fix CVE-2024-41110

(cherry picked from commit 7de97fd428cf9a6a81d91683083a8b22b3dfde4e)
2024-07-26 10:06:11 +08:00 · 2024-07-26 10:06:11 +08:00 · ece246fcc2
commit ece246fcc2
parent ea0c291b9d
2 changed files with 215 additions and 1 deletions
--- a/backport-CVE-2024-41110.patch
+++ b/backport-CVE-2024-41110.patch
@ -0,0 +1,206 @@
 From 9659c3a52bac57e615b5fb49b0652baca448643e Mon Dec 1 00:00:00 2001
 From: Jameson Hyde <jameson.hyde@docker.com>
 Date: Mon, 1 Dec 2018 09:57:10 +0800
 Subject: [PATCH] Authz plugin security fixes for 0-length content and path validation
 https://github.com/moby/moby/commit/65cc597cea28cdc25bea3b8a86384b4251872919
 https://github.com/moby/moby/commit/42f40b1d6dd7562342f832b9cd2adf9e668eeb76
 If url includes scheme, urlPath will drop hostname, which would not m…
 …atch the auth check
 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
 ---
 pkg/authorization/authz.go           | 38 +++++++++++--
 pkg/authorization/authz_unix_test.go | 84 +++++++++++++++++++++++++++-
 2 files changed, 115 insertions(+), 7 deletions(-)
 diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
 index 1eb4431..d568a2b 100644
 --- a/pkg/authorization/authz.go
 +++ b/pkg/authorization/authz.go
@@ -8,6 +8,8 @@ import (
 	"io"
 	"mime"
 	"net/http"
 +	"net/url"
 +	"regexp"
 	"strings"
 	"github.com/containerd/log"
@@ -53,10 +55,23 @@ type Ctx struct {
 	authReq *Request
 }
 +func isChunked(r *http.Request) bool {
 +	// RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
 +	if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
 +		return true
 +	}
 +	for _, v := range r.TransferEncoding {
 +		if strings.EqualFold(v, "chunked") {
 +			return true
 +		}
 +	}
 +	return false
 +}
 +
 // AuthZRequest authorized the request to the docker daemon using authZ plugins
 func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
 	var body []byte
 -	if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
 +	if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
 		var err error
 		body, r.Body, err = drainBody(r.Body)
 		if err != nil {
@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
 	if sendBody(ctx.requestURI, rm.Header()) {
 		ctx.authReq.ResponseBody = rm.RawBody()
 	}
 -
 	for _, plugin := range ctx.plugins {
 		log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())
@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
 	return nil, newBody, err
 }
 +func isAuthEndpoint(urlPath string) (bool, error) {
 +	// eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
 +	matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
 +	if err != nil {
 +		return false, err
 +	}
 +	return matched, nil
 +}
 +
 // sendBody returns true when request/response body should be sent to AuthZPlugin
 -func sendBody(url string, header http.Header) bool {
 +func sendBody(inURL string, header http.Header) bool {
 +	u, err := url.Parse(inURL)
 +	// Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
 +	if err != nil {
 +		return false
 +	}
 +
 	// Skip body for auth endpoint
 -	if strings.HasSuffix(url, "/auth") {
 +	isAuth, err := isAuthEndpoint(u.Path)
 +	if isAuth || err != nil {
 		return false
 	}
 diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
 index c9b18d9..66b4d20 100644
 --- a/pkg/authorization/authz_unix_test.go
 +++ b/pkg/authorization/authz_unix_test.go
@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
 func TestSendBody(t *testing.T) {
 	var (
 -		url       = "nothing.com"
 		testcases = []struct {
 +			url         string
 			contentType string
 			expected    bool
 		}{
@@ -219,15 +219,93 @@ func TestSendBody(t *testing.T) {
 				contentType: "",
 				expected:    false,
 			},
 +			{
 +				url:         "nothing.com/auth",
 +				contentType: "",
 +				expected:    false,
 +			},
 +			{
 +				url:         "nothing.com/auth",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    false,
 +			},
 +			{
 +				url:         "nothing.com/auth?p1=test",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    false,
 +			},
 +			{
 +				url:         "nothing.com/test?p1=/auth",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    true,
 +			},
 +			{
 +				url:         "nothing.com/something/auth",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    true,
 +			},
 +			{
 +				url:         "nothing.com/auth/test",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    false,
 +			},
 +			{
 +				url:         "nothing.com/v1.24/auth/test",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    false,
 +			},
 +			{
 +				url:         "nothing.com/v1/auth/test",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    false,
 +			},
 +			{
 +				url:         "www.nothing.com/v1.24/auth/test",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    false,
 +			},
 +			{
 +				url:         "https://www.nothing.com/v1.24/auth/test",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    false,
 +			},
 +			{
 +				url:         "http://nothing.com/v1.24/auth/test",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    false,
 +			},
 +			{
 +				url:         "www.nothing.com/test?p1=/auth",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    true,
 +			},
 +			{
 +				url:         "http://www.nothing.com/test?p1=/auth",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    true,
 +			},
 +			{
 +				url:         "www.nothing.com/something/auth",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    true,
 +			},
 +			{
 +				url:         "https://www.nothing.com/something/auth",
 +				contentType: "application/json;charset=UTF8",
 +				expected:    true,
 +			},
 		}
 	)
 	for _, testcase := range testcases {
 		header := http.Header{}
 		header.Set("Content-Type", testcase.contentType)
 +		if testcase.url == "" {
 +			testcase.url = "nothing.com"
 +		}
 -		if b := sendBody(url, header); b != testcase.expected {
 -			t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
 +		if b := sendBody(testcase.url, header); b != testcase.expected {
 +			t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
 		}
 	}
 }
 -- 
 2.33.0
--- a/moby.spec
+++ b/moby.spec
@ -7,7 +7,7 @@
 Name: 	  docker
 Version:  25.0.3
-Release:  9
+Release:  10
 Summary:  The open-source application container engine
 License:  ASL 2.0
 URL:	  https://www.docker.com
@ -25,6 +25,7 @@ Patch0001:  0002-fix-cve-2024-32473.patch
 Patch0002:  0003-add-loongarch64-seccomp-support.patch
 Patch0003:  0004-fix-docker-swarm-run-failed-for-loongarch64.patch
 Patch9000:  backport-CVE-2024-41110.patch
 Requires: %{name}-engine = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
@ -93,6 +94,7 @@ Docker client binary and related utilities
 %patch0001 -p1
 %patch0002 -p1
 %patch0003 -p1
 %patch9000 -p1
 %setup -q -T -n %{_source_docker_init} -b 2
 %build
@ -194,6 +196,12 @@ fi
 %systemd_postun_with_restart docker.service
 %changelog
 * Fri Jul 26 2024 zhangxianting <zhangxianting@uniontechc.om> - 25.0.3-10
 - Type:CVE
 - ID:NA
 - SUG:NA
 - DESC:fix CVE-2024-41110
 * Fri Jul 12 2024 lvxiangcong <lvxiangcong@kylinos.cn> - 25.0.3-9
 - Type:bugfix
 - ID:NA