix-cve-2024-29018.patch (100%) rename 0002-fix-cve-2024-32473.patch => 1002-fix-cve-2024-32473.patch (100%) rename 0003-add-loongarch64-seccomp-support.patch => 1003-add-loongarch64-seccomp-support.patch (100%) rename 0004-fix-docker-swarm-run-failed-for-loongarch64.patch => 1004-fix-docker-swarm-run-failed-for-loongarch64.patch (100%) rename 0005-CVE-2024-41110.patch => 1005-CVE-2024-41110.patch (100%) rename 0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch => 1006-fix-libnetwork-osl-test-TestAddRemoveInterface.patch (100%) rename 0008-api-omit-missing-Created-field-from-ImageInspect-res.patch => 1007-api-omit-missing-Created-field-from-ImageInspect-res.patch (100%) rename 0009-integration-Add-container-output-utility.patch => 1008-integration-Add-container-output-utility.patch (100%) rename 0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch => 1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch (100%) create mode 100644 1010-fix-CVE-2024-36621.patch create mode 100644 
1011-fix-CVE-2024-36620.patch create mode 100644 1012-fix-CVE-2024-36623.patch rename 0006-tini.c-a-function-declaration-without-a-prototype-is.patch => 2001-tini.c-a-function-declaration-without-a-prototype-is.patch (100%) diff --git a/0001-fix-cve-2024-29018.patch b/1001-fix-cve-2024-29018.patch similarity index 100% rename from 0001-fix-cve-2024-29018.patch rename to 1001-fix-cve-2024-29018.patch diff --git a/0002-fix-cve-2024-32473.patch b/1002-fix-cve-2024-32473.patch similarity index 100% rename from 0002-fix-cve-2024-32473.patch rename to 1002-fix-cve-2024-32473.patch diff --git a/0003-add-loongarch64-seccomp-support.patch b/1003-add-loongarch64-seccomp-support.patch similarity index 100% rename from 0003-add-loongarch64-seccomp-support.patch rename to 1003-add-loongarch64-seccomp-support.patch diff --git a/0004-fix-docker-swarm-run-failed-for-loongarch64.patch b/1004-fix-docker-swarm-run-failed-for-loongarch64.patch similarity index 100% rename from 0004-fix-docker-swarm-run-failed-for-loongarch64.patch rename to 1004-fix-docker-swarm-run-failed-for-loongarch64.patch diff --git a/0005-CVE-2024-41110.patch b/1005-CVE-2024-41110.patch similarity index 100% rename from 0005-CVE-2024-41110.patch rename to 1005-CVE-2024-41110.patch diff --git a/0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch b/1006-fix-libnetwork-osl-test-TestAddRemoveInterface.patch similarity index 100% rename from 0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch rename to 1006-fix-libnetwork-osl-test-TestAddRemoveInterface.patch diff --git a/0008-api-omit-missing-Created-field-from-ImageInspect-res.patch b/1007-api-omit-missing-Created-field-from-ImageInspect-res.patch similarity index 100% rename from 0008-api-omit-missing-Created-field-from-ImageInspect-res.patch rename to 1007-api-omit-missing-Created-field-from-ImageInspect-res.patch 
diff --git a/0009-integration-Add-container-output-utility.patch b/1008-integration-Add-container-output-utility.patch similarity index 100% rename from 0009-integration-Add-container-output-utility.patch rename to 1008-integration-Add-container-output-utility.patch diff --git a/0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch b/1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch similarity index 100% rename from 0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch rename to 1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch diff --git a/1010-fix-CVE-2024-36621.patch b/1010-fix-CVE-2024-36621.patch new file mode 100644 index 0000000..2f9fe88 --- /dev/null +++ b/1010-fix-CVE-2024-36621.patch 
@@ -0,0 +1,76 @@ +From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi +Date: Wed, 6 Mar 2024 23:11:32 -0800 +Subject: [PATCH] builder-next: fix missing lock in ensurelayer + +When this was called concurrently from the moby image +exporter there could be a data race where a layer was +written to the refs map when it was already there. + +In that case the reference count got mixed up and on +release only one of these layers was actually released. + +Signed-off-by: Tonis Tiigi +--- + .../builder-next/adapters/snapshot/layer.go | 3 +++ + .../adapters/snapshot/snapshot.go | 19 +++++++++++-------- + 2 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go +index 73120ea70b2ee..fc83058339c7b 100644 +--- a/builder/builder-next/adapters/snapshot/layer.go ++++ b/builder/builder-next/adapters/snapshot/layer.go +@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI + } + + func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) { ++ s.layerCreateLocker.Lock(key) ++ defer s.layerCreateLocker.Unlock(key) ++ + diffIDs, err := s.GetDiffIDs(ctx, key) + if err != nil { + return nil, err +diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go +index a0d28ad984ba4..510ffefb49406 100644 +--- a/builder/builder-next/adapters/snapshot/snapshot.go ++++ b/builder/builder-next/adapters/snapshot/snapshot.go +@@ -17,6 +17,7 @@ import ( + "github.com/moby/buildkit/identity" + "github.com/moby/buildkit/snapshot" + "github.com/moby/buildkit/util/leaseutil" ++ "github.com/moby/locker" + "github.com/opencontainers/go-digest" + "github.com/pkg/errors" + bolt "go.etcd.io/bbolt" +@@ -51,10 +52,11 @@ type checksumCalculator interface { + type snapshotter struct { + opt Opt + +- refs map[string]layer.Layer +- db *bolt.DB 
+- mu sync.Mutex +- reg graphIDRegistrar ++ refs map[string]layer.Layer ++ db *bolt.DB ++ mu sync.Mutex ++ reg graphIDRegistrar ++ layerCreateLocker *locker.Locker + } + + // NewSnapshotter creates a new snapshotter +@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho + } + + s := &snapshotter{ +- opt: opt, +- db: db, +- refs: map[string]layer.Layer{}, +- reg: reg, ++ opt: opt, ++ db: db, ++ refs: map[string]layer.Layer{}, ++ reg: reg, ++ layerCreateLocker: locker.New(), + } + + slm := newLeaseManager(s, prevLM) diff --git a/1011-fix-CVE-2024-36620.patch b/1011-fix-CVE-2024-36620.patch new file mode 100644 index 0000000..2f2ca22 --- /dev/null +++ b/1011-fix-CVE-2024-36620.patch @@ -0,0 +1,33 @@ +From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001 +From: Christopher Petito <47751006+krissetto@users.noreply.github.com> +Date: Fri, 19 Apr 2024 10:44:30 +0000 +Subject: [PATCH] nil dereference fix on image history Created value + +Issue was caused by the changes here https://github.com/moby/moby/pull/45504 +First released in v25.0.0-beta.1 + +Signed-off-by: Christopher Petito <47751006+krissetto@users.noreply.github.com> +--- + daemon/images/image_history.go | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go +index 1617f8be62906..f621ceae13bc6 100644 +--- a/daemon/images/image_history.go ++++ b/daemon/images/image_history.go +@@ -43,9 +43,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image. + layerCounter++ + } + ++ var created int64 ++ if h.Created != nil { ++ created = h.Created.Unix() ++ } ++ + history = append([]*image.HistoryResponseItem{{ + ID: "", +- Created: h.Created.Unix(), ++ Created: created, + CreatedBy: h.CreatedBy, + Comment: h.Comment, + Size: layerSize, 
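Review bot: The new `layerCreateLocker` field on `snapshotter` has no comment, so a reader of `EnsureLayer` now sees two locks (`mu` and the per-key locker) with no stated division of labour. The patch description says the per-key lock exists so that concurrent `EnsureLayer` calls for the same key cannot both insert the layer into `refs` and unbalance its reference count; I would put that on the field: `// layerCreateLocker serializes EnsureLayer per key so concurrent callers cannot register the same layer twice (CVE-2024-36621).` The body of `EnsureLayer` continues past the hunk, so whether the `refs` writes that follow `GetDiffIDs` are still taken under `mu` cannot be confirmed here. If this is `github.com/moby/locker`, `Unlock` returns an error that the `defer` silently discards; that is harmless since the lock was taken two lines earlier, but `defer func() { _ = s.layerCreateLocker.Unlock(key) }()` would make the intent explicit.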
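Review bot: Substituting `0` when `h.Created` is nil removes the nil dereference but makes an absent timestamp indistinguishable from a genuine Unix-epoch value, since `HistoryResponseItem.Created` is an `int64` with no way to express "unknown". The pointer presumably comes from a history entry in the image config, where the field is optional, so a short comment at the `var created int64` declaration would stop the next reader from "simplifying" it back to `h.Created.Unix()`: `// Created is optional in the image history entry; report 0 instead of dereferencing nil (CVE-2024-36620).` The enclosing loop in `ImageHistory` starts before the hunk, so I cannot tell whether the same pointer is read anywhere else in the function.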
diff --git a/1012-fix-CVE-2024-36623.patch b/1012-fix-CVE-2024-36623.patch new file mode 100644 index 0000000..6018f33 --- /dev/null +++ b/1012-fix-CVE-2024-36623.patch @@ -0,0 +1,45 @@ +From 5689dabfb357b673abdb4391eef426f297d7d1bb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= +Date: Thu, 22 Feb 2024 18:01:40 +0100 +Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Sync access to the underlying `io.Writer` with a mutex. + +Signed-off-by: Paweł Gronowski +--- + pkg/streamformatter/streamformatter.go | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go +index b0456e580dc9d..098df6b5236b9 100644 +--- a/pkg/streamformatter/streamformatter.go ++++ b/pkg/streamformatter/streamformatter.go +@@ -5,6 +5,7 @@ import ( + "encoding/json" + "fmt" + "io" ++ "sync" + + "github.com/docker/docker/pkg/jsonmessage" + "github.com/docker/docker/pkg/progress" +@@ -109,6 +110,7 @@ type progressOutput struct { + sf formatProgress + out io.Writer + newLines bool ++ mu sync.Mutex + } + + // WriteProgress formats progress information from a ProgressReader. +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { + jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} + formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) + } ++ ++ out.mu.Lock() ++ defer out.mu.Unlock() + _, err := out.out.Write(formatted) + if err != nil { + return err 
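Review bot: `progressOutput` now embeds a `sync.Mutex`, so the type must only be handled through a pointer; the constructor that builds it is outside this hunk, so please confirm it returns `*progressOutput` and that nothing copies the struct by value (`go vet`'s copylocks check reports this). The lock taken before `out.out.Write(formatted)` is released by `defer`, so it also covers whatever `WriteProgress` does after the `return err` shown here — the rest of the function is outside the hunk. It only serialises writes that go through this method; any other code writing to the same underlying `io.Writer` remains unsynchronised, which is worth stating on the field: `// mu guards out: concurrent WriteProgress calls must not interleave their writes.`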
diff --git a/0006-tini.c-a-function-declaration-without-a-prototype-is.patch b/2001-tini.c-a-function-declaration-without-a-prototype-is.patch similarity index 100% rename from 0006-tini.c-a-function-declaration-without-a-prototype-is.patch rename to 2001-tini.c-a-function-declaration-without-a-prototype-is.patch diff --git a/moby.spec b/moby.spec index 7e580c8..1e4c00d 100644 --- a/moby.spec +++ b/moby.spec @@ -7,7 +7,7 @@ Name: moby Version: 25.0.3 -Release: 21 +Release: 22 Summary: The open-source application container engine License: Apache-2.0 URL: https://www.docker.com 
@@ -20,16 +20,22 @@ Source2: tini-0.19.0.tar.gz Source3: docker.service Source4: docker.socket Source5: docker.sysconfig -Patch0001: 0001-fix-cve-2024-29018.patch -Patch0002: 0002-fix-cve-2024-32473.patch -Patch0003: 0003-add-loongarch64-seccomp-support.patch -Patch0004: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch -Patch0005: 0005-CVE-2024-41110.patch -Patch0006: 0006-tini.c-a-function-declaration-without-a-prototype-is.patch -Patch0007: 0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch -Patch0008: 0008-api-omit-missing-Created-field-from-ImageInspect-res.patch -Patch0009: 0009-integration-Add-container-output-utility.patch -Patch0010: 0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch +# Patch 0001-0999 for cli +# Patch 1001-1999 for moby +Patch1001: 1001-fix-cve-2024-29018.patch +Patch1002: 1002-fix-cve-2024-32473.patch +Patch1003: 1003-add-loongarch64-seccomp-support.patch +Patch1004: 1004-fix-docker-swarm-run-failed-for-loongarch64.patch +Patch1005: 1005-CVE-2024-41110.patch +Patch1006: 1006-fix-libnetwork-osl-test-TestAddRemoveInterface.patch +Patch1007: 1007-api-omit-missing-Created-field-from-ImageInspect-res.patch +Patch1008: 1008-integration-Add-container-output-utility.patch +Patch1009: 1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch +Patch1010: 1010-fix-CVE-2024-36621.patch +Patch1011: 1011-fix-CVE-2024-36620.patch +Patch1012: 1012-fix-CVE-2024-36623.patch +# Patch 2001-2999 for tini +Patch2001: 2001-tini.c-a-function-declaration-without-a-prototype-is.patch Requires(meta): %{name}-engine = %{version}-%{release} Requires(meta): %{name}-client = %{version}-%{release} 
@@ -108,18 +114,11 @@ Proxy used for docker port mapping. %prep %setup -q -n %{_source_client} +%autopatch -p1 -m 0001 -M 0999 %setup -q -T -n %{_source_engine} -b 1 -%patch 0001 -p1 -%patch 0002 -p1 -%patch 0003 -p1 -%patch 0004 -p1 -%patch 0005 -p1 -%patch 0007 -p1 -%patch 0008 -p1 -%patch 0009 -p1 -%patch 0010 -p1 +%autopatch -p1 -m 1001 -M 1999 %setup -q -T -n %{_source_docker_init} -b 2 -%patch 0006 -p1 +%autopatch -p1 -m 2001 -M 2999 %build export GO111MODULE=off @@ -128,6 +127,8 @@ export DOCKER_GITCOMMIT=%{_gitcommit_engine} export DOCKER_BUILDTAGS="exclude_graphdriver_btrfs" pushd %{_builddir}/%{_source_engine} +CGO_CFLAGS="%{build_cflags}" \ +CGO_LDFLAGS="%{build_ldflags}" \ AUTO_GOPATH=1 VERSION=%{version} PRODUCT=docker hack/make.sh dynbinary popd @@ -224,6 +225,10 @@ fi %systemd_postun_with_restart docker.service %changelog +* Sat Nov 30 2024 Funda Wang - 25.0.3-22 +- fix CVE-2024-36620, CVE-2024-36621, CVE-2024-36623 +- reorganize patches so that they could be applied automatically + * Fri Nov 29 2024 Funda Wang - 25.0.3-21 - convert patches into unix format -- Gitee
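Review bot: The `%build` hunk starts passing `CGO_CFLAGS="%{build_cflags}"` and `CGO_LDFLAGS="%{build_ldflags}"` to `hack/make.sh`, which changes how the cgo parts of the daemon are compiled and linked, yet neither the commit message nor the new changelog entry mentions it. That is a hardening-relevant change (distribution flags usually carry stack-protector, fortify and RELRO settings, though what `%{build_cflags}` expands to on this target cannot be seen here), so it deserves its own changelog line, e.g. `- build cgo code with the distribution hardening cflags/ldflags`. If `hack/make.sh` sets its own `CGO_LDFLAGS` internally the exported value may be overridden, so verify the result with `checksec` or `readelf -d` on the built `dockerd` rather than assuming the flags took effect.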