fix CVE-2021-41092

fix #I5D1C0 fix CVE-2021-41092
2022-06-29 14:52:33 +08:00 · 2022-06-29 14:52:33 +08:00 · 777a2b05b8
commit 777a2b05b8
parent 69f6dc243f
5 changed files with 140 additions and 3 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-18.09.0.305
+18.09.0.306
--- a/docker.spec
+++ b/docker.spec
@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 305
+Release: 306
 Summary: The open-source application container engine
 Group: Tools/Docker

@ -212,6 +212,12 @@ fi
 %endif

 %changelog
+* Wed Jun 29 2022 zjw<zhongjiawei1@huawei.com> - 18.09.0-306
+- Type:CVE
+- CVE:CVE-2021-41092
+- SUG:NA
+- DESC:fix CVE-2021-41092
+
 * Wed Jun 29 2022 zjw<zhongjiawei1@huawei.com> - 18.09.0-305
 - Type:CVE
 - CVE:CVE-2021-41091
--- a/2
+++ b/2
@ -1 +1 @@
-029c7f52dc3f16cce2166542761c84b953edf5d1
+1d79dce8b3c1b71f07ef5ad31adfe8026080311f
--- a/patch/0228-docker-registry-ensure-default-auth-config-has-address.patch
+++ b/patch/0228-docker-registry-ensure-default-auth-config-has-address.patch
@ -0,0 +1,130 @@
+From 47b9fb37236351afc0c2e58c109a70c1432096ff Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Thu, 9 Jun 2022 10:50:43 +0800
+Subject: [PATCH]  docker: registry: ensure default auth config has address
+
+Conflict:cli/command/registry.go,cli/command/registry/login.go
+Reference:https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b
+---
+ components/cli/cli/command/registry.go       | 12 ++++++++----
+ components/cli/cli/command/registry/login.go | 13 ++++++-------
+ components/cli/cli/command/registry_test.go  | 16 +++++++++++++++-
+ 3 files changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/components/cli/cli/command/registry.go b/components/cli/cli/command/registry.go
+index c12843693..74abbfc5f 100644
+--- a/components/cli/cli/command/registry.go
+++ b/components/cli/cli/command/registry.go
+@@ -58,11 +58,11 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
+ 		if err != nil {
+ 			fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err)
+ 		}
+-		err = ConfigureAuth(cli, "", "", authConfig, isDefaultRegistry)
+		err = ConfigureAuth(cli, "", "", &authConfig, isDefaultRegistry)
+ 		if err != nil {
+ 			return "", err
+ 		}
+-		return EncodeAuthToBase64(*authConfig)
+		return EncodeAuthToBase64(authConfig)
+ 	}
+ }
+ 
+@@ -81,7 +81,7 @@ func ResolveAuthConfig(ctx context.Context, cli Cli, index *registrytypes.IndexI
+ 
+ // GetDefaultAuthConfig gets the default auth config given a serverAddress
+ // If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it
+-func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (*types.AuthConfig, error) {
+func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (types.AuthConfig, error) {
+ 	if !isDefaultRegistry {
+ 		serverAddress = registry.ConvertToHostname(serverAddress)
+ 	}
+@@ -89,12 +89,16 @@ func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, is
+ 	var err error
+ 	if checkCredStore {
+ 		authconfig, err = cli.ConfigFile().GetAuthConfig(serverAddress)
+		if err != nil {
+			return types.AuthConfig{ServerAddress: serverAddress,}, err
+		}
+ 	} else {
+ 		authconfig = types.AuthConfig{}
+ 	}
+ 	authconfig.ServerAddress = serverAddress
+ 	authconfig.IdentityToken = ""
+-	return &authconfig, err
+	res := types.AuthConfig(authconfig)
+	return res, err
+ }
+ 
+ // ConfigureAuth handles prompting of user's username and password if needed
