!306 [sync] PR-302: backport: fix CVE-2024-32473

From: @openeuler-sync-bot 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234

VERSION-vendor

@@ -1 +1 @@
-18.09.0.335
+18.09.0.336

docker.spec

@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 335
+Release: 336
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -229,6 +229,12 @@ fi
 %endif
 
 %changelog
+* Wed May 08 2024 chenjiankun<chenjiankun1@huawei.com> - 18.09.0-336
+- Type:CVE
+- CVE:CVE-2024-32473
+- SUG:NA
+- DESC:fix CVE-2024-32473
+
 * Fri Apr 12 2024 chenjiankun<chenjiankun1@huawei.com> - 18.09.0-335
 - Type:CVE
 - CVE:CVE-2024-29018

git-commit

@@ -1 +1 @@
-caab42f59599671d0f2f9c94131443ab6dd61efd
+33f6ee35033ba46754532d87ae6800eca565cb26

patch/0275-backport-fix-CVE-2024-32473.patch

@@ -0,0 +1,60 @@
+From ed5ed46f0aee11f3e4e0fcc2b2ce391460bd4550 Mon Sep 17 00:00:00 2001
+From: chenjiankun <chenjiankun1@huawei.com>
+Date: Wed, 8 May 2024 10:03:36 +0800
+Subject: [PATCH] docker: Disable IPv6 for endpoints in '--ipv6=false' networks
+
+No IPAM IPv6 address is given to an interface in a network with
+'--ipv6=false', but the kernel would assign a link-local address and,
+in a macvlan/ipvlan network, the interface may get a SLAAC-assigned
+address.
+
+So, disable IPv6 on the interface to avoid that.
+
+Signed-off-by: Rob Murray <rob.murray@docker.com>
+
+Conflict:no
+Reference:https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642
+
+---
+ .../docker/libnetwork/osl/interface_linux.go  | 21 ++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go b/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
+index a924af4bd..63d0e5650 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
+@@ -377,17 +377,24 @@ func setInterfaceIP(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+ }
+ 
+ func setInterfaceIPv6(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+-	if i.AddressIPv6() == nil {
++	addr := i.AddressIPv6()
++	// IPv6 must be enabled on the interface if and only if the network is
++	// IPv6-enabled. For an interface on an IPv4-only network, if IPv6 isn't
++	// disabled, the interface will be put into IPv6 multicast groups making
++	// it unexpectedly susceptible to NDP cache poisoning, route injection, etc.
++	// (At present, there will always be a pre-configured IPv6 address if the
++	// network is IPv6-enabled.)
++	if err := setIPv6(i.ns.path, i.DstName(), addr != nil); err != nil {
++		return fmt.Errorf("failed to configure ipv6: %v", err)
++	}
++	if addr == nil {
+ 		return nil
+ 	}
+-	if err := checkRouteConflict(nlh, i.AddressIPv6(), netlink.FAMILY_V6); err != nil {
++	if err := checkRouteConflict(nlh, addr, netlink.FAMILY_V6); err != nil {
+ 		return err
+ 	}
+-	if err := setIPv6(i.ns.path, i.DstName(), true); err != nil {
+-		return fmt.Errorf("failed to enable ipv6: %v", err)
+-	}
+-	ipAddr := &netlink.Addr{IPNet: i.AddressIPv6(), Label: "", Flags: syscall.IFA_F_NODAD}
+-	return nlh.AddrAdd(iface, ipAddr)
++	nlAddr := &netlink.Addr{IPNet: addr, Label: "", Flags: syscall.IFA_F_NODAD}
++	return nlh.AddrAdd(iface, nlAddr)
+ }
+ 
+ func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+-- 
+2.33.0
+

series.conf

@@ -272,4 +272,5 @@ patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch
 patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch
 patch/0273-backport-fix-CVE-2024-24557.patch
 patch/0274-docker-fix-CVE-2024-29018.patch
+patch/0275-backport-fix-CVE-2024-32473.patch
 #end