fix CVE-2024-36620, CVE-2024-36621, CVE-2024-36623

(cherry picked from commit c0b254900730351d4f70590eb6692ae88c4523ab)

1010-fix-CVE-2024-36621.patch

@@ -0,0 +1,76 @@
+From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
+---
+ .../builder-next/adapters/snapshot/layer.go   |  3 +++
+ .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
+index 73120ea70b2ee..fc83058339c7b 100644
+--- a/builder/builder-next/adapters/snapshot/layer.go
++++ b/builder/builder-next/adapters/snapshot/layer.go
+@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
+ }
+ 
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++	s.layerCreateLocker.Lock(key)
++	defer s.layerCreateLocker.Unlock(key)
++
+ 	diffIDs, err := s.GetDiffIDs(ctx, key)
+ 	if err != nil {
+ 		return nil, err
+diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
+index a0d28ad984ba4..510ffefb49406 100644
+--- a/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -17,6 +17,7 @@ import (
+ 	"github.com/moby/buildkit/identity"
+ 	"github.com/moby/buildkit/snapshot"
+ 	"github.com/moby/buildkit/util/leaseutil"
++	"github.com/moby/locker"
+ 	"github.com/opencontainers/go-digest"
+ 	"github.com/pkg/errors"
+ 	bolt "go.etcd.io/bbolt"
+@@ -51,10 +52,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+ 	opt Opt
+ 
+-	refs map[string]layer.Layer
+-	db   *bolt.DB
+-	mu   sync.Mutex
+-	reg  graphIDRegistrar
++	refs              map[string]layer.Layer
++	db                *bolt.DB
++	mu                sync.Mutex
++	reg               graphIDRegistrar
++	layerCreateLocker *locker.Locker
+ }
+ 
+ // NewSnapshotter creates a new snapshotter
+@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
+ 	}
+ 
+ 	s := &snapshotter{
+-		opt:  opt,
+-		db:   db,
+-		refs: map[string]layer.Layer{},
+-		reg:  reg,
++		opt:               opt,
++		db:                db,
++		refs:              map[string]layer.Layer{},
++		reg:               reg,
++		layerCreateLocker: locker.New(),
+ 	}
+ 
+ 	slm := newLeaseManager(s, prevLM)

1011-fix-CVE-2024-36620.patch

@@ -0,0 +1,33 @@
+From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001
+From: Christopher Petito <47751006+krissetto@users.noreply.github.com>
+Date: Fri, 19 Apr 2024 10:44:30 +0000
+Subject: [PATCH] nil dereference fix on image history Created value
+
+Issue was caused by the changes here https://github.com/moby/moby/pull/45504
+First released in v25.0.0-beta.1
+
+Signed-off-by: Christopher Petito <47751006+krissetto@users.noreply.github.com>
+---
+ daemon/images/image_history.go | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go
+index 1617f8be62906..f621ceae13bc6 100644
+--- a/daemon/images/image_history.go
++++ b/daemon/images/image_history.go
+@@ -43,9 +43,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image.
+ 			layerCounter++
+ 		}
+ 
++		var created int64
++		if h.Created != nil {
++			created = h.Created.Unix()
++		}
++
+ 		history = append([]*image.HistoryResponseItem{{
+ 			ID:        "<missing>",
+-			Created:   h.Created.Unix(),
++			Created:   created,
+ 			CreatedBy: h.CreatedBy,
+ 			Comment:   h.Comment,
+ 			Size:      layerSize,

1012-fix-CVE-2024-36623.patch

@@ -0,0 +1,45 @@
+From 5689dabfb357b673abdb4391eef426f297d7d1bb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
+Date: Thu, 22 Feb 2024 18:01:40 +0100
+Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sync access to the underlying `io.Writer` with a mutex.
+
+Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
+---
+ pkg/streamformatter/streamformatter.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go
+index b0456e580dc9d..098df6b5236b9 100644
+--- a/pkg/streamformatter/streamformatter.go
++++ b/pkg/streamformatter/streamformatter.go
+@@ -5,6 +5,7 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"io"
++	"sync"
+ 
+ 	"github.com/docker/docker/pkg/jsonmessage"
+ 	"github.com/docker/docker/pkg/progress"
+@@ -109,6 +110,7 @@ type progressOutput struct {
+ 	sf       formatProgress
+ 	out      io.Writer
+ 	newLines bool
++	mu       sync.Mutex
+ }
+ 
+ // WriteProgress formats progress information from a ProgressReader.
+@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
+ 		jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
+ 		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
+ 	}
++
++	out.mu.Lock()
++	defer out.mu.Unlock()
+ 	_, err := out.out.Write(formatted)
+ 	if err != nil {
+ 		return err

moby.spec

@@ -7,7 +7,7 @@
 
 Name: 	  moby
 Version:  25.0.3
-Release:  21
+Release:  22
 Summary:  The open-source application container engine
 License:  Apache-2.0
 URL:	  https://www.docker.com
@@ -20,16 +20,22 @@ Source2:  tini-0.19.0.tar.gz
 Source3:  docker.service
 Source4:  docker.socket
 Source5:  docker.sysconfig
-Patch0001:  0001-fix-cve-2024-29018.patch
+# Patch 0001-0999 for cli
-Patch0002:  0002-fix-cve-2024-32473.patch
+# Patch 1001-1999 for moby
-Patch0003:  0003-add-loongarch64-seccomp-support.patch
+Patch1001:  1001-fix-cve-2024-29018.patch
-Patch0004:  0004-fix-docker-swarm-run-failed-for-loongarch64.patch
+Patch1002:  1002-fix-cve-2024-32473.patch
-Patch0005:  0005-CVE-2024-41110.patch
+Patch1003:  1003-add-loongarch64-seccomp-support.patch
-Patch0006:  0006-tini.c-a-function-declaration-without-a-prototype-is.patch
+Patch1004:  1004-fix-docker-swarm-run-failed-for-loongarch64.patch
-Patch0007:  0007-fix-libnetwork-osl-test-TestAddRemoveInterface.patch
+Patch1005:  1005-CVE-2024-41110.patch
-Patch0008:  0008-api-omit-missing-Created-field-from-ImageInspect-res.patch
+Patch1006:  1006-fix-libnetwork-osl-test-TestAddRemoveInterface.patch
-Patch0009:  0009-integration-Add-container-output-utility.patch
+Patch1007:  1007-api-omit-missing-Created-field-from-ImageInspect-res.patch
-Patch0010:  0010-mounts-validate-Don-t-check-source-exists-with-Creat.patch
+Patch1008:  1008-integration-Add-container-output-utility.patch
+Patch1009:  1009-mounts-validate-Don-t-check-source-exists-with-Creat.patch
+Patch1010:  1010-fix-CVE-2024-36621.patch
+Patch1011:  1011-fix-CVE-2024-36620.patch
+Patch1012:  1012-fix-CVE-2024-36623.patch
+# Patch 2001-2999 for tini
+Patch2001:  2001-tini.c-a-function-declaration-without-a-prototype-is.patch
 Requires(meta): %{name}-engine = %{version}-%{release}
 Requires(meta): %{name}-client = %{version}-%{release}
 
@@ -108,18 +114,11 @@ Proxy used for docker port mapping.
 
 %prep
 %setup -q -n %{_source_client}
+%autopatch -p1 -m 0001 -M 0999
 %setup -q -T -n %{_source_engine} -b 1
-%patch 0001 -p1
+%autopatch -p1 -m 1001 -M 1999
-%patch 0002 -p1
-%patch 0003 -p1
-%patch 0004 -p1
-%patch 0005 -p1
-%patch 0007 -p1
-%patch 0008 -p1
-%patch 0009 -p1
-%patch 0010 -p1
 %setup -q -T -n %{_source_docker_init} -b 2
-%patch 0006 -p1
+%autopatch -p1 -m 2001 -M 2999
 
 %build
 export GO111MODULE=off
@@ -128,6 +127,8 @@ export DOCKER_GITCOMMIT=%{_gitcommit_engine}
 export DOCKER_BUILDTAGS="exclude_graphdriver_btrfs"
 
 pushd %{_builddir}/%{_source_engine}
+CGO_CFLAGS="%{build_cflags}" \
+CGO_LDFLAGS="%{build_ldflags}" \
 AUTO_GOPATH=1 VERSION=%{version} PRODUCT=docker hack/make.sh dynbinary
 popd
 
@@ -224,6 +225,10 @@ fi
 %systemd_postun_with_restart docker.service
 
 %changelog
+* Sat Nov 30 2024 Funda Wang <fundawang@yeah.net> - 25.0.3-22
+- fix CVE-2024-36620, CVE-2024-36621, CVE-2024-36623
+- reorganize patches so that they could be applied automatically
+
 * Fri Nov 29 2024 Funda Wang <fundawang@yeah.net> - 25.0.3-21
 - convert patches into unix format