* [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620
@ 2025-03-26 19:50 Praveen Kumar
From: Praveen Kumar @ 2025-03-26 19:50 UTC (permalink / raw)
To: meta-virtualization; +Cc: Praveen Kumar
moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference
via daemon/images/image_history.go.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-36620
Upstream-patch:
https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
---
recipes-containers/docker/docker-moby_git.bb | 1 +
.../docker/files/CVE-2024-36620.patch | 40 +++++++++++++++++++
2 files changed, 41 insertions(+)
create mode 100644 recipes-containers/docker/files/CVE-2024-36620.patch
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index 0abb0b3f..a1879ed2 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -56,6 +56,7 @@ SRC_URI = "\
file://0001-libnetwork-use-GO-instead-of-go.patch \
file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
+ file://CVE-2024-36620.patch;patchdir=src/import \
"
DOCKER_COMMIT = "${SRCREV_moby}"
diff --git a/recipes-containers/docker/files/CVE-2024-36620.patch b/recipes-containers/docker/files/CVE-2024-36620.patch
new file mode 100644
index 00000000..7bce4137
--- /dev/null
+++ b/recipes-containers/docker/files/CVE-2024-36620.patch
@@ -0,0 +1,40 @@
+From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001
+From: Christopher Petito <47751006+krissetto@users.noreply.github.com>
+Date: Fri, 19 Apr 2024 10:44:30 +0000
+Subject: [PATCH] nil dereference fix on image history Created value
+
+Issue was caused by the changes here https://github.com/moby/moby/pull/45504
+First released in v25.0.0-beta.1
+
+CVE: CVE-2024-36620
+
+Upstream-Status:
+Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4]
+
+Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
+---
+ daemon/images/image_history.go | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go
+index dcf7a906aa..e5adda8639 100644
+--- a/daemon/images/image_history.go
++++ b/daemon/images/image_history.go
+@@ -41,10 +41,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image.
+ layer.ReleaseAndLog(i.layerStore, l)
+ layerCounter++
+ }
++ var created int64
++ if h.Created != nil {
++ created = h.Created.Unix()
++ }
+
+ history = append([]*image.HistoryResponseItem{{
+ ID: "<missing>",
+- Created: h.Created.Unix(),
++ Created: created,
+ CreatedBy: h.CreatedBy,
+ Comment: h.Comment,
+ Size: layerSize,
+--
+2.40.0
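Review bot: the `+Upstream-Status:` / `+Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4]` tag in the new patch file is split over two lines; the Yocto patch-header checks want the tag and its value on a single line, `Upstream-Status: Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4]`, which is the same point Martin Jansa raises against patch 2/3 later in this thread. The code change itself matches the upstream commit: when `h.Created` is nil, `created` keeps its zero value (Unix epoch 0) instead of the daemon dereferencing a nil pointer in `h.Created.Unix()`; that is the upstream behaviour and fine for a backport.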
--
2.40.0
^ permalink raw reply related [flat|nested] 9+ messages in thread* [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 2025-03-26 19:50 [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Praveen Kumar @ 2025-03-26 19:50 ` Praveen Kumar 2025-04-02 2:22 ` Bruce Ashfield 2025-04-02 13:59 ` Martin Jansa 2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5 Praveen Kumar 2025-04-02 2:21 ` [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Bruce Ashfield 2 siblings, 2 replies; 9+ messages in thread From: Praveen Kumar @ 2025-03-26 19:50 UTC (permalink / raw) To: meta-virtualization; +Cc: Praveen Kumar moby v25.0.5 is affected by a Race Condition in builder/builder-next/adapters/snapshot/layer.go. The vulnerability could be used to trigger concurrent builds that call the EnsureLayer function resulting in resource leaks/exhaustion. Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-36621 Upstream-patch: https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> --- recipes-containers/docker/docker-moby_git.bb | 1 + .../docker/files/CVE-2024-36621.patch | 83 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 recipes-containers/docker/files/CVE-2024-36621.patch diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb index a1879ed2..d274b002 100644 --- a/recipes-containers/docker/docker-moby_git.bb +++ b/recipes-containers/docker/docker-moby_git.bb @@ -57,6 +57,7 @@ SRC_URI = "\ file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \ file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ file://CVE-2024-36620.patch;patchdir=src/import \ + file://CVE-2024-36621.patch;patchdir=src/import \ " DOCKER_COMMIT = "${SRCREV_moby}" 
diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch new file mode 100644 index 00000000..a6c06ef2 --- /dev/null +++ b/recipes-containers/docker/files/CVE-2024-36621.patch 
@@ -0,0 +1,83 @@ +From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001 +From: Tonis Tiigi <tonistiigi@gmail.com> +Date: Wed, 6 Mar 2024 23:11:32 -0800 +Subject: [PATCH] builder-next: fix missing lock in ensurelayer + +When this was called concurrently from the moby image +exporter there could be a data race where a layer was +written to the refs map when it was already there. + +In that case the reference count got mixed up and on +release only one of these layers was actually released. + +CVE: CVE-2024-36621 + +Upstream-Status: +Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e] + +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> +--- + .../builder-next/adapters/snapshot/layer.go | 3 +++ + .../adapters/snapshot/snapshot.go | 19 +++++++++++-------- + 2 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go +index 73120ea70b..fc83058339 100644 +--- a/builder/builder-next/adapters/snapshot/layer.go ++++ b/builder/builder-next/adapters/snapshot/layer.go +@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI + } + + func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) { ++ s.layerCreateLocker.Lock(key) ++ defer s.layerCreateLocker.Unlock(key) ++ + diffIDs, err := s.GetDiffIDs(ctx, key) + if err != nil { + return nil, err +diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go +index a0d28ad984..510ffefb49 100644 +--- a/builder/builder-next/adapters/snapshot/snapshot.go ++++ b/builder/builder-next/adapters/snapshot/snapshot.go +@@ -17,6 +17,7 @@ import ( + "github.com/moby/buildkit/identity" + "github.com/moby/buildkit/snapshot" + "github.com/moby/buildkit/util/leaseutil" ++ "github.com/moby/locker" + "github.com/opencontainers/go-digest" + 
"github.com/pkg/errors" + bolt "go.etcd.io/bbolt" +@@ -51,10 +52,11 @@ type checksumCalculator interface { + type snapshotter struct { + opt Opt + +- refs map[string]layer.Layer +- db *bolt.DB +- mu sync.Mutex +- reg graphIDRegistrar ++ refs map[string]layer.Layer ++ db *bolt.DB ++ mu sync.Mutex ++ reg graphIDRegistrar ++ layerCreateLocker *locker.Locker + } + + // NewSnapshotter creates a new snapshotter +@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho + } + + s := &snapshotter{ +- opt: opt, +- db: db, +- refs: map[string]layer.Layer{}, +- reg: reg, ++ opt: opt, ++ db: db, ++ refs: map[string]layer.Layer{}, ++ reg: reg, ++ layerCreateLocker: locker.New(), + } + + slm := newLeaseManager(s, prevLM) +-- +2.40.0 -- 2.40.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
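Review bot: same header problem as patch 1/3: `+Upstream-Status:` and `+Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]` need to be one line so the tag is parsed (Martin Jansa's follow-up in this thread points at the fix). On the content: the snapshot.go hunk adds `"github.com/moby/locker"` to the imports but nothing under vendor/ is touched, so please confirm that module is already vendored in the scarthgap moby source the patch is applied to (`patchdir=src/import`); otherwise the build fails on an unresolved import. The per-key `s.layerCreateLocker.Lock(key)` / `defer s.layerCreateLocker.Unlock(key)` pair at the top of EnsureLayer is what serializes concurrent calls for the same key and prevents the duplicate write into `refs` (and the resulting reference-count mismatch on release) that the commit message describes; the locker is created in NewSnapshotter with `locker.New()`, so no nil-locker path is left.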
* Re: [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 Praveen Kumar @ 2025-04-02 2:22 ` Bruce Ashfield 2025-04-02 13:59 ` Martin Jansa 1 sibling, 0 replies; 9+ messages in thread From: Bruce Ashfield @ 2025-04-02 2:22 UTC (permalink / raw) To: praveen.kumar; +Cc: meta-virtualization merged. Bruce In message: [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 on 26/03/2025 Praveen Kumar via lists.yoctoproject.org wrote: > moby v25.0.5 is affected by a Race Condition in > builder/builder-next/adapters/snapshot/layer.go. The vulnerability could > be used to trigger concurrent builds that call the EnsureLayer function > resulting in resource leaks/exhaustion. > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2024-36621 > > Upstream-patch: > https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e > > Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > --- > recipes-containers/docker/docker-moby_git.bb | 1 + > .../docker/files/CVE-2024-36621.patch | 83 +++++++++++++++++++ > 2 files changed, 84 insertions(+) > create mode 100644 recipes-containers/docker/files/CVE-2024-36621.patch > > diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb > index a1879ed2..d274b002 100644 > --- a/recipes-containers/docker/docker-moby_git.bb > +++ b/recipes-containers/docker/docker-moby_git.bb > @@ -57,6 +57,7 @@ SRC_URI = "\ > file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \ > file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ > file://CVE-2024-36620.patch;patchdir=src/import \ > + file://CVE-2024-36621.patch;patchdir=src/import \ > " > > DOCKER_COMMIT = "${SRCREV_moby}" 
> diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch > new file mode 100644 > index 00000000..a6c06ef2 > --- /dev/null > +++ b/recipes-containers/docker/files/CVE-2024-36621.patch 
> @@ -0,0 +1,83 @@ > +From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001 > +From: Tonis Tiigi <tonistiigi@gmail.com> > +Date: Wed, 6 Mar 2024 23:11:32 -0800 > +Subject: [PATCH] builder-next: fix missing lock in ensurelayer > + > +When this was called concurrently from the moby image > +exporter there could be a data race where a layer was > +written to the refs map when it was already there. > + > +In that case the reference count got mixed up and on > +release only one of these layers was actually released. > + > +CVE: CVE-2024-36621 > + > +Upstream-Status: > +Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e] > + > +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > +--- > + .../builder-next/adapters/snapshot/layer.go | 3 +++ > + .../adapters/snapshot/snapshot.go | 19 +++++++++++-------- > + 2 files changed, 14 insertions(+), 8 deletions(-) > + > +diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go > +index 73120ea70b..fc83058339 100644 > +--- a/builder/builder-next/adapters/snapshot/layer.go > ++++ b/builder/builder-next/adapters/snapshot/layer.go > +@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI > + } > + > + func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) { > ++ s.layerCreateLocker.Lock(key) > ++ defer s.layerCreateLocker.Unlock(key) > ++ > + diffIDs, err := s.GetDiffIDs(ctx, key) > + if err != nil { > + return nil, err > +diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go > +index a0d28ad984..510ffefb49 100644 > +--- a/builder/builder-next/adapters/snapshot/snapshot.go > ++++ b/builder/builder-next/adapters/snapshot/snapshot.go > +@@ -17,6 +17,7 @@ import ( > + "github.com/moby/buildkit/identity" > + "github.com/moby/buildkit/snapshot" > + 
"github.com/moby/buildkit/util/leaseutil" > ++ "github.com/moby/locker" > + "github.com/opencontainers/go-digest" > + "github.com/pkg/errors" > + bolt "go.etcd.io/bbolt" > +@@ -51,10 +52,11 @@ type checksumCalculator interface { > + type snapshotter struct { > + opt Opt > + > +- refs map[string]layer.Layer > +- db *bolt.DB > +- mu sync.Mutex > +- reg graphIDRegistrar > ++ refs map[string]layer.Layer > ++ db *bolt.DB > ++ mu sync.Mutex > ++ reg graphIDRegistrar > ++ layerCreateLocker *locker.Locker > + } > + > + // NewSnapshotter creates a new snapshotter > +@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho > + } > + > + s := &snapshotter{ > +- opt: opt, > +- db: db, > +- refs: map[string]layer.Layer{}, > +- reg: reg, > ++ opt: opt, > ++ db: db, > ++ refs: map[string]layer.Layer{}, > ++ reg: reg, > ++ layerCreateLocker: locker.New(), > + } > + > + slm := newLeaseManager(s, prevLM) > +-- > +2.40.0 > -- > 2.40.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#9175): https://lists.yoctoproject.org/g/meta-virtualization/message/9175 > Mute This Topic: https://lists.yoctoproject.org/mt/111924195/1050810 > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 Praveen Kumar 2025-04-02 2:22 ` Bruce Ashfield @ 2025-04-02 13:59 ` Martin Jansa 1 sibling, 0 replies; 9+ messages in thread From: Martin Jansa @ 2025-04-02 13:59 UTC (permalink / raw) To: praveen.kumar; +Cc: meta-virtualization Please don't add a break after Upstream-Status, it's not parsed correctly, fix sent in: https://lists.yoctoproject.org/g/meta-virtualization/message/9191 On Wed, Mar 26, 2025 at 8:50 PM Praveen Kumar via lists.yoctoproject.org <praveen.kumar=windriver.com@lists.yoctoproject.org> wrote: > > moby v25.0.5 is affected by a Race Condition in > builder/builder-next/adapters/snapshot/layer.go. The vulnerability could > be used to trigger concurrent builds that call the EnsureLayer function > resulting in resource leaks/exhaustion. > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2024-36621 > > Upstream-patch: > https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e > > Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > --- > recipes-containers/docker/docker-moby_git.bb | 1 + > .../docker/files/CVE-2024-36621.patch | 83 +++++++++++++++++++ > 2 files changed, 84 insertions(+) > create mode 100644 recipes-containers/docker/files/CVE-2024-36621.patch > > diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb > index a1879ed2..d274b002 100644 > --- a/recipes-containers/docker/docker-moby_git.bb > +++ b/recipes-containers/docker/docker-moby_git.bb > @@ -57,6 +57,7 @@ SRC_URI = "\ > file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \ > file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ > file://CVE-2024-36620.patch;patchdir=src/import \ > + file://CVE-2024-36621.patch;patchdir=src/import \ > " > > DOCKER_COMMIT = "${SRCREV_moby}" 
> diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch > new file mode 100644 > index 00000000..a6c06ef2 > --- /dev/null > +++ b/recipes-containers/docker/files/CVE-2024-36621.patch 
> @@ -0,0 +1,83 @@ > +From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001 > +From: Tonis Tiigi <tonistiigi@gmail.com> > +Date: Wed, 6 Mar 2024 23:11:32 -0800 > +Subject: [PATCH] builder-next: fix missing lock in ensurelayer > + > +When this was called concurrently from the moby image > +exporter there could be a data race where a layer was > +written to the refs map when it was already there. > + > +In that case the reference count got mixed up and on > +release only one of these layers was actually released. > + > +CVE: CVE-2024-36621 > + > +Upstream-Status: > +Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e] > + > +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > +--- > + .../builder-next/adapters/snapshot/layer.go | 3 +++ > + .../adapters/snapshot/snapshot.go | 19 +++++++++++-------- > + 2 files changed, 14 insertions(+), 8 deletions(-) > + > +diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go > +index 73120ea70b..fc83058339 100644 > +--- a/builder/builder-next/adapters/snapshot/layer.go > ++++ b/builder/builder-next/adapters/snapshot/layer.go > +@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI > + } > + > + func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) { > ++ s.layerCreateLocker.Lock(key) > ++ defer s.layerCreateLocker.Unlock(key) > ++ > + diffIDs, err := s.GetDiffIDs(ctx, key) > + if err != nil { > + return nil, err > +diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go > +index a0d28ad984..510ffefb49 100644 > +--- a/builder/builder-next/adapters/snapshot/snapshot.go > ++++ b/builder/builder-next/adapters/snapshot/snapshot.go > +@@ -17,6 +17,7 @@ import ( > + "github.com/moby/buildkit/identity" > + "github.com/moby/buildkit/snapshot" > + 
"github.com/moby/buildkit/util/leaseutil" > ++ "github.com/moby/locker" > + "github.com/opencontainers/go-digest" > + "github.com/pkg/errors" > + bolt "go.etcd.io/bbolt" > +@@ -51,10 +52,11 @@ type checksumCalculator interface { > + type snapshotter struct { > + opt Opt > + > +- refs map[string]layer.Layer > +- db *bolt.DB > +- mu sync.Mutex > +- reg graphIDRegistrar > ++ refs map[string]layer.Layer > ++ db *bolt.DB > ++ mu sync.Mutex > ++ reg graphIDRegistrar > ++ layerCreateLocker *locker.Locker > + } > + > + // NewSnapshotter creates a new snapshotter > +@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho > + } > + > + s := &snapshotter{ > +- opt: opt, > +- db: db, > +- refs: map[string]layer.Layer{}, > +- reg: reg, > ++ opt: opt, > ++ db: db, > ++ refs: map[string]layer.Layer{}, > ++ reg: reg, > ++ layerCreateLocker: locker.New(), > + } > + > + slm := newLeaseManager(s, prevLM) > +-- > +2.40.0 > -- > 2.40.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#9175): https://lists.yoctoproject.org/g/meta-virtualization/message/9175 > Mute This Topic: https://lists.yoctoproject.org/mt/111924195/3617156 > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [martin.jansa@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 9+ messages in thread
* [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5 2025-03-26 19:50 [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Praveen Kumar 2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 Praveen Kumar @ 2025-03-26 19:50 ` Praveen Kumar 2025-03-26 20:05 ` Bruce Ashfield 2025-08-20 6:08 ` [scarthgap][PATCH " Hitendra Prajapati 2025-04-02 2:21 ` [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Bruce Ashfield 2 siblings, 2 replies; 9+ messages in thread From: Praveen Kumar @ 2025-03-26 19:50 UTC (permalink / raw) To: meta-virtualization; +Cc: Praveen Kumar This upgrade fixes: CVE-2024-11218 CVE-2024-3727 Changelog: ========== https://github.com/containers/buildah/releases?q=1.35.5 Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> --- ...SecureJoin-when-forming-userns-paths.patch | 155 +++++++++--------- recipes-containers/buildah/buildah_git.bb | 8 +- 2 files changed, 84 insertions(+), 79 deletions(-) diff --git a/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch b/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch index 73040e82..25f15715 100644 --- a/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch +++ b/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch @@ -23,16 +23,17 @@ CVE: CVE-2024-9676 Upstream-Status: Backport [854570c44c219c2b92b03b36b7a2069a32e2c08a] 
Signed-off-by: Chen Qi <Qi.Chen@windriver.com> +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> --- - userns.go | 92 ++++++++++++++++++++++++++++++------------- - userns_unsupported.go | 14 +++++++ - 2 files changed, 79 insertions(+), 27 deletions(-) - create mode 100644 userns_unsupported.go + .../github.com/containers/storage/userns.go | 97 +++++++++++++------ + .../containers/storage/userns_unsupported.go | 14 +++ + 2 files changed, 83 insertions(+), 28 deletions(-) + create mode 100644 vendor/github.com/containers/storage/userns_unsupported.go -diff --git a/userns.go b/userns.go -index 32ae830be..2c855da7c 100644 ---- a/userns.go -+++ b/userns.go +diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/github.com/containers/storage/userns.go +index 57120731b..086f8336b 100644 +--- a/vendor/github.com/containers/storage/userns.go ++++ b/vendor/github.com/containers/storage/userns.go @@ -1,18 +1,21 @@ +//go:build linux + 
@@ -50,36 +51,37 @@ index 32ae830be..2c855da7c 100644 "github.com/containers/storage/pkg/unshare" "github.com/containers/storage/types" + securejoin "github.com/cyphar/filepath-securejoin" - libcontainerUser "github.com/opencontainers/runc/libcontainer/user" + libcontainerUser "github.com/moby/sys/user" "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" ) // getAdditionalSubIDs looks up the additional IDs configured for -@@ -85,40 +88,59 @@ const nobodyUser = 65534 +@@ -85,40 +88,62 @@ const nobodyUser = 65534 // parseMountedFiles returns the maximum UID and GID found in the /etc/passwd and // /etc/group files. func parseMountedFiles(containerMount, passwdFile, groupFile string) uint32 { -+ var ( -+ passwd *os.File -+ group *os.File -+ size int -+ err error -+ ) ++ var ( ++ passwd *os.File ++ group *os.File ++ size int ++ err error ++ ) if passwdFile == "" { - passwdFile = filepath.Join(containerMount, "etc/passwd") - } - if groupFile == "" { - groupFile = filepath.Join(groupFile, "etc/group") -+ passwd, err = secureOpen(containerMount, "/etc/passwd") -+ } else { -+ // User-specified override from a volume. Will not be in -+ // container root. -+ passwd, err = os.Open(passwdFile) - } +- } - - size := 0 -- ++ passwd, err = secureOpen(containerMount, "/etc/passwd") ++ } else { ++ // User-specified override from a volume. Will not be in ++ // container root. ++ passwd, err = os.Open(passwdFile) ++ } + - users, err := libcontainerUser.ParsePasswdFile(passwdFile) if err == nil { - for _, u := range users { 
@@ -93,34 +95,36 @@ index 32ae830be..2c855da7c 100644 - } - if u.Gid > size && u.Gid != nobodyUser { - size = u.Gid -+ defer passwd.Close() + -+ users, err := libcontainerUser.ParsePasswd(passwd) -+ if err == nil { -+ for _, u := range users { -+ // Skip the "nobody" user otherwise we end up with 65536 -+ // ids with most images -+ if u.Name == "nobody" || u.Name == "nogroup" { -+ continue -+ } -+ if u.Uid > size && u.Uid != nobodyUser { -+ size = u.Uid + 1 -+ } -+ if u.Gid > size && u.Gid != nobodyUser { -+ size = u.Gid + 1 -+ } ++ defer passwd.Close() ++ ++ users, err := libcontainerUser.ParsePasswd(passwd) ++ if err == nil { ++ for _, u := range users { ++ // Skip the "nobody" user otherwise we end up with 65536 ++ // ids with most images ++ if u.Name == "nobody" || u.Name == "nogroup" { ++ continue ++ } ++ if u.Uid > size && u.Uid != nobodyUser { ++ size = u.Uid + 1 ++ } ++ if u.Gid > size && u.Gid != nobodyUser { ++ size = u.Gid + 1 ++ } ++ } } } - +- - groups, err := libcontainerUser.ParseGroupFile(groupFile) -+ if groupFile == "" { -+ group, err = secureOpen(containerMount, "/etc/group") -+ } else { -+ // User-specified override from a volume. Will not be in -+ // container root. -+ group, err = os.Open(groupFile) -+ } ++ if groupFile == "" { ++ group, err = secureOpen(containerMount, "/etc/group") ++ } else { ++ // User-specified override from a volume. Will not be in ++ // container root. ++ group, err = os.Open(groupFile) ++ } if err == nil { - for _, g := range groups { - if g.Name == "nobody" { 
@@ -128,60 +132,61 @@ index 32ae830be..2c855da7c 100644 - } - if g.Gid > size && g.Gid != nobodyUser { - size = g.Gid -+ defer group.Close() ++ defer group.Close() ++ ++ groups, err := libcontainerUser.ParseGroup(group) ++ if err == nil { ++ for _, g := range groups { ++ if g.Name == "nobody" || g.Name == "nogroup" { ++ continue ++ } ++ if g.Gid > size && g.Gid != nobodyUser { ++ size = g.Gid + 1 ++ } + -+ groups, err := libcontainerUser.ParseGroup(group) -+ if err == nil { -+ for _, g := range groups { -+ if g.Name == "nobody" || g.Name == "nogroup" { -+ continue -+ } -+ if g.Gid > size && g.Gid != nobodyUser { -+ size = g.Gid + 1 -+ } } } } -@@ -309,3 +331,19 @@ func getAutoUserNSIDMappings( +@@ -309,3 +334,19 @@ func getAutoUserNSIDMappings( gidMap := append(availableGIDs.zip(requestedContainerGIDs), additionalGIDMappings...) return uidMap, gidMap, nil } + +// Securely open (read-only) a file in a container mount. +func secureOpen(containerMount, file string) (*os.File, error) { -+ filePath, err := securejoin.SecureJoin(containerMount, file) -+ if err != nil { -+ return nil, err -+ } ++ filePath, err := securejoin.SecureJoin(containerMount, file) ++ if err != nil { ++ return nil, err ++ } + -+ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY -+ fileHandle, err := os.OpenFile(filePath, flags, 0) -+ if err != nil { -+ return nil, err -+ } ++ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY ++ fileHandle, err := os.OpenFile(filePath, flags, 0) ++ if err != nil { ++ return nil, err ++ } + -+ return fileHandle, nil ++ return fileHandle, nil +} -diff --git a/userns_unsupported.go b/userns_unsupported.go +diff --git a/vendor/github.com/containers/storage/userns_unsupported.go b/vendor/github.com/containers/storage/userns_unsupported.go new file mode 100644 -index 000000000..e37c18fe4 +index 000000000..3905bd3ce --- /dev/null -+++ b/userns_unsupported.go ++++ b/vendor/github.com/containers/storage/userns_unsupported.go 
@@ -0,0 +1,14 @@ +//go:build !linux + +package storage + +import ( -+ "errors" ++ "errors" + -+ "github.com/containers/storage/pkg/idtools" -+ "github.com/containers/storage/types" ++ "github.com/containers/storage/pkg/idtools" ++ "github.com/containers/storage/types" +) + +func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) { -+ return nil, nil, errors.New("user namespaces are not supported on this platform") ++ return nil, nil, errors.New("user namespaces are not supported on this platform") +} -- -2.25.1 +2.40.0 diff --git a/recipes-containers/buildah/buildah_git.bb b/recipes-containers/buildah/buildah_git.bb index 288a1cb0..fd2503fe 100644 --- a/recipes-containers/buildah/buildah_git.bb +++ b/recipes-containers/buildah/buildah_git.bb @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://src/github.com/containers/buildah/LICENSE;md5=e3fc50a S = "${WORKDIR}/git" -BUILDAH_VERSION = "1.34.3" +BUILDAH_VERSION = "1.35.5" PV = "${BUILDAH_VERSION}" @@ -28,12 +28,12 @@ GO_WORKDIR = "${GO_INSTALL}" GOBUILDFLAGS += "-mod vendor" SRCREV_FORMAT = "buildah_storage" -SRCREV_buildah = "2db756331014a4f355507df47d2622d05532da1f" +SRCREV_buildah = "df0b92073ee9d34c1f86e03b4ffb17ec25e514e4" SRCREV_storage = "246ba3062e8b551026aef2708eee747014ce5c52" SRC_URI = " \ - git://github.com/containers/buildah;branch=release-1.34;name=buildah;protocol=https \ - file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/vendor/github.com/containers/storage \ + git://github.com/containers/buildah;branch=release-1.35;name=buildah;protocol=https \ + file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/github.com/containers/buildah/ \ " DEPENDS = "libdevmapper btrfs-tools gpgme" -- 2.40.0 ^ permalink raw reply related [flat|nested] 9+ messages in thread
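Review bot: this is a minor-version bump (`BUILDAH_VERSION` 1.34.3 to 1.35.5 and `branch=release-1.34` to `branch=release-1.35`) on a release branch; as Bruce Ashfield replies below, scarthgap only takes third-digit upgrades, so the CVE-2024-11218 and CVE-2024-3727 fixes would have to come as backported patches against 1.34.x instead. Two smaller points in the recipe hunk: the refreshed `patchdir=src/github.com/containers/buildah/` carries a trailing slash the other entries do not, and `SRCREV_storage` is left untouched while the refreshed 0001-Use-securejoin patch now targets buildah's vendored `vendor/github.com/containers/storage/userns.go` (index 57120731b..086f8336b instead of 32ae830be..2c855da7c), so the message should say whether the separately fetched storage tree (`SRCREV_FORMAT = "buildah_storage"`) still needs the CVE-2024-9676 fix. The commit message gives only a changelog URL; Bruce's reply also asks for the relevant changes to be described in the message itself, since links cannot be searched in git history.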
* Re: [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5 2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5 Praveen Kumar @ 2025-03-26 20:05 ` Bruce Ashfield 2025-08-20 6:08 ` [scarthgap][PATCH " Hitendra Prajapati 1 sibling, 0 replies; 9+ messages in thread From: Bruce Ashfield @ 2025-03-26 20:05 UTC (permalink / raw) To: praveen.kumar; +Cc: meta-virtualization [-- Attachment #1: Type: text/plain, Size: 13121 bytes --] On Wed, Mar 26, 2025 at 3:50 PM Praveen Kumar via lists.yoctoproject.org <praveen.kumar=windriver.com@lists.yoctoproject.org> wrote: > This upgrade fixes: > CVE-2024-11218 > CVE-2024-3727 > > Changelog: > ========== > https://github.com/containers/buildah/releases?q=1.35.5 Links to changelogs are not useful, they can't be searched when looking at the git history. That being said, this isn't an upgrade we can do in a released branch. Only 3rd digit upgrades are "stable". Bruce > > Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > --- > ...SecureJoin-when-forming-userns-paths.patch | 155 +++++++++--------- > recipes-containers/buildah/buildah_git.bb | 8 +- > 2 files changed, 84 insertions(+), 79 deletions(-) > > diff --git > a/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch > b/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch > index 73040e82..25f15715 100644 > --- > a/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch > +++ > b/recipes-containers/buildah/buildah/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch > @@ -23,16 +23,17 @@ CVE: CVE-2024-9676 > Upstream-Status: Backport [854570c44c219c2b92b03b36b7a2069a32e2c08a] 
> > Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > --- > - userns.go | 92 ++++++++++++++++++++++++++++++------------- > - userns_unsupported.go | 14 +++++++ > - 2 files changed, 79 insertions(+), 27 deletions(-) > - create mode 100644 userns_unsupported.go > + .../github.com/containers/storage/userns.go | 97 +++++++++++++------ > + .../containers/storage/userns_unsupported.go | 14 +++ > + 2 files changed, 83 insertions(+), 28 deletions(-) > + create mode 100644 vendor/ > github.com/containers/storage/userns_unsupported.go > > -diff --git a/userns.go b/userns.go > -index 32ae830be..2c855da7c 100644 > ---- a/userns.go > -+++ b/userns.go > +diff --git a/vendor/github.com/containers/storage/userns.go b/vendor/ > github.com/containers/storage/userns.go > +index 57120731b..086f8336b 100644 > +--- a/vendor/github.com/containers/storage/userns.go > ++++ b/vendor/github.com/containers/storage/userns.go > @@ -1,18 +1,21 @@ > +//go:build linux > + 
> @@ -50,36 +51,37 @@ index 32ae830be..2c855da7c 100644 > "github.com/containers/storage/pkg/unshare" > "github.com/containers/storage/types" > + securejoin "github.com/cyphar/filepath-securejoin" > - libcontainerUser "github.com/opencontainers/runc/libcontainer/user > " > + libcontainerUser "github.com/moby/sys/user" > "github.com/sirupsen/logrus" > + "golang.org/x/sys/unix" > ) > > // getAdditionalSubIDs looks up the additional IDs configured for > -@@ -85,40 +88,59 @@ const nobodyUser = 65534 > +@@ -85,40 +88,62 @@ const nobodyUser = 65534 > // parseMountedFiles returns the maximum UID and GID found in the > /etc/passwd and > // /etc/group files. > func parseMountedFiles(containerMount, passwdFile, groupFile string) > uint32 { > -+ var ( > -+ passwd *os.File > -+ group *os.File > -+ size int > -+ err error > -+ ) > ++ var ( > ++ passwd *os.File > ++ group *os.File > ++ size int > ++ err error > ++ ) > if passwdFile == "" { > - passwdFile = filepath.Join(containerMount, "etc/passwd") > - } > - if groupFile == "" { > - groupFile = filepath.Join(groupFile, "etc/group") > -+ passwd, err = secureOpen(containerMount, "/etc/passwd") > -+ } else { > -+ // User-specified override from a volume. Will not be in > -+ // container root. > -+ passwd, err = os.Open(passwdFile) > - } > +- } > - > - size := 0 > -- > ++ passwd, err = secureOpen(containerMount, "/etc/passwd") > ++ } else { > ++ // User-specified override from a volume. Will not be in > ++ // container root. > ++ passwd, err = os.Open(passwdFile) > ++ } > + > - users, err := libcontainerUser.ParsePasswdFile(passwdFile) > if err == nil { > - for _, u := range users { 
> @@ -93,34 +95,36 @@ index 32ae830be..2c855da7c 100644 > - } > - if u.Gid > size && u.Gid != nobodyUser { > - size = u.Gid > -+ defer passwd.Close() > + > -+ users, err := libcontainerUser.ParsePasswd(passwd) > -+ if err == nil { > -+ for _, u := range users { > -+ // Skip the "nobody" user otherwise we end > up with 65536 > -+ // ids with most images > -+ if u.Name == "nobody" || u.Name == > "nogroup" { > -+ continue > -+ } > -+ if u.Uid > size && u.Uid != nobodyUser { > -+ size = u.Uid + 1 > -+ } > -+ if u.Gid > size && u.Gid != nobodyUser { > -+ size = u.Gid + 1 > -+ } > ++ defer passwd.Close() > ++ > ++ users, err := libcontainerUser.ParsePasswd(passwd) > ++ if err == nil { > ++ for _, u := range users { > ++ // Skip the "nobody" user otherwise we > end up with 65536 > ++ // ids with most images > ++ if u.Name == "nobody" || u.Name == > "nogroup" { > ++ continue > ++ } > ++ if u.Uid > size && u.Uid != nobodyUser { > ++ size = u.Uid + 1 > ++ } > ++ if u.Gid > size && u.Gid != nobodyUser { > ++ size = u.Gid + 1 > ++ } > ++ > } > } > } > - > +- > - groups, err := libcontainerUser.ParseGroupFile(groupFile) > -+ if groupFile == "" { > -+ group, err = secureOpen(containerMount, "/etc/group") > -+ } else { > -+ // User-specified override from a volume. Will not be in > -+ // container root. > -+ group, err = os.Open(groupFile) > -+ } > ++ if groupFile == "" { > ++ group, err = secureOpen(containerMount, "/etc/group") > ++ } else { > ++ // User-specified override from a volume. Will not be in > ++ // container root. > ++ group, err = os.Open(groupFile) > ++ } > if err == nil { > - for _, g := range groups { > - if g.Name == "nobody" { 
> @@ -128,60 +132,61 @@ index 32ae830be..2c855da7c 100644 > - } > - if g.Gid > size && g.Gid != nobodyUser { > - size = g.Gid > -+ defer group.Close() > ++ defer group.Close() > ++ > ++ groups, err := libcontainerUser.ParseGroup(group) > ++ if err == nil { > ++ for _, g := range groups { > ++ if g.Name == "nobody" || g.Name == > "nogroup" { > ++ continue > ++ } > ++ if g.Gid > size && g.Gid != nobodyUser { > ++ size = g.Gid + 1 > ++ } > + > -+ groups, err := libcontainerUser.ParseGroup(group) > -+ if err == nil { > -+ for _, g := range groups { > -+ if g.Name == "nobody" || g.Name == > "nogroup" { > -+ continue > -+ } > -+ if g.Gid > size && g.Gid != nobodyUser { > -+ size = g.Gid + 1 > -+ } > } > } > } > -@@ -309,3 +331,19 @@ func getAutoUserNSIDMappings( > +@@ -309,3 +334,19 @@ func getAutoUserNSIDMappings( > gidMap := append(availableGIDs.zip(requestedContainerGIDs), > additionalGIDMappings...) > return uidMap, gidMap, nil > } > + > +// Securely open (read-only) a file in a container mount. > +func secureOpen(containerMount, file string) (*os.File, error) { > -+ filePath, err := securejoin.SecureJoin(containerMount, file) > -+ if err != nil { > -+ return nil, err > -+ } > ++ filePath, err := securejoin.SecureJoin(containerMount, file) > ++ if err != nil { > ++ return nil, err > ++ } > + > -+ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY > -+ fileHandle, err := os.OpenFile(filePath, flags, 0) > -+ if err != nil { > -+ return nil, err > -+ } > ++ flags := unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY > ++ fileHandle, err := os.OpenFile(filePath, flags, 0) > ++ if err != nil { > ++ return nil, err > ++ } > + > -+ return fileHandle, nil > ++ return fileHandle, nil > +} > -diff --git a/userns_unsupported.go b/userns_unsupported.go > +diff --git a/vendor/github.com/containers/storage/userns_unsupported.go > b/vendor/github.com/containers/storage/userns_unsupported.go > new file mode 100644 > -index 000000000..e37c18fe4 > +index 000000000..3905bd3ce 
> --- /dev/null > -+++ b/userns_unsupported.go > ++++ b/vendor/github.com/containers/storage/userns_unsupported.go > @@ -0,0 +1,14 @@ > +//go:build !linux > + > +package storage > + > +import ( > -+ "errors" > ++ "errors" > + > -+ "github.com/containers/storage/pkg/idtools" > -+ "github.com/containers/storage/types" > ++ "github.com/containers/storage/pkg/idtools" > ++ "github.com/containers/storage/types" > +) > + > +func (s *store) getAutoUserNS(_ *types.AutoUserNsOptions, _ *Image, _ > rwLayerStore, _ []roLayerStore) ([]idtools.IDMap, []idtools.IDMap, error) { > -+ return nil, nil, errors.New("user namespaces are not supported on > this platform") > ++ return nil, nil, errors.New("user namespaces are not supported on > this platform") > +} > -- > -2.25.1 > +2.40.0 > > diff --git a/recipes-containers/buildah/buildah_git.bb > b/recipes-containers/buildah/buildah_git.bb > index 288a1cb0..fd2503fe 100644 > --- a/recipes-containers/buildah/buildah_git.bb > +++ b/recipes-containers/buildah/buildah_git.bb > @@ -8,7 +8,7 @@ LIC_FILES_CHKSUM = "file://src/ > github.com/containers/buildah/LICENSE;md5=e3fc50a > > S = "${WORKDIR}/git" > > -BUILDAH_VERSION = "1.34.3" > +BUILDAH_VERSION = "1.35.5" > > PV = "${BUILDAH_VERSION}" 
> > @@ -28,12 +28,12 @@ GO_WORKDIR = "${GO_INSTALL}" > GOBUILDFLAGS += "-mod vendor" > > SRCREV_FORMAT = "buildah_storage" > -SRCREV_buildah = "2db756331014a4f355507df47d2622d05532da1f" > +SRCREV_buildah = "df0b92073ee9d34c1f86e03b4ffb17ec25e514e4" > SRCREV_storage = "246ba3062e8b551026aef2708eee747014ce5c52" > > SRC_URI = " \ > - git:// > github.com/containers/buildah;branch=release-1.34;name=buildah;protocol=https > \ > - > file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/ > github.com/containers/buildah/vendor/github.com/containers/storage \ > + git:// > github.com/containers/buildah;branch=release-1.35;name=buildah;protocol=https > \ > + > file://0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch;patchdir=src/ > github.com/containers/buildah/ \ > " > > DEPENDS = "libdevmapper btrfs-tools gpgme" > -- > 2.40.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#9176): > https://lists.yoctoproject.org/g/meta-virtualization/message/9176 > Mute This Topic: