From: Félix Piédallu <[email protected]>
This reverts commit 78abd77b8695705e6e55266745c838bb665486de.
Security fixes are backported in v25.0.9.
---
recipes-containers/docker/docker-moby_git.bb | 2 -
.../docker/files/CVE-2024-41110_1.patch | 177 ---------------------
.../docker/files/CVE-2024-41110_2.patch | 99 ------------
3 files changed, 278 deletions(-)
diff --git a/recipes-containers/docker/docker-moby_git.bb
b/recipes-containers/docker/docker-moby_git.bb
index b1b2cbb5..1331930e 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -59,8 +59,6 @@ SRC_URI = "\
file://CVE-2024-36620.patch;patchdir=src/import \
file://CVE-2024-36621.patch;patchdir=src/import \
file://CVE-2024-29018.patch;patchdir=src/import \
- file://CVE-2024-41110_1.patch;patchdir=src/import \
- file://CVE-2024-41110_2.patch;patchdir=src/import \
"
DOCKER_COMMIT = "${SRCREV_moby}"
diff --git a/recipes-containers/docker/files/CVE-2024-41110_1.patch
b/recipes-containers/docker/files/CVE-2024-41110_1.patch
deleted file mode 100644
index 7f74348a..00000000
--- a/recipes-containers/docker/files/CVE-2024-41110_1.patch
+++ /dev/null
@@ -1,177 +0,0 @@
-From 88c4b7690840044ce15489699294ec7c5dadf5dd Mon Sep 17 00:00:00 2001
-From: Jameson Hyde <[email protected]>
-Date: Mon, 26 Nov 2018 14:15:22 -0500
-Subject: [PATCH] Authz plugin security fixes for 0-length content and path
- validation Signed-off-by: Jameson Hyde <[email protected]>
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-fix comments
-
-(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e)
-Signed-off-by: Paweł Gronowski <[email protected]>
-(cherry picked from commit 2ac8a479c53d9b8e67c55f1e283da9d85d2b3415)
-Signed-off-by: Paweł Gronowski <[email protected]>
-
-Upstream-Status: Backport from
[https://github.com/moby/moby/commit/88c4b7690840044ce15489699294ec7c5dadf5dd]
-CVE: CVE-2024-41110
-Signed-off-by: Siddharth Doshi <[email protected]>
----
- pkg/authorization/authz.go | 38 ++++++++++++++++++---
- pkg/authorization/authz_unix_test.go | 49 ++++++++++++++++++++++++++--
- 2 files changed, 80 insertions(+), 7 deletions(-)
-
-diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
-index 1eb44315dd..4c2e90b251 100644
---- a/pkg/authorization/authz.go
-+++ b/pkg/authorization/authz.go
-@@ -8,6 +8,8 @@ import (
- "io"
- "mime"
- "net/http"
-+ "net/url"
-+ "regexp"
- "strings"
-
- "github.com/containerd/log"
-@@ -53,10 +55,23 @@ type Ctx struct {
- authReq *Request
- }
-
-+func isChunked(r *http.Request) bool {
-+ // RFC 7230 specifies that content length is to be ignored if
Transfer-Encoding is chunked
-+ if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
-+ return true
-+ }
-+ for _, v := range r.TransferEncoding {
-+ if 0 == strings.Compare(strings.ToLower(v), "chunked") {
-+ return true
-+ }
-+ }
-+ return false
-+}
-+
- // AuthZRequest authorized the request to the docker daemon using authZ
plugins
- func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
- var body []byte
-- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 &&
r.ContentLength < maxBodySize {
-+ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 ||
isChunked(r)) && r.ContentLength < maxBodySize {
- var err error
- body, r.Body, err = drainBody(r.Body)
- if err != nil {
-@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r
*http.Request) error {
- if sendBody(ctx.requestURI, rm.Header()) {
- ctx.authReq.ResponseBody = rm.RawBody()
- }
--
- for _, plugin := range ctx.plugins {
- log.G(context.TODO()).Debugf("AuthZ response using plugin %s",
plugin.Name())
-
-@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte,
io.ReadCloser, error) {
- return nil, newBody, err
- }
-
-+func isAuthEndpoint(urlPath string) (bool, error) {
-+ // eg
www.test.com/v1.24/auth/optional?optional1=something&optional2=something
(version optional)
-+ matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`,
urlPath)
-+ if err != nil {
-+ return false, err
-+ }
-+ return matched, nil
-+}
-+
- // sendBody returns true when request/response body should be sent to
AuthZPlugin
--func sendBody(url string, header http.Header) bool {
-+func sendBody(inURL string, header http.Header) bool {
-+ u, err := url.Parse(inURL)
-+ // Assume no if the URL cannot be parsed - an empty request will still
be forwarded to the plugin and should be rejected
-+ if err != nil {
-+ return false
-+ }
-+
- // Skip body for auth endpoint
-- if strings.HasSuffix(url, "/auth") {
-+ isAuth, err := isAuthEndpoint(u.Path)
-+ if isAuth || err != nil {
- return false
- }
-
-diff --git a/pkg/authorization/authz_unix_test.go
b/pkg/authorization/authz_unix_test.go
-index c9b18d96e9..275f1dd3d0 100644
---- a/pkg/authorization/authz_unix_test.go
-+++ b/pkg/authorization/authz_unix_test.go
-@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
-
- func TestSendBody(t *testing.T) {
- var (
-- url = "nothing.com"
- testcases = []struct {
-+ url string
- contentType string
- expected bool
- }{
