From 777a2b05b8565e1ac354e7fa9cfb7e256e0f1c96 Mon Sep 17 00:00:00 2001 From: zhongjiawei Date: Wed, 29 Jun 2022 14:52:33 +0800 Subject: [PATCH] fix CVE-2021-41092 fix #I5D1C0 fix CVE-2021-41092 --- VERSION-openeuler | 2 +- docker.spec | 8 +- git-commit | 2 +- ...sure-default-auth-config-has-address.patch | 130 ++++++++++++++++++ series.conf | 1 + 5 files changed, 140 insertions(+), 3 deletions(-) create mode 100644 patch/0228-docker-registry-ensure-default-auth-config-has-address.patch diff --git a/VERSION-openeuler b/VERSION-openeuler index 79bc945..d7576ff 100644 --- a/VERSION-openeuler +++ b/VERSION-openeuler @@ -1 +1 @@ -18.09.0.305 +18.09.0.306 diff --git a/docker.spec b/docker.spec index addc953..85f3b87 100644 --- a/docker.spec +++ b/docker.spec @@ -1,6 +1,6 @@ Name: docker-engine Version: 18.09.0 -Release: 305 +Release: 306 Summary: The open-source application container engine Group: Tools/Docker @@ -212,6 +212,12 @@ fi %endif %changelog +* Wed Jun 29 2022 zjw - 18.09.0-306 +- Type:CVE +- CVE:CVE-2021-41092 +- SUG:NA +- DESC:fix CVE-2021-41092 + * Wed Jun 29 2022 zjw - 18.09.0-305 - Type:CVE - CVE:CVE-2021-41091 diff --git a/git-commit b/git-commit index 3fce8a4..44f0e7c 100644 --- a/git-commit +++ b/git-commit @@ -1 +1 @@ -029c7f52dc3f16cce2166542761c84b953edf5d1 +1d79dce8b3c1b71f07ef5ad31adfe8026080311f diff --git a/patch/0228-docker-registry-ensure-default-auth-config-has-address.patch b/patch/0228-docker-registry-ensure-default-auth-config-has-address.patch new file mode 100644 index 0000000..bb2da5a --- /dev/null +++ b/patch/0228-docker-registry-ensure-default-auth-config-has-address.patch 
@@ -0,0 +1,130 @@
+From 47b9fb37236351afc0c2e58c109a70c1432096ff Mon Sep 17 00:00:00 2001
+From: zhongjiawei
+Date: Thu, 9 Jun 2022 10:50:43 +0800
+Subject: [PATCH] docker: registry: ensure default auth config has address
+
+Conflict:cli/command/registry.go,cli/command/registry/login.go
+Reference:https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b
+---
+ components/cli/cli/command/registry.go | 12 ++++++++----
+ components/cli/cli/command/registry/login.go | 13 ++++++-------
+ components/cli/cli/command/registry_test.go | 16 +++++++++++++++-
+ 3 files changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/components/cli/cli/command/registry.go b/components/cli/cli/command/registry.go
+index c12843693..74abbfc5f 100644
+--- a/components/cli/cli/command/registry.go
++++ b/components/cli/cli/command/registry.go
+@@ -58,11 +58,11 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
+ if err != nil {
+ fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err)
+ }
+- err = ConfigureAuth(cli, "", "", authConfig, isDefaultRegistry)
++ err = ConfigureAuth(cli, "", "", &authConfig, isDefaultRegistry)
+ if err != nil {
+ return "", err
+ }
+- return EncodeAuthToBase64(*authConfig)
++ return EncodeAuthToBase64(authConfig)
+ }
+ }
+
+@@ -81,7 +81,7 @@ func ResolveAuthConfig(ctx context.Context, cli Cli, index *registrytypes.IndexI
+
+ // GetDefaultAuthConfig gets the default auth config given a serverAddress
+ // If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it
+-func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (*types.AuthConfig, error) {
++func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (types.AuthConfig, error) {
+ if !isDefaultRegistry {
+ serverAddress = registry.ConvertToHostname(serverAddress)
+ }
+@@ -89,12 +89,16 @@ func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, is
+ var err error
+ if checkCredStore {
+ authconfig, err = cli.ConfigFile().GetAuthConfig(serverAddress)
++ if err != nil {
++ return types.AuthConfig{ServerAddress: serverAddress,}, err
++ }
+ } else {
+ authconfig = types.AuthConfig{}
+ }
+ authconfig.ServerAddress = serverAddress
+ authconfig.IdentityToken = ""
+- return &authconfig, err
++ res := types.AuthConfig(authconfig)
++ return res, err
+ }
+
+ // ConfigureAuth handles prompting of user's username and password if needed
+diff --git a/components/cli/cli/command/registry/login.go b/components/cli/cli/command/registry/login.go
+index f4f57398b..f86076c5e 100644
+--- a/components/cli/cli/command/registry/login.go
++++ b/components/cli/cli/command/registry/login.go
+@@ -111,23 +111,22 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
+ }
+
+ var err error
+- var authConfig *types.AuthConfig
+ var response registrytypes.AuthenticateOKBody
+ isDefaultRegistry := serverAddress == authServer
+- authConfig, err = command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
++ authConfig, err := command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
+ if err == nil && authConfig.Username != "" && authConfig.Password != "" {
+- response, err = loginWithCredStoreCreds(ctx, dockerCli, authConfig)
++ response, err = loginWithCredStoreCreds(ctx, dockerCli, &authConfig)
+ }
+ if err != nil || authConfig.Username == "" || authConfig.Password == "" {
+- err = command.ConfigureAuth(dockerCli, opts.user, opts.password, authConfig, isDefaultRegistry)
++ err = command.ConfigureAuth(dockerCli, opts.user, opts.password, &authConfig, isDefaultRegistry)
+ if err != nil {
+ return err
+ }
+
+- response, err = clnt.RegistryLogin(ctx, *authConfig)
++ response, err = clnt.RegistryLogin(ctx, authConfig)
+ if err != nil && client.IsErrConnectionFailed(err) {
+ // If the server isn't responding (yet) attempt to login purely client side
+- response, err = loginClientSide(ctx, *authConfig)
++ response, err = loginClientSide(ctx, authConfig)
+ }
+ // If we (still) have an error, give up
+ if err != nil {
+@@ -149,7 +148,7 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
+ }
+ }
+
+- if err := creds.Store(*authConfig); err != nil {
++ if err := creds.Store(types.AuthConfig(authConfig)); err != nil {
+ return errors.Errorf("Error saving credentials: %v", err)
+ }
+
+diff --git a/components/cli/cli/command/registry_test.go b/components/cli/cli/command/registry_test.go
+index 966db86b9..a4a7fe184 100644
+--- a/components/cli/cli/command/registry_test.go
++++ b/components/cli/cli/command/registry_test.go
+@@ -144,7 +144,21 @@ func TestGetDefaultAuthConfig(t *testing.T) {
+ assert.Check(t, is.Equal(tc.expectedErr, err.Error()))
+ } else {
+ assert.NilError(t, err)
+- assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, *authconfig))
++ assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, authconfig))
+ }
+ }
+ }
++
++func TestGetDefaultAuthConfig_HelperError(t *testing.T) {
++ cli := test.NewFakeCli(&fakeClient{})
++ errBuf := new(bytes.Buffer)
++ cli.SetErr(errBuf)
++ cli.ConfigFile().CredentialsStore = "fake-does-not-exist"
++ serverAddress := "test-server-address"
++ expectedAuthConfig := types.AuthConfig{
++ ServerAddress: serverAddress,
++ }
++ authconfig, err := GetDefaultAuthConfig(cli, true, serverAddress, serverAddress == "https://index.docker.io/v1/")
++ assert.Check(t, is.DeepEqual(expectedAuthConfig, authconfig))
++ assert.Check(t, is.ErrorContains(err, "docker-credential-fake-does-not-exist"))
++}
+-- 
+2.30.0
+
diff --git a/series.conf b/series.conf
index de190ea..5033fa4 100644
--- a/series.conf
+++ b/series.conf
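Review bot: The conversions `res := types.AuthConfig(authconfig)` in the third registry.go hunk and `creds.Store(types.AuthConfig(authConfig))` in the second login.go hunk appear to be identity conversions in this tree — the same registry.go hunk assigns `types.AuthConfig{}` to `authconfig`, and `authConfig` in login.go is now the `types.AuthConfig` value that GetDefaultAuthConfig returns — so they read as leftovers of the upstream commit, where the config-file type differs, and can be dropped: `return authconfig, nil` (the new early return above it means `err` is always nil at that point) and `if err := creds.Store(authConfig); err != nil {`. The added early-return literal `types.AuthConfig{ServerAddress: serverAddress,}` is not gofmt-clean; write it as `return types.AuthConfig{ServerAddress: serverAddress}, err`. The substance of the CVE-2021-41092 backport — keeping ServerAddress populated when the credential helper fails, so the later login cannot fall through to the default registry — is otherwise exercised by the added TestGetDefaultAuthConfig_HelperError. GetDefaultAuthConfig and runLogin both begin and end outside their hunks.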
@@ -225,4 +225,5 @@ patch/0224-fix-rwlayer-umountd-after-container-restart.patch
 patch/0225-docker-close-channel-in-write-side-to-avoid-panic-in.patch
 patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
 patch/0227-docker-Lock-down-docker-root-dir-perms.patch
+patch/0228-docker-registry-ensure-default-auth-config-has-address.patch
 #end