+diff --git a/components/cli/cli/command/registry/login.go b/components/cli/cli/command/registry/login.go
+index f4f57398b..f86076c5e 100644
+--- a/components/cli/cli/command/registry/login.go
+++ b/components/cli/cli/command/registry/login.go
+@@ -111,23 +111,22 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
+ 	}
+ 
+ 	var err error
+-	var authConfig *types.AuthConfig
+ 	var response registrytypes.AuthenticateOKBody
+ 	isDefaultRegistry := serverAddress == authServer
+-	authConfig, err = command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
+	authConfig, err := command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
+ 	if err == nil && authConfig.Username != "" && authConfig.Password != "" {
+-		response, err = loginWithCredStoreCreds(ctx, dockerCli, authConfig)
+		response, err = loginWithCredStoreCreds(ctx, dockerCli, &authConfig)
+ 	}
+ 	if err != nil || authConfig.Username == "" || authConfig.Password == "" {
+-		err = command.ConfigureAuth(dockerCli, opts.user, opts.password, authConfig, isDefaultRegistry)
+		err = command.ConfigureAuth(dockerCli, opts.user, opts.password, &authConfig, isDefaultRegistry)
+ 		if err != nil {
+ 			return err
+ 		}
+ 
+-		response, err = clnt.RegistryLogin(ctx, *authConfig)
+		response, err = clnt.RegistryLogin(ctx, authConfig)
+ 		if err != nil && client.IsErrConnectionFailed(err) {
+ 			// If the server isn't responding (yet) attempt to login purely client side
+-			response, err = loginClientSide(ctx, *authConfig)
+			response, err = loginClientSide(ctx, authConfig)
+ 		}
+ 		// If we (still) have an error, give up
+ 		if err != nil {
+@@ -149,7 +148,7 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
+ 		}
+ 	}
+ 
+-	if err := creds.Store(*authConfig); err != nil {
+	if err := creds.Store(types.AuthConfig(authConfig)); err != nil {
+ 		return errors.Errorf("Error saving credentials: %v", err)
+ 	}
+ 
+diff --git a/components/cli/cli/command/registry_test.go b/components/cli/cli/command/registry_test.go
+index 966db86b9..a4a7fe184 100644
+--- a/components/cli/cli/command/registry_test.go
+++ b/components/cli/cli/command/registry_test.go
+@@ -144,7 +144,21 @@ func TestGetDefaultAuthConfig(t *testing.T) {
+ 			assert.Check(t, is.Equal(tc.expectedErr, err.Error()))
+ 		} else {
+ 			assert.NilError(t, err)
+-			assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, *authconfig))
+			assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, authconfig))
+ 		}
+ 	}
+ }
+
+func TestGetDefaultAuthConfig_HelperError(t *testing.T) {
+	cli := test.NewFakeCli(&fakeClient{})
+	errBuf := new(bytes.Buffer)
+	cli.SetErr(errBuf)
+	cli.ConfigFile().CredentialsStore = "fake-does-not-exist"
+	serverAddress := "test-server-address"
+	expectedAuthConfig := types.AuthConfig{
+		ServerAddress: serverAddress,
+	}
+	authconfig, err := GetDefaultAuthConfig(cli, true, serverAddress, serverAddress == "https://index.docker.io/v1/")
+	assert.Check(t, is.DeepEqual(expectedAuthConfig, authconfig))
+	assert.Check(t, is.ErrorContains(err, "docker-credential-fake-does-not-exist"))
+}
+-- 
+2.30.0
+
--- a/series.conf
+++ b/series.conf
@ -225,4 +225,5 @@ patch/0224-fix-rwlayer-umountd-after-container-restart.patch
 patch/0225-docker-close-channel-in-write-side-to-avoid-panic-in.patch
 patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
 patch/0227-docker-Lock-down-docker-root-dir-perms.patch
+patch/0228-docker-registry-ensure-default-auth-config-has-address.patch
 #end