-@@ -219,15 +219,58 @@ func TestSendBody(t *testing.T) {
- contentType: "",
- expected: false,
- },
-+ {
-+ url: "nothing.com/auth",
-+ contentType: "",
-+ expected: false,
-+ },
-+ {
-+ url: "nothing.com/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "nothing.com/auth?p1=test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "nothing.com/test?p1=/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
-+ {
-+ url: "nothing.com/something/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
-+ {
-+ url: "nothing.com/auth/test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "nothing.com/v1.24/auth/test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "nothing.com/v1/auth/test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
- }
- )
-
- for _, testcase := range testcases {
- header := http.Header{}
- header.Set("Content-Type", testcase.contentType)
-+ if testcase.url == "" {
-+ testcase.url = "nothing.com"
-+ }
-
-- if b := sendBody(url, header); b != testcase.expected {
-- t.Fatalf("Unexpected Content-Type; Expected: %t,
Actual: %t", testcase.expected, b)
-+ if b := sendBody(testcase.url, header); b != testcase.expected {
-+ t.Fatalf("sendBody failed: url: %s, content-type: %s;
Expected: %t, Actual: %t", testcase.url, testcase.contentType,
testcase.expected, b)
- }
- }
- }
---
-2.44.4
-
diff --git a/recipes-containers/docker/files/CVE-2024-41110_2.patch
b/recipes-containers/docker/files/CVE-2024-41110_2.patch
deleted file mode 100644
index 48f21b52..00000000
--- a/recipes-containers/docker/files/CVE-2024-41110_2.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 8fc313c00169d14f1712d5661306d9e0c8838257 Mon Sep 17 00:00:00 2001
-From: Jameson Hyde <[email protected]>
-Date: Sat, 1 Dec 2018 11:25:49 -0500
-Subject: [PATCH 2/2] If url includes scheme, urlPath will drop hostname, which
- would not match the auth check
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Jameson Hyde <[email protected]>
-(cherry picked from commit 754fb8d9d03895ae3ab60d2ad778152b0d835206)
-Signed-off-by: Paweł Gronowski <[email protected]>
-(cherry picked from commit 5282cb25d09db924fa92fdb8fb7a9bd20bb845b7)
-Signed-off-by: Paweł Gronowski <[email protected]>
-
-Upstream-Status: Backport from
[https://github.com/moby/moby/commit/7ff423cc1c991d8dc0a7b5d1d93e1cf3efaac169]
-CVE: CVE-2024-41110
-Signed-off-by: Siddharth Doshi <[email protected]>
----
- pkg/authorization/authz.go | 6 ++---
- pkg/authorization/authz_unix_test.go | 35 ++++++++++++++++++++++++++++
- 2 files changed, 38 insertions(+), 3 deletions(-)
-
-diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
-index 4c2e90b251..d568a2b597 100644
---- a/pkg/authorization/authz.go
-+++ b/pkg/authorization/authz.go
-@@ -57,11 +57,11 @@ type Ctx struct {
-
- func isChunked(r *http.Request) bool {
- // RFC 7230 specifies that content length is to be ignored if
Transfer-Encoding is chunked
-- if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
-+ if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
- return true
- }
- for _, v := range r.TransferEncoding {
-- if 0 == strings.Compare(strings.ToLower(v), "chunked") {
-+ if strings.EqualFold(v, "chunked") {
- return true
- }
- }
-@@ -163,7 +163,7 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser,
error) {
-
- func isAuthEndpoint(urlPath string) (bool, error) {
- // eg
www.test.com/v1.24/auth/optional?optional1=something&optional2=something
(version optional)
-- matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`,
urlPath)
-+ matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`,
urlPath)
- if err != nil {
- return false, err
- }
-diff --git a/pkg/authorization/authz_unix_test.go
b/pkg/authorization/authz_unix_test.go
-index 275f1dd3d0..66b4d20452 100644
---- a/pkg/authorization/authz_unix_test.go
-+++ b/pkg/authorization/authz_unix_test.go
-@@ -259,6 +259,41 @@ func TestSendBody(t *testing.T) {
- contentType: "application/json;charset=UTF8",
- expected: false,
- },
-+ {
-+ url: "www.nothing.com/v1.24/auth/test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url:
"https://www.nothing.com/v1.24/auth/test";,
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url:
"http://nothing.com/v1.24/auth/test";,
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "www.nothing.com/test?p1=/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
-+ {
-+ url:
"http://www.nothing.com/test?p1=/auth";,
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
-+ {
-+ url: "www.nothing.com/something/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
-+ {
-+ url:
"https://www.nothing.com/something/auth";,
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
- }
- )
-
---
-2.44.4
-
--
2.52.0
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#9607):
https://lists.yoctoproject.org/g/meta-virtualization/message/9607
Mute This Topic: https://lists.yoctoproject.org/mt/117959929/21656
Group Owner: [email protected]
Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
