packages/moby
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!75 [sync] PR-73: fix CVE-2024-41110

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @xu_lei_123 
Signed-off-by: @xu_lei_123
This commit is contained in:
openeuler-ci-bot 2024-07-26 06:16:14 +00:00 committed by Gitee
commit a9a30cbe24
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 215 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

206
backport-CVE-2024-41110.patch Normal file
View File

@ -0,0 +1,206 @@
From 9659c3a52bac57e615b5fb49b0652baca448643e Mon Dec 1 00:00:00 2001
From: Jameson Hyde <jameson.hyde@docker.com>
Date: Mon, 1 Dec 2018 09:57:10 +0800
Subject: [PATCH] Authz plugin security fixes for 0-length content and path validation
https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919
https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76
If url includes scheme, urlPath will drop hostname, which would not m…
…atch the auth check
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
---
pkg/authorization/authz.go | 38 +++++++++++--
pkg/authorization/authz_unix_test.go | 84 +++++++++++++++++++++++++++-
2 files changed, 115 insertions(+), 7 deletions(-)
diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
index 1eb4431..d568a2b 100644
--- a/pkg/authorization/authz.go
+++ b/pkg/authorization/authz.go
@@ -8,6 +8,8 @@ import (
"io"
"mime"
"net/http"
+ "net/url"
+ "regexp"
"strings"
"github.com/containerd/log"
@@ -53,10 +55,23 @@ type Ctx struct {
authReq *Request
}
+func isChunked(r *http.Request) bool {
+ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
+ if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
+ return true
+ }
+ for _, v := range r.TransferEncoding {
+ if strings.EqualFold(v, "chunked") {
+ return true
+ }
+ }
+ return false
+}
+
// AuthZRequest authorized the request to the docker daemon using authZ plugins
func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
var body []byte
- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
+ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
var err error
body, r.Body, err = drainBody(r.Body)
if err != nil {
@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
if sendBody(ctx.requestURI, rm.Header()) {
ctx.authReq.ResponseBody = rm.RawBody()
}
-
for _, plugin := range ctx.plugins {
log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())
@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
return nil, newBody, err
}
+func isAuthEndpoint(urlPath string) (bool, error) {
+ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
+ matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
+ if err != nil {
+ return false, err
+ }
+ return matched, nil
+}
+
// sendBody returns true when request/response body should be sent to AuthZPlugin
-func sendBody(url string, header http.Header) bool {
+func sendBody(inURL string, header http.Header) bool {
+ u, err := url.Parse(inURL)
+ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
+ if err != nil {
+ return false
+ }
+
// Skip body for auth endpoint
- if strings.HasSuffix(url, "/auth") {
+ isAuth, err := isAuthEndpoint(u.Path)
+ if isAuth || err != nil {
return false
}
diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
index c9b18d9..66b4d20 100644
--- a/pkg/authorization/authz_unix_test.go
+++ b/pkg/authorization/authz_unix_test.go
@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
func TestSendBody(t *testing.T) {
var (
- url = "nothing.com"
testcases = []struct {
+ url string
contentType string
expected bool
}{
@@ -219,15 +219,93 @@ func TestSendBody(t *testing.T) {
contentType: "",
expected: false,
},
+ {
+ url: "nothing.com/auth",
+ contentType: "",
+ expected: false,
+ },
+ {
+ url: "nothing.com/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "nothing.com/auth?p1=test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "nothing.com/test?p1=/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
+ {
+ url: "nothing.com/something/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
+ {
+ url: "nothing.com/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "nothing.com/v1.24/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "nothing.com/v1/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "www.nothing.com/v1.24/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "https://www.nothing.com/v1.24/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "http://nothing.com/v1.24/auth/test",
+ contentType: "application/json;charset=UTF8",
+ expected: false,
+ },
+ {
+ url: "www.nothing.com/test?p1=/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
+ {
+ url: "http://www.nothing.com/test?p1=/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
+ {
+ url: "www.nothing.com/something/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
+ {
+ url: "https://www.nothing.com/something/auth",
+ contentType: "application/json;charset=UTF8",
+ expected: true,
+ },
}
)
for _, testcase := range testcases {
header := http.Header{}
header.Set("Content-Type", testcase.contentType)
+ if testcase.url == "" {
+ testcase.url = "nothing.com"
+ }
- if b := sendBody(url, header); b != testcase.expected {
- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
+ if b := sendBody(testcase.url, header); b != testcase.expected {
+ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
}
}
}
--
2.33.0

10
moby.spec
View File

@ -7,7 +7,7 @@
Name: docker
Version: 25.0.3
Release: 9
Release: 10
Summary: The open-source application container engine
License: ASL 2.0
URL: https://www.docker.com
@ -25,6 +25,7 @@ Patch0001: 0002-fix-cve-2024-32473.patch
Patch0002: 0003-add-loongarch64-seccomp-support.patch
Patch0003: 0004-fix-docker-swarm-run-failed-for-loongarch64.patch
Patch9000: backport-CVE-2024-41110.patch
Requires: %{name}-engine = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
@ -93,6 +94,7 @@ Docker client binary and related utilities
%patch0001 -p1
%patch0002 -p1
%patch0003 -p1
%patch9000 -p1
%setup -q -T -n %{_source_docker_init} -b 2
%build
@ -194,6 +196,12 @@ fi
%systemd_postun_with_restart docker.service
%changelog
* Fri Jul 26 2024 zhangxianting <zhangxianting@uniontechc.om> - 25.0.3-10
- Type:CVE
- ID:NA
- SUG:NA
- DESC:fix CVE-2024-41110
* Fri Jul 12 2024 lvxiangcong <lvxiangcong@kylinos.cn> - 25.0.3-9
- Type:bugfix
- ID:NA