* [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620
From: Praveen Kumar @ 2025-03-26 19:50 UTC
To: meta-virtualization; +Cc: Praveen Kumar
moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference
via daemon/images/image_history.go.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-36620
Upstream-patch:
https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
recipes-containers/docker/docker-moby_git.bb | 1 +
.../docker/files/CVE-2024-36620.patch | 40 +++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 recipes-containers/docker/files/CVE-2024-36620.patch
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index 0abb0b3f..a1879ed2 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -56,6 +56,7 @@ SRC_URI = "\
file://0001-libnetwork-use-GO-instead-of-go.patch \
file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
+ file://CVE-2024-36620.patch;patchdir=src/import \
"
DOCKER_COMMIT = "${SRCREV_moby}"
diff --git a/recipes-containers/docker/files/CVE-2024-36620.patch b/recipes-containers/docker/files/CVE-2024-36620.patch
new file mode 100644
index 00000000..7bce4137
--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2024-36620.patch
@@ -0,0 +1,40 @@
+From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001
+From: Christopher Petito <47751006+krissetto@users.noreply.github.com>
+Date: Fri, 19 Apr 2024 10:44:30 +0000
+Subject: [PATCH] nil dereference fix on image history Created value
+
+Issue was caused by the changes here https://github.com/moby/moby/pull/45504
+First released in v25.0.0-beta.1
+
+CVE: CVE-2024-36620
+
+Upstream-Status:
+Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ daemon/images/image_history.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go
+index dcf7a906aa..e5adda8639 100644
+--- a/daemon/images/image_history.go
++++ b/daemon/images/image_history.go
+@@ -41,10 +41,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image.
+ layer.ReleaseAndLog(i.layerStore, l)
+ layerCounter++
+ }
++ var created int64
++ if h.Created != nil {
++ created = h.Created.Unix()
++ }
+
+ history = append([]*image.HistoryResponseItem{{
+ ID: "<missing>",
+- Created: h.Created.Unix(),
++ Created: created,
+ CreatedBy: h.CreatedBy,
+ Comment: h.Comment,
+ Size: layerSize,
+--
+2.40.0
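Review bot: the embedded patch header splits the status tag over two lines ("Upstream-Status:" on one line, "Backport [...]" on the next); Yocto convention and patchtest expect `Upstream-Status: Backport [url]` on a single line, so fold it before merging. On the change itself, a nil h.Created now yields `Created: 0` in the history response, the Unix epoch rather than a crash, which is upstream's choice but leaves API clients unable to tell "unknown" from 1970-01-01; one sentence in the commit message saying so would help anyone debugging odd timestamps in docker history output.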
--
2.40.0
* [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621
From: Praveen Kumar @ 2025-03-26 19:50 UTC
To: meta-virtualization; +Cc: Praveen Kumar
moby v25.0.5 is affected by a Race Condition in
builder/builder-next/adapters/snapshot/layer.go. The vulnerability could
be used to trigger concurrent builds that call the EnsureLayer function
resulting in resource leaks/exhaustion.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-36621
Upstream-patch:
https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
recipes-containers/docker/docker-moby_git.bb | 1 +
.../docker/files/CVE-2024-36621.patch | 83 +++++++++++++++++++
2 files changed, 84 insertions(+)
create mode 100644 recipes-containers/docker/files/CVE-2024-36621.patch
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index a1879ed2..d274b002 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -57,6 +57,7 @@ SRC_URI = "\
file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
file://CVE-2024-36620.patch;patchdir=src/import \
+ file://CVE-2024-36621.patch;patchdir=src/import \
"
DOCKER_COMMIT = "${SRCREV_moby}"
diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch
new file mode 100644
index 00000000..a6c06ef2
--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2024-36621.patch
@@ -0,0 +1,83 @@
+From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 6 Mar 2024 23:11:32 -0800
+Subject: [PATCH] builder-next: fix missing lock in ensurelayer
+
+When this was called concurrently from the moby image
+exporter there could be a data race where a layer was
+written to the refs map when it was already there.
+
+In that case the reference count got mixed up and on
+release only one of these layers was actually released.
+
+CVE: CVE-2024-36621
+
+Upstream-Status:
+Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ .../builder-next/adapters/snapshot/layer.go | 3 +++
+ .../adapters/snapshot/snapshot.go | 19 +++++++++++--------
+ 2 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
+index 73120ea70b..fc83058339 100644
+--- a/builder/builder-next/adapters/snapshot/layer.go
++++ b/builder/builder-next/adapters/snapshot/layer.go
+@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
+ }
+
+ func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
++ s.layerCreateLocker.Lock(key)
++ defer s.layerCreateLocker.Unlock(key)
++
+ diffIDs, err := s.GetDiffIDs(ctx, key)
+ if err != nil {
+ return nil, err
+diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
+index a0d28ad984..510ffefb49 100644
+--- a/builder/builder-next/adapters/snapshot/snapshot.go
++++ b/builder/builder-next/adapters/snapshot/snapshot.go
+@@ -17,6 +17,7 @@ import (
+ "github.com/moby/buildkit/identity"
+ "github.com/moby/buildkit/snapshot"
+ "github.com/moby/buildkit/util/leaseutil"
++ "github.com/moby/locker"
+ "github.com/opencontainers/go-digest"
+ "github.com/pkg/errors"
+ bolt "go.etcd.io/bbolt"
+@@ -51,10 +52,11 @@ type checksumCalculator interface {
+ type snapshotter struct {
+ opt Opt
+
+- refs map[string]layer.Layer
+- db *bolt.DB
+- mu sync.Mutex
+- reg graphIDRegistrar
++ refs map[string]layer.Layer
++ db *bolt.DB
++ mu sync.Mutex
++ reg graphIDRegistrar
++ layerCreateLocker *locker.Locker
+ }
+
+ // NewSnapshotter creates a new snapshotter
+@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
+ }
+
+ s := &snapshotter{
+- opt: opt,
+- db: db,
+- refs: map[string]layer.Layer{},
+- reg: reg,
++ opt: opt,
++ db: db,
++ refs: map[string]layer.Layer{},
++ reg: reg,
++ layerCreateLocker: locker.New(),
+ }
+
+ slm := newLeaseManager(s, prevLM)
+--
+2.40.0
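Review bot: same two-line Upstream-Status tag as in 1/3; fold it to one line. The hunk adds `"github.com/moby/locker"` to snapshot.go's imports, so this backport only compiles if that module is already present in moby's vendor tree at the SRCREV_moby scarthgap pins; please confirm vendor/github.com/moby/locker exists there, since a missing vendored package is a build break rather than a runtime regression. The lock placement itself looks right: EnsureLayer takes layerCreateLocker for the key before GetDiffIDs and releases it via defer on return, so lookup-then-create is serialised per key while s.mu still guards the refs map and unrelated keys proceed in parallel.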
--
2.40.0
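The per-key locking that the backported commit adds to EnsureLayer, as an added Go example rather than code from the patch or from moby: KeyLocker is a small stand-in for github.com/moby/locker, Snapshotter and Layer are simplified models of the lookup, build and store steps, and the layer key is a constructed value. Race runs the same path with and without the lock so the layers leaked by concurrent callers are measured rather than only described.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// KeyLocker is a small per-key mutex written for this example in the spirit
// of github.com/moby/locker (not that library's code): locking one key does
// not block callers working on a different key.
type KeyLocker struct {
	mu    sync.Mutex
	locks map[string]*keyLock
}

// keyLock: one mutex per key plus a count of holders and waiters.
type keyLock struct {
	mu      sync.Mutex
	waiters int
}

func NewKeyLocker() *KeyLocker { return &KeyLocker{locks: map[string]*keyLock{}} }

func (l *KeyLocker) Lock(key string) {
	l.mu.Lock()
	kl, ok := l.locks[key]
	if !ok {
		kl = &keyLock{}
		l.locks[key] = kl
	}
	kl.waiters++
	l.mu.Unlock()
	kl.mu.Lock()
}

func (l *KeyLocker) Unlock(key string) {
	l.mu.Lock()
	kl := l.locks[key]
	kl.waiters--
	if kl.waiters == 0 {
		delete(l.locks, key) // last user: drop the entry so the map stays small
	}
	l.mu.Unlock()
	kl.mu.Unlock()
}

// Layer stands in for layer.Layer; Snapshotter models EnsureLayer's path of
// lookup in refs, slow layer build, then write into refs.
type Layer struct{ Key string }

type Snapshotter struct {
	mu                sync.Mutex // guards refs, like s.mu in snapshot.go
	refs              map[string]*Layer
	layerCreateLocker *KeyLocker // nil reproduces the unpatched behaviour
	built             int64      // how many times the build step ran
}

func (s *Snapshotter) EnsureLayer(key string) *Layer {
	if s.layerCreateLocker != nil {
		s.layerCreateLocker.Lock(key)
		defer s.layerCreateLocker.Unlock(key)
	}
	s.mu.Lock()
	l, ok := s.refs[key]
	s.mu.Unlock()
	if ok {
		return l
	}
	// Building is slow and runs without s.mu. Without the per-key lock every
	// caller that looked up the key before the first write builds and stores
	// its own Layer; all but the last one stored are leaked.
	time.Sleep(time.Millisecond)
	atomic.AddInt64(&s.built, 1)
	l = &Layer{Key: key}
	s.mu.Lock()
	s.refs[key] = l
	s.mu.Unlock()
	return l
}

// Race runs n concurrent EnsureLayer calls for one constructed key (locker
// nil = unpatched) and reports layers built and layers built but lost from refs.
func Race(n int, locker *KeyLocker) (built, leaked int64) {
	s := &Snapshotter{refs: map[string]*Layer{}, layerCreateLocker: locker}
	var wg sync.WaitGroup
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			s.EnsureLayer("sha256:constructed-layer-key")
		}()
	}
	wg.Wait()
	built = atomic.LoadInt64(&s.built)
	return built, built - int64(len(s.refs))
}

func main() {
	ub, ul := Race(8, nil)
	pb, pl := Race(8, NewKeyLocker())
	fmt.Printf("unpatched: built %d leaked %d; patched: built %d leaked %d\n", ub, ul, pb, pl)
}
```

The patched run always builds one layer and leaks none; the unpatched run typically builds one layer per caller and keeps only the last one stored.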
* [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5
From: Praveen Kumar @ 2025-03-26 19:50 UTC
To: meta-virtualization; +Cc: Praveen Kumar
This upgrade fixes:
CVE-2024-11218
CVE-2024-3727
Changelog:
==========
https://github.com/containers/buildah/releases?q=1.35.5
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
...SecureJoin-when-forming-userns-paths.patch | 155 +++++++++---------
recipes-containers/buildah/buildah_git.bb | 8 +-
2 files changed, 84 insertions(+), 79 deletions(-)
diff --git a/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch b/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
index 73040e82..25f15715 100644
--- a/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+++ b/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
@@ -23,16 +23,17 @@ CVE: CVE-2024-9676
Upstream-Status: Backport [854570c44c219c2b92b03b36b7a2069a32e2c08a]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
- userns.go | 92 ++++++++++++++++++++++++++++++-------------
- userns_unsupported.go | 14 +++++++
- 2 files changed, 79 insertions(+), 27 deletions(-)
- create mode 100644 userns_unsupported.go
+ .../github.com/containers/storage/userns.go | 97 +++++++++++++------
+ .../containers/storage/userns_unsupported.go | 14 +++
+ 2 files changed, 83 insertions(+), 28 deletions(-)
+ create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go
-diff --git a/userns.go b/userns.go
-index 32ae830be..2c855da7c 100644
---- a/userns.go
-+++ b/userns.go
+diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go
+index 57120731b..086f8336b 100644
+--- a/vendor/github.com/containers/storage/userns.go
++++ b/vendor/github.com/containers/storage/userns.go
@@ -1,18 +1,21 @@
+//go:build linux
+
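Review bot: the Upstream-Status line cites a bare commit (854570c44c219c2b92b03b36b7a2069a32e2c08a) with no repository, and this hunk retargets the patch from a standalone containers/storage tree (userns.go) to buildah's vendored copy (vendor/github.com/containers/storage/userns.go); say which repository the hash belongs to so the next rebase can find the original fix, and mention in the commit message that the patch was refreshed for the vendored path rather than leaving the added Signed-off-by as the only hint.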
@@ -50,36 +51,37 @@ index 32ae830be..2c855da7c 100644
"github.com/containers/storage/pkg/unshare"
"github.com/containers/storage/types"
+ securejoin "github.com/cyphar/filepath-securejoin"
- libcontainerUser "github.com/opencontainers/runc/libcontainer/user"
+ libcontainerUser "github.com/moby/sys/user"
"github.com/sirupsen/logrus"
+ "golang.org/x/sys/unix"
)
// getAdditionalSubIDs looks up the additional IDs configured for
-@@ -85,40 +88,59 @@ const nobodyUser = 65534
+@@ -85,40 +88,62 @@ const nobodyUser = 65534
// parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and
// /etc/group files.
func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 {
-+ var (
-+ passwd *os.File
-+ group *os.File
-+ size int
-+ err error
-+ )
++ var (
++ passwd *os.File
++ group *os.File
++ size int
++ err error
++ )
if passwdFile == "" {
- passwdFile = filepath.Join(containerMount, "etc/passwd")
- }
- if groupFile == "" {
- groupFile = filepath.Join(groupFile, "etc/group")
-+ passwd, err = secureOpen(containerMount, "/etc/passwd")
-+ } else {
-+ // User-specified override from a volume. Will not be in
-+ // container root.
-+ passwd, err = os.Open(passwdFile)
- }
+- }
-
- size := 0
--
++ passwd, err = secureOpen(containerMount, "/etc/passwd")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ passwd, err = os.Open(passwdFile)
++ }
+
- users, err := libcontainerUser.ParsePasswdFile(passwdFile)
if err == nil {
- for _, u := range users {
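Review bot: nearly every removed/added pair in this hunk is identical once leading whitespace is ignored (`-+ var (` / `++ var (`, `-+ passwd, err = secureOpen(containerMount, "/etc/passwd")` / `++ passwd, err = secureOpen(containerMount, "/etc/passwd")`), so the churn comes from regenerating the inner patch with different indentation; the only substantive difference is the inner hunk header moving from `+88,59` to `+88,62` (three extra blank or brace lines). Regenerating with the original whitespace would shrink this to the path and line-count changes and make the real change reviewable.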
@@ -93,34 +95,36 @@ index 32ae830be..2c855da7c 100644
- }
- if u.Gid > size && u.Gid != nobodyUser {
- size = u.Gid
-+ defer passwd.Close()
+
-+ users, err := libcontainerUser.ParsePasswd(passwd)
-+ if err == nil {
-+ for _, u := range users {
-+ // Skip the "nobody" user otherwise we end up with 65536
-+ // ids with most images
-+ if u.Name == "nobody" || u.Name == "nogroup" {
-+ continue
-+ }
-+ if u.Uid > size && u.Uid != nobodyUser {
-+ size = u.Uid + 1
-+ }
-+ if u.Gid > size && u.Gid != nobodyUser {
-+ size = u.Gid + 1
-+ }
++ defer passwd.Close()
++
++ users, err := libcontainerUser.ParsePasswd(passwd)
++ if err == nil {
++ for _, u := range users {
++ // Skip the "nobody" user otherwise we end up with 65536
++ // ids with most images
++ if u.Name == "nobody" || u.Name == "nogroup" {
++ continue
++ }
++ if u.Uid > size && u.Uid != nobodyUser {
++ size = u.Uid + 1
++ }
++ if u.Gid > size && u.Gid != nobodyUser {
++ size = u.Gid + 1
++ }
++
}
}
}
-
+-
- groups, err := libcontainerUser.ParseGroupFile(groupFile)
-+ if groupFile == "" {
-+ group, err = secureOpen(containerMount, "/etc/group")
-+ } else {
-+ // User-specified override from a volume. Will not be in
-+ // container root.
-+ group, err = os.Open(groupFile)
-+ }
++ if groupFile == "" {
++ group, err = secureOpen(containerMount, "/etc/group")
++ } else {
++ // User-specified override from a volume. Will not be in
++ // container root.
++ group, err = os.Open(groupFile)
++ }
if err == nil {
- for _, g := range groups {
- if g.Name == "nobody" {
@@ -128,60 +132,61 @@ index 32ae830be..2c855da7c 100644
- }
- if g.Gid > size && g.Gid != nobodyUser {
- size = g.Gid
-+ defer group.Close()
++ defer group.Close()
++
++ groups, err := libcontainerUser.ParseGroup(group)
++ if err == nil {
++ for _, g := range groups {
++ if g.Name == "nobody" || g.Name == "nogroup" {
++ continue
++ }
++ if g.Gid > size && g.Gid != nobodyUser {
++ size = g.Gid + 1
++ }
+
-+ groups, err := libcontainerUser.ParseGroup(group)
-+ if err == nil {
-+ for _, g := range groups {
-+ if g.Name == "nobody" || g.Name == "nogroup" {
-+ continue
-+ }
-+ if g.Gid > size && g.Gid != nobodyUser {
-+ size = g.Gid + 1
-+ }
}
}
}
-@@ -309,3 +331,19 @@ func getAutoUserNSIDMappings(
+@@ -309,3 +334,19 @@ func getAutoUserNSIDMappings(
gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...)
return uidMap, gidMap, nil
}
+
+// Securely open (read-only) a file in a container mount.
+func secureOpen(containerMount, file string) (*os.File, error) {
-+ filePath, err := securejoin.SecureJoin(containerMount, file)
-+ if err != nil {
-+ return nil, err
-+ }
++ filePath, err := securejoin.SecureJoin(containerMount, file)
++ if err != nil {
++ return nil, err
++ }
+
-+ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
-+ fileHandle, err := os.OpenFile(filePath, flags, 0)
-+ if err != nil {
-+ return nil, err
-+ }
++ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
++ fileHandle, err := os.OpenFile(filePath, flags, 0)
++ if err != nil {
++ return nil, err
++ }
+
-+ return fileHandle, nil
++ return fileHandle, nil
+}
-diff --git a/userns_unsupported.go b/userns_unsupported.go
+diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go
new file mode 100644
-index 000000000..e37c18fe4
+index 000000000..3905bd3ce
--- /dev/null
-+++ b/userns_unsupported.go
++++ b/vendor/github.com/containers/storage/userns_unsupported.go
@@ -0,0 +1,14 @@
+//go:build !linux
+
+package storage
+
+import (
-+ "errors"
++ "errors"
+
-+ "github.com/containers/storage/pkg/idtools"
-+ "github.com/containers/storage/types"
++ "github.com/containers/storage/pkg/idtools"
++ "github.com/containers/storage/types"
+)
+
+func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
-+ return nil, nil, errors.New("user namespaces are not supported on this platform")
++ return nil, nil, errors.New("user namespaces are not supported on this platform")
+}
--
-2.25.1
+2.40.0
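Review bot: secureOpen opens the joined path with `unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY`, and an O_PATH descriptor cannot be read from (read(2) on it fails with EBADF), so the later `libcontainerUser.ParsePasswd(passwd)` and `ParseGroup(group)` calls on that *os.File will fail; because both results are consumed only under `if err == nil`, the failure is silent and parseMountedFiles returns a size derived from nothing. That is what the referenced upstream commit does, so this is a faithful backport, but check whether containers/storage later reopened the handle for reading and carry that follow-up in the same refresh. The inner trailer moving from 2.25.1 to 2.40.0 confirms the patch was regenerated rather than hand-edited.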
diff --git a/recipes-containers/buildah/buildah_git.bb b/recipes-containers/buildah/buildah_git.bb
index 288a1cb0..fd2503fe 100644
--- a/recipes-containers/buildah/buildah_git.bb
+++ b/recipes-containers/buildah/buildah_git.bb
@@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://src/github.com/containers/buildah/LICENSE;md5=e3fc50a
S = "${WORKDIR}/git"
-BUILDAH_VERSION = "1.34.3"
+BUILDAH_VERSION = "1.35.5"
PV = "${BUILDAH_VERSION}"
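Review bot: BUILDAH_VERSION goes from 1.34.3 to 1.35.5, a minor-version jump rather than a point release; on the scarthgap release branch the expected form is either a 1.34.x bump or separate backport patch files for CVE-2024-11218 and CVE-2024-3727, as was done for CVE-2024-9676 in this same recipe. The maintainer's reply in this thread makes the same point.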
@@ -28,12 +28,12 @@ GO_WORKDIR = "${GO_INSTALL}"
GOBUILDFLAGS += "-mod vendor"
SRCREV_FORMAT = "buildah_storage"
-SRCREV_buildah = "2db756331014a4f355507df47d2622d05532da1f"
+SRCREV_buildah = "df0b92073ee9d34c1f86e03b4ffb17ec25e514e4"
SRCREV_storage = "246ba3062e8b551026aef2708eee747014ce5c52"
SRC_URI = " \
- git://github.com/containers/buildah;branch=release-1.34;name=buildah;protocol=https \
- file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/vendor/github.com/containers/storage \
+ git://github.com/containers/buildah;branch=release-1.35;name=buildah;protocol=https \
+ file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/ \
"
DEPENDS = "libdevmapper btrfs-tools gpgme"
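Review bot: SRCREV_buildah and the branch move to 1.35, and the patchdir now points at buildah's own tree (src/github.com/containers/buildah/) so the SecureJoin patch applies to the vendored storage copy, but SRCREV_storage (context line, 246ba3062e8b551026aef2708eee747014ce5c52) and its name in SRCREV_FORMAT are left untouched; either the separate storage checkout is still consumed and needs bumping to what 1.35.5 vendors, or it is now unused and should be dropped together with its entry in SRCREV_FORMAT.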
--
2.40.0
* Re: [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5
From: Bruce Ashfield @ 2025-03-26 20:05 UTC
To: praveen.kumar; +Cc: meta-virtualization
On Wed, Mar 26, 2025 at 3:50 PM Praveen Kumar via lists.yoctoproject.org
<praveen.kumar=windriver.com@lists.yoctoproject.org> wrote:
> This upgrade fixes:
> CVE-2024-11218
> CVE-2024-3727
>
> Changelog:
> ==========
> https://github.com/containers/buildah/releases?q=1.35.5
Links to changelogs are not useful; they can't be searched when looking at
the git history.
That being said, this isn't an upgrade we can do in a released branch.
Only 3rd digit upgrades are "stable".
Bruce
>
> Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> ---
> ...SecureJoin-when-forming-userns-paths.patch | 155 +++++++++---------
> recipes-containers/buildah/buildah_git.bb | 8 +-
> 2 files changed, 84 insertions(+), 79 deletions(-)
>
> diff --git
> a/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
> b/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
> index 73040e82..25f15715 100644
> ---
> a/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
> +++
> b/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
> @@ -23,16 +23,17 @@ CVE: CVE-2024-9676
> Upstream-Status: Backport [854570c44c219c2b92b03b36b7a2069a32e2c08a]
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> ---
> - userns.go | 92 ++++++++++++++++++++++++++++++-------------
> - userns_unsupported.go | 14 +++++++
> - 2 files changed, 79 insertions(+), 27 deletions(-)
> - create mode 100644 userns_unsupported.go
> + .../github.com/containers/storage/userns.go | 97 +++++++++++++------
> + .../containers/storage/userns_unsupported.go | 14 +++
> + 2 files changed, 83 insertions(+), 28 deletions(-)
> + create mode 100644 vendor/
> github.com/containers/storage/userns_unsupported.go
>
> -diff --git a/userns.go b/userns.go
> -index 32ae830be..2c855da7c 100644
> ---- a/userns.go
> -+++ b/userns.go
> +diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/
> github.com/containers/storage/userns.go
> +index 57120731b..086f8336b 100644
> +--- a/vendor/github.com/containers/storage/userns.go
> ++++ b/vendor/github.com/containers/storage/userns.go
> @@ -1,18 +1,21 @@
> +//go:build linux
> +
> @@ -50,36 +51,37 @@ index 32ae830be..2c855da7c 100644
> "github.com/containers/storage/pkg/unshare"
> "github.com/containers/storage/types"
> + securejoin "github.com/cyphar/filepath-securejoin"
> - libcontainerUser "github.com/opencontainers/runc/libcontainer/user
> "
> + libcontainerUser "github.com/moby/sys/user"
> "github.com/sirupsen/logrus"
> + "golang.org/x/sys/unix"
> )
>
> // getAdditionalSubIDs looks up the additional IDs configured for
> -@@ -85,40 +88,59 @@ const nobodyUser = 65534
> +@@ -85,40 +88,62 @@ const nobodyUser = 65534
> // parseMountedFiles returns the maximum UID and GID found in the
> /etc/passwd and
> // /etc/group files.
> func parseMountedFiles(containerMount, passwdFile, groupFile string)
> uint32 {
> -+ var (
> -+ passwd *os.File
> -+ group *os.File
> -+ size int
> -+ err error
> -+ )
> ++ var (
> ++ passwd *os.File
> ++ group *os.File
> ++ size int
> ++ err error
> ++ )
> if passwdFile == "" {
> - passwdFile = filepath.Join(containerMount, "etc/passwd")
> - }
> - if groupFile == "" {
> - groupFile = filepath.Join(groupFile, "etc/group")
> -+ passwd, err = secureOpen(containerMount, "/etc/passwd")
> -+ } else {
> -+ // User-specified override from a volume. Will not be in
> -+ // container root.
> -+ passwd, err = os.Open(passwdFile)
> - }
> +- }
> -
> - size := 0
> --
> ++ passwd, err = secureOpen(containerMount, "/etc/passwd")
> ++ } else {
> ++ // User-specified override from a volume. Will not be in
> ++ // container root.
> ++ passwd, err = os.Open(passwdFile)
> ++ }
> +
> - users, err := libcontainerUser.ParsePasswdFile(passwdFile)
> if err == nil {
> - for _, u := range users {
> @@ -93,34 +95,36 @@ index 32ae830be..2c855da7c 100644
> - }
> - if u.Gid > size && u.Gid != nobodyUser {
> - size = u.Gid
> -+ defer passwd.Close()
> +
> -+ users, err := libcontainerUser.ParsePasswd(passwd)
> -+ if err == nil {
> -+ for _, u := range users {
> -+ // Skip the "nobody" user otherwise we end
> up with 65536
> -+ // ids with most images
> -+ if u.Name == "nobody" || u.Name ==
> "nogroup" {
> -+ continue
> -+ }
> -+ if u.Uid > size && u.Uid != nobodyUser {
> -+ size = u.Uid + 1
> -+ }
> -+ if u.Gid > size && u.Gid != nobodyUser {
> -+ size = u.Gid + 1
> -+ }
> ++ defer passwd.Close()
> ++
> ++ users, err := libcontainerUser.ParsePasswd(passwd)
> ++ if err == nil {
> ++ for _, u := range users {
> ++ // Skip the "nobody" user otherwise we
> end up with 65536
> ++ // ids with most images
> ++ if u.Name == "nobody" || u.Name ==
> "nogroup" {
> ++ continue
> ++ }
> ++ if u.Uid > size && u.Uid != nobodyUser {
> ++ size = u.Uid + 1
> ++ }
> ++ if u.Gid > size && u.Gid != nobodyUser {
> ++ size = u.Gid + 1
> ++ }
> ++
> }
> }
> }
> -
> +-
> - groups, err := libcontainerUser.ParseGroupFile(groupFile)
> -+ if groupFile == "" {
> -+ group, err = secureOpen(containerMount, "/etc/group")
> -+ } else {
> -+ // User-specified override from a volume. Will not be in
> -+ // container root.
> -+ group, err = os.Open(groupFile)
> -+ }
> ++ if groupFile == "" {
> ++ group, err = secureOpen(containerMount, "/etc/group")
> ++ } else {
> ++ // User-specified override from a volume. Will not be in
> ++ // container root.
> ++ group, err = os.Open(groupFile)
> ++ }
> if err == nil {
> - for _, g := range groups {
> - if g.Name == "nobody" {
> @@ -128,60 +132,61 @@ index 32ae830be..2c855da7c 100644
> - }
> - if g.Gid > size && g.Gid != nobodyUser {
> - size = g.Gid
> -+ defer group.Close()
> ++ defer group.Close()
> ++
> ++ groups, err := libcontainerUser.ParseGroup(group)
> ++ if err == nil {
> ++ for _, g := range groups {
> ++ if g.Name == "nobody" || g.Name ==
> "nogroup" {
> ++ continue
> ++ }
> ++ if g.Gid > size && g.Gid != nobodyUser {
> ++ size = g.Gid + 1
> ++ }
> +
> -+ groups, err := libcontainerUser.ParseGroup(group)
> -+ if err == nil {
> -+ for _, g := range groups {
> -+ if g.Name == "nobody" || g.Name ==
> "nogroup" {
> -+ continue
> -+ }
> -+ if g.Gid > size && g.Gid != nobodyUser {
> -+ size = g.Gid + 1
> -+ }
> }
> }
> }
> -@@ -309,3 +331,19 @@ func getAutoUserNSIDMappings(
> +@@ -309,3 +334,19 @@ func getAutoUserNSIDMappings(
> gidMap := append(availableGIDs.zip(requestedContainerGIDs),
> additionalGIDMappings...)
> return uidMap, gidMap, nil
> }
> +
> +// Securely open (read-only) a file in a container mount.
> +func secureOpen(containerMount, file string) (*os.File, error) {
> -+ filePath, err := securejoin.SecureJoin(containerMount, file)
> -+ if err != nil {
> -+ return nil, err
> -+ }
> ++ filePath, err := securejoin.SecureJoin(containerMount, file)
> ++ if err != nil {
> ++ return nil, err
> ++ }
> +
> -+ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
> -+ fileHandle, err := os.OpenFile(filePath, flags, 0)
> -+ if err != nil {
> -+ return nil, err
> -+ }
> ++ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY
> ++ fileHandle, err := os.OpenFile(filePath, flags, 0)
> ++ if err != nil {
> ++ return nil, err
> ++ }
> +
> -+ return fileHandle, nil
> ++ return fileHandle, nil
> +}
> -diff --git a/userns_unsupported.go b/userns_unsupported.go
> +diff --git a/vendor/github.com/containers/storage/userns_unsupported.go
> b/vendor/github.com/containers/storage/userns_unsupported.go
> new file mode 100644
> -index 000000000..e37c18fe4
> +index 000000000..3905bd3ce
> --- /dev/null
> -+++ b/userns_unsupported.go
> ++++ b/vendor/github.com/containers/storage/userns_unsupported.go
> @@ -0,0 +1,14 @@
> +//go:build !linux
> +
> +package storage
> +
> +import (
> -+ "errors"
> ++ "errors"
> +
> -+ "github.com/containers/storage/pkg/idtools"
> -+ "github.com/containers/storage/types"
> ++ "github.com/containers/storage/pkg/idtools"
> ++ "github.com/containers/storage/types"
> +)
> +
> +func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _
> rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) {
> -+ return nil, nil, errors.New("user namespaces are not supported on
> this platform")
> ++ return nil, nil, errors.New("user namespaces are not supported on
> this platform")
> +}
> --
> -2.25.1
> +2.40.0
>
> diff --git a/recipes-containers/buildah/buildah_git.bb
> b/recipes-containers/buildah/buildah_git.bb
> index 288a1cb0..fd2503fe 100644
> --- a/recipes-containers/buildah/buildah_git.bb
> +++ b/recipes-containers/buildah/buildah_git.bb
> @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://src/
> github.com/containers/buildah/LICENSE;md5=e3fc50a
>
> S = "${WORKDIR}/git"
>
> -BUILDAH_VERSION = "1.34.3"
> +BUILDAH_VERSION = "1.35.5"
>
> PV = "${BUILDAH_VERSION}"
>
> @@ -28,12 +28,12 @@ GO_WORKDIR = "${GO_INSTALL}"
> GOBUILDFLAGS += "-mod vendor"
>
> SRCREV_FORMAT = "buildah_storage"
> -SRCREV_buildah = "2db756331014a4f355507df47d2622d05532da1f"
> +SRCREV_buildah = "df0b92073ee9d34c1f86e03b4ffb17ec25e514e4"
> SRCREV_storage = "246ba3062e8b551026aef2708eee747014ce5c52"
>
> SRC_URI = " \
> - git://
> github.com/containers/buildah;branch=release-1.34;name=buildah;protocol=https
> \
> -
> file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/
> github.com/containers/buildah/vendor/github.com/containers/storage \
> + git://
> github.com/containers/buildah;branch=release-1.35;name=buildah;protocol=https
> \
> +
> file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/
> github.com/containers/buildah/ \
> "
>
> DEPENDS = "libdevmapper btrfs-tools gpgme"
> --
> 2.40.0
--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II
* Re: [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620
From: Bruce Ashfield @ 2025-04-02 2:21 UTC
To: praveen.kumar; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620
on 26/03/2025 Praveen Kumar via lists.yoctoproject.org wrote:
> moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference
> via daemon/images/image_history.go.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2024-36620
>
> Upstream-patch:
> https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4
>
> Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> ---
> recipes-containers/docker/docker-moby_git.bb | 1 +
> .../docker/files/CVE-2024-36620.patch | 40 +++++++++++++++++++
> 2 files changed, 41 insertions(+)
> create mode 100644 recipes-containers/docker/files/CVE-2024-36620.patch
>
> diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
> index 0abb0b3f..a1879ed2 100644
> --- a/recipes-containers/docker/docker-moby_git.bb
> +++ b/recipes-containers/docker/docker-moby_git.bb
> @@ -56,6 +56,7 @@ SRC_URI = "\
> file://0001-libnetwork-use-GO-instead-of-go.patch \
> file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
> file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
> + file://CVE-2024-36620.patch;patchdir=src/import \
> "
>
> DOCKER_COMMIT = "${SRCREV_moby}"
> diff --git a/recipes-containers/docker/files/CVE-2024-36620.patch b/recipes-containers/docker/files/CVE-2024-36620.patch
> new file mode 100644
> index 00000000..7bce4137
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2024-36620.patch
> @@ -0,0 +1,40 @@
> +From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001
> +From: Christopher Petito <47751006+krissetto@users.noreply.github.com>
> +Date: Fri, 19 Apr 2024 10:44:30 +0000
> +Subject: [PATCH] nil dereference fix on image history Created value
> +
> +Issue was caused by the changes here https://github.com/moby/moby/pull/45504
> +First released in v25.0.0-beta.1
> +
> +CVE: CVE-2024-36620
> +
> +Upstream-Status:
> +Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4]
> +
> +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> +---
> + daemon/images/image_history.go | 6 +++++-
> + 1 file changed, 5 insertions(+), 1 deletion(-)
> +
> +diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go
> +index dcf7a906aa..e5adda8639 100644
> +--- a/daemon/images/image_history.go
> ++++ b/daemon/images/image_history.go
> +@@ -41,10 +41,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image.
> + layer.ReleaseAndLog(i.layerStore, l)
> + layerCounter++
> + }
> ++ var created int64
> ++ if h.Created != nil {
> ++ created = h.Created.Unix()
> ++ }
> +
> + history = append([]*image.HistoryResponseItem{{
> + ID: "<missing>",
> +- Created: h.Created.Unix(),
> ++ Created: created,
> + CreatedBy: h.CreatedBy,
> + Comment: h.Comment,
> + Size: layerSize,
> +--
> +2.40.0
> --
> 2.40.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9174): https://lists.yoctoproject.org/g/meta-virtualization/message/9174
> Mute This Topic: https://lists.yoctoproject.org/mt/111924192/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
* Re: [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621
2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 Praveen Kumar
@ 2025-04-02 2:22 ` Bruce Ashfield
2025-04-02 13:59 ` Martin Jansa
1 sibling, 0 replies; 9+ messages in thread
From: Bruce Ashfield @ 2025-04-02 2:22 UTC (permalink / raw)
To: praveen.kumar; +Cc: meta-virtualization
merged.
Bruce
In message: [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621
on 26/03/2025 Praveen Kumar via lists.yoctoproject.org wrote:
> moby v25.0.5 is affected by a Race Condition in
> builder/builder-next/adapters/snapshot/layer.go. The vulnerability could
> be used to trigger concurrent builds that call the EnsureLayer function
> resulting in resource leaks/exhaustion.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2024-36621
>
> Upstream-patch:
> https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e
>
> Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> ---
> recipes-containers/docker/docker-moby_git.bb | 1 +
> .../docker/files/CVE-2024-36621.patch | 83 +++++++++++++++++++
> 2 files changed, 84 insertions(+)
> create mode 100644 recipes-containers/docker/files/CVE-2024-36621.patch
>
> diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
> index a1879ed2..d274b002 100644
> --- a/recipes-containers/docker/docker-moby_git.bb
> +++ b/recipes-containers/docker/docker-moby_git.bb
> @@ -57,6 +57,7 @@ SRC_URI = "\
> file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
> file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
> file://CVE-2024-36620.patch;patchdir=src/import \
> + file://CVE-2024-36621.patch;patchdir=src/import \
> "
>
> DOCKER_COMMIT = "${SRCREV_moby}"
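Review bot: The context line `file://CVE-2024-36620.patch;patchdir=src/import \` above the added entry is the line introduced by PATCH 1/3, so this hunk only applies on top of 1/3; that is fine for a series, but it should be noted for anyone cherry-picking the CVE-2024-36621 fix alone, since the hunk will fail to apply without 1/3 and would need the context trimmed.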
> diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch
> new file mode 100644
> index 00000000..a6c06ef2
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2024-36621.patch
> @@ -0,0 +1,83 @@
> +From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
> +From: Tonis Tiigi <tonistiigi@gmail.com>
> +Date: Wed, 6 Mar 2024 23:11:32 -0800
> +Subject: [PATCH] builder-next: fix missing lock in ensurelayer
> +
> +When this was called concurrently from the moby image
> +exporter there could be a data race where a layer was
> +written to the refs map when it was already there.
> +
> +In that case the reference count got mixed up and on
> +release only one of these layers was actually released.
> +
> +CVE: CVE-2024-36621
> +
> +Upstream-Status:
> +Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]
> +
> +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> +---
> + .../builder-next/adapters/snapshot/layer.go | 3 +++
> + .../adapters/snapshot/snapshot.go | 19 +++++++++++--------
> + 2 files changed, 14 insertions(+), 8 deletions(-)
> +
> +diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
> +index 73120ea70b..fc83058339 100644
> +--- a/builder/builder-next/adapters/snapshot/layer.go
> ++++ b/builder/builder-next/adapters/snapshot/layer.go
> +@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
> + }
> +
> + func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
> ++ s.layerCreateLocker.Lock(key)
> ++ defer s.layerCreateLocker.Unlock(key)
> ++
> + diffIDs, err := s.GetDiffIDs(ctx, key)
> + if err != nil {
> + return nil, err
> +diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
> +index a0d28ad984..510ffefb49 100644
> +--- a/builder/builder-next/adapters/snapshot/snapshot.go
> ++++ b/builder/builder-next/adapters/snapshot/snapshot.go
> +@@ -17,6 +17,7 @@ import (
> + "github.com/moby/buildkit/identity"
> + "github.com/moby/buildkit/snapshot"
> + "github.com/moby/buildkit/util/leaseutil"
> ++ "github.com/moby/locker"
> + "github.com/opencontainers/go-digest"
> + "github.com/pkg/errors"
> + bolt "go.etcd.io/bbolt"
> +@@ -51,10 +52,11 @@ type checksumCalculator interface {
> + type snapshotter struct {
> + opt Opt
> +
> +- refs map[string]layer.Layer
> +- db *bolt.DB
> +- mu sync.Mutex
> +- reg graphIDRegistrar
> ++ refs map[string]layer.Layer
> ++ db *bolt.DB
> ++ mu sync.Mutex
> ++ reg graphIDRegistrar
> ++ layerCreateLocker *locker.Locker
> + }
> +
> + // NewSnapshotter creates a new snapshotter
> +@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
> + }
> +
> + s := &snapshotter{
> +- opt: opt,
> +- db: db,
> +- refs: map[string]layer.Layer{},
> +- reg: reg,
> ++ opt: opt,
> ++ db: db,
> ++ refs: map[string]layer.Layer{},
> ++ reg: reg,
> ++ layerCreateLocker: locker.New(),
> + }
> +
> + slm := newLeaseManager(s, prevLM)
> +--
> +2.40.0
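Review bot: Same `+Upstream-Status:` line-break problem as in 1/3: `+Backport [...]` must sit on the same line as the tag or the status check will not parse it. On the fix: `+ "github.com/moby/locker"` is added to snapshot.go, but the diffstat lists only layer.go and snapshot.go with no vendor/ or go.mod change, so please confirm that github.com/moby/locker is already vendored at the scarthgap `SRCREV_moby`; otherwise the Go compile step fails. The locking is correct as backported: `s.layerCreateLocker.Lock(key)` is taken in EnsureLayer before `GetDiffIDs`, so the lookup-then-create for a given key is serialised per key (the existing `mu sync.Mutex` is a single struct-wide mutex and cannot express that), and `defer s.layerCreateLocker.Unlock(key)` also covers the early `return nil, err` path. The remaining struct and literal lines only change because gofmt realigns the fields once `layerCreateLocker` is added.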
> --
> 2.40.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9175): https://lists.yoctoproject.org/g/meta-virtualization/message/9175
> Mute This Topic: https://lists.yoctoproject.org/mt/111924195/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
* Re: [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621
2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 Praveen Kumar
2025-04-02 2:22 ` Bruce Ashfield
@ 2025-04-02 13:59 ` Martin Jansa
1 sibling, 0 replies; 9+ messages in thread
From: Martin Jansa @ 2025-04-02 13:59 UTC (permalink / raw)
To: praveen.kumar; +Cc: meta-virtualization
Please don't add a break after Upstream-Status; it's not parsed correctly. Fix sent in:
https://lists.yoctoproject.org/g/meta-virtualization/message/9191
On Wed, Mar 26, 2025 at 8:50 PM Praveen Kumar via lists.yoctoproject.org <praveen.kumar=windriver.com@lists.yoctoproject.org> wrote:
>
> moby v25.0.5 is affected by a Race Condition in
> builder/builder-next/adapters/snapshot/layer.go. The vulnerability could
> be used to trigger concurrent builds that call the EnsureLayer function
> resulting in resource leaks/exhaustion.
>
> Reference:
> https://nvd.nist.gov/vuln/detail/CVE-2024-36621
>
> Upstream-patch:
> https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e
>
> Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> ---
> recipes-containers/docker/docker-moby_git.bb | 1 +
> .../docker/files/CVE-2024-36621.patch | 83 +++++++++++++++++++
> 2 files changed, 84 insertions(+)
> create mode 100644 recipes-containers/docker/files/CVE-2024-36621.patch
>
> diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
> index a1879ed2..d274b002 100644
> --- a/recipes-containers/docker/docker-moby_git.bb
> +++ b/recipes-containers/docker/docker-moby_git.bb
> @@ -57,6 +57,7 @@ SRC_URI = "\
> file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
> file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
> file://CVE-2024-36620.patch;patchdir=src/import \
> + file://CVE-2024-36621.patch;patchdir=src/import \
> "
>
> DOCKER_COMMIT = "${SRCREV_moby}"
> diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch
> new file mode 100644
> index 00000000..a6c06ef2
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2024-36621.patch
> @@ -0,0 +1,83 @@
> +From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
> +From: Tonis Tiigi <tonistiigi@gmail.com>
> +Date: Wed, 6 Mar 2024 23:11:32 -0800
> +Subject: [PATCH] builder-next: fix missing lock in ensurelayer
> +
> +When this was called concurrently from the moby image
> +exporter there could be a data race where a layer was
> +written to the refs map when it was already there.
> +
> +In that case the reference count got mixed up and on
> +release only one of these layers was actually released.
> +
> +CVE: CVE-2024-36621
> +
> +Upstream-Status:
> +Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]
> +
> +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
> +---
> + .../builder-next/adapters/snapshot/layer.go | 3 +++
> + .../adapters/snapshot/snapshot.go | 19 +++++++++++--------
> + 2 files changed, 14 insertions(+), 8 deletions(-)
> +
> +diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
> +index 73120ea70b..fc83058339 100644
> +--- a/builder/builder-next/adapters/snapshot/layer.go
> ++++ b/builder/builder-next/adapters/snapshot/layer.go
> +@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
> + }
> +
> + func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
> ++ s.layerCreateLocker.Lock(key)
> ++ defer s.layerCreateLocker.Unlock(key)
> ++
> + diffIDs, err := s.GetDiffIDs(ctx, key)
> + if err != nil {
> + return nil, err
> +diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
> +index a0d28ad984..510ffefb49 100644
> +--- a/builder/builder-next/adapters/snapshot/snapshot.go
> ++++ b/builder/builder-next/adapters/snapshot/snapshot.go
> +@@ -17,6 +17,7 @@ import (
> + "github.com/moby/buildkit/identity"
> + "github.com/moby/buildkit/snapshot"
> + "github.com/moby/buildkit/util/leaseutil"
> ++ "github.com/moby/locker"
> + "github.com/opencontainers/go-digest"
> + "github.com/pkg/errors"
> + bolt "go.etcd.io/bbolt"
> +@@ -51,10 +52,11 @@ type checksumCalculator interface {
> + type snapshotter struct {
> + opt Opt
> +
> +- refs map[string]layer.Layer
> +- db *bolt.DB
> +- mu sync.Mutex
> +- reg graphIDRegistrar
> ++ refs map[string]layer.Layer
> ++ db *bolt.DB
> ++ mu sync.Mutex
> ++ reg graphIDRegistrar
> ++ layerCreateLocker *locker.Locker
> + }
> +
> + // NewSnapshotter creates a new snapshotter
> +@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
> + }
> +
> + s := &snapshotter{
> +- opt: opt,
> +- db: db,
> +- refs: map[string]layer.Layer{},
> +- reg: reg,
> ++ opt: opt,
> ++ db: db,
> ++ refs: map[string]layer.Layer{},
> ++ reg: reg,
> ++ layerCreateLocker: locker.New(),
> + }
> +
> + slm := newLeaseManager(s, prevLM)
> +--
> +2.40.0
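Review bot: One more check on the `EnsureLayer` hunk: the per-key lock is held across the call to `s.GetDiffIDs(ctx, key)`, which is a method on the same snapshotter, and github.com/moby/locker locks are plain per-key mutexes, not reentrant; so please verify that `GetDiffIDs` in the scarthgap revision does not itself call `EnsureLayer` or take `layerCreateLocker` for the same key, since that would deadlock rather than race. The commit message's symptom (a layer written to the refs map twice, so only one release happens) is exactly what a keyed lock around the whole check-and-create prevents, which is why a keyed locker was chosen over widening `mu`.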
> --
> 2.40.0
>
>
>
* Re: [scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5
2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5 Praveen Kumar
2025-03-26 20:05 ` Bruce Ashfield
@ 2025-08-20 6:08 ` Hitendra Prajapati
2025-08-20 13:03 ` [meta-virtualization] " Bruce Ashfield
1 sibling, 1 reply; 9+ messages in thread
From: Hitendra Prajapati @ 2025-08-20 6:08 UTC (permalink / raw)
To: meta-virtualization
Hi Team,
Is there any issue with this patch for upgrading buildah: upgrade 1.34.3 -> 1.35.5?
Why is it not merged into the repo yet? It's been 5-6 months since the patch was submitted.
Regards,
Hitendra
* Re: [meta-virtualization] [scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5
2025-08-20 6:08 ` [scarthgap][PATCH " Hitendra Prajapati
@ 2025-08-20 13:03 ` Bruce Ashfield
0 siblings, 0 replies; 9+ messages in thread
From: Bruce Ashfield @ 2025-08-20 13:03 UTC (permalink / raw)
To: hprajapati; +Cc: meta-virtualization
On Wed, Aug 20, 2025 at 2:08 AM Hitendra Prajapati via lists.yoctoproject.org <hprajapati=mvista.com@lists.yoctoproject.org> wrote:
> Hi Team,
> Is there any issue with this patch for upgrading buildah: upgrade
> 1.34.3 -> 1.35.5?
>
> Why is it not merged into the repo yet? It's been 5-6 months since the patch
> was submitted.
>
Did you read my reply to the original email? I won't repeat it here.
Bruce
>
> Regards,
> Hitendra
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9350):
> https://lists.yoctoproject.org/g/meta-virtualization/message/9350
> Mute This Topic: https://lists.yoctoproject.org/mt/111924201/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [
> bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>
--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee
at its end
- "Use the force Harry" - Gandalf, Star Trek II
Thread overview: 9+ messages
2025-03-26 19:50 [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Praveen Kumar
2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 Praveen Kumar
2025-04-02 2:22 ` Bruce Ashfield
2025-04-02 13:59 ` Martin Jansa
2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5 Praveen Kumar
2025-03-26 20:05 ` Bruce Ashfield
2025-08-20 6:08 ` [scarthgap][PATCH " Hitendra Prajapati
2025-08-20 13:03 ` [meta-virtualization] " Bruce Ashfield
2025-04-02 2:21 ` [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Bruce Ashfield