Re: [Buildroot] [PATCH v1 2/2] package/docker-cli: backport fix for host header check

From: Peter Korsgaard <peter@korsgaard.com>
To: "TIAN Yuanhao" <tianyuanhao3@163.com>
Cc: Christian Stewart <christian@aperture.us>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v1 2/2] package/docker-cli: backport fix for host header check
Date: Wed, 06 Sep 2023 21:01:07 +0200	[thread overview]
Message-ID: <87pm2vgm8c.fsf@48ers.dk> (raw)
In-Reply-To: <845cccd.4d5f.18977003291.Coremail.tianyuanhao3@163.com> (TIAN Yuanhao's message of "Fri, 21 Jul 2023 13:50:48 +0800 (CST)")

>>>>> "TIAN" == TIAN Yuanhao <tianyuanhao3@163.com> writes:

 > Tested-by: TIAN Yuanhao <tianyuanhao3@163.com>
 > At 2023-07-17 12:10:47, "Christian Stewart via buildroot" <buildroot@buildroot.org> wrote:
 >> Go 1.20.6 and 1.19.11 include a security check of the http Host header:
 >> 
 >> https://github.com/golang/go/issues/60374
 >> 
 >> docker-cli does not satisfy this check:
 >> 
 >> $ docker exec -it ctr bash
 >> http: invalid Host header
 >> 
 >> This is a backported patch to fix this issue:
 >> 
 >> Issue: https://github.com/moby/moby/issues/45935
 >> Upstream PR: https://github.com/moby/moby/pull/45942
 >> 
 >> The upstream PR has been merged and will be included in v24.0.5.
 >> 
 >> Signed-off-by: Christian Stewart <christian@aperture.us>
 >> ---
 >> ...ackport-fix-for-go-Host-header-check.patch | 270 ++++++++++++++++++
 >> 1 file changed, 270 insertions(+)
 >> create mode 100644 package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
 >> 
 >> diff --git a/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
 >> new file mode 100644
 >> index 0000000000..2d16fd6df2
 >> --- /dev/null
 >> +++ b/package/docker-cli/0001-backport-fix-for-go-Host-header-check.patch
 >> @@ -0,0 +1,270 @@
 >> +From 4dc783e2bdf414761ef7c209b435d0a30f17c858 Mon Sep 17 00:00:00 2001
 >> +From: Sebastiaan van Stijn <github@gone.nl>
 >> +Date: Sat, 15 Jul 2023 02:22:10 +0200
 >> +Subject: [PATCH] backport fix for go Host header check
 >> +
 >> +Go 1.20.6 and 1.19.11 include a security check of the http Host header:
 >> +    
 >> +  https://github.com/golang/go/issues/60374
 >> +
 >> +docker-cli fails this check:
 >> +
 >> +  $ docker exec -it ctr bash
 >> +  http: invalid Host header
 >> +
 >> +This is a backported patch to fix this issue.
 >> +
 >> +Issue: https://github.com/moby/moby/issues/45935
 >> +Upstream PR: https://github.com/moby/moby/pull/45942
 >> +
 >> +The upstream PR has been merged and will be included in v24.0.5.
 >> +
 >> +Signed-off-by: Christian Stewart <christian@aperture.us>
 >> +
 >> +---
 >> +
 >> +For local communications (npipe://, unix://), the hostname is not used,
 >> +but we need valid and meaningful hostname.
 >> +
 >> +The current code used the socket path as hostname, which gets rejected by
 >> +go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
 >> +which was implemented in  https://go.dev/issue/60374.
 >> +
 >> +Prior versions go Go would clean the host header, and strip slashes in the
 >> +process, but go1.20.6 and go1.19.11 no longer do, and reject the host
 >> +header.
 >> +---
 >> + vendor.mod                                    | 16 +++++-----
 >> + vendor.sum                                    | 32 +++++++++----------

Do we really need the changes to vendor.mod / vendor.sum? They didn't
apply to 23.0.5 here, so I dropped those hunks.

Committed with that fixed to 2023.02.x and 2023.05.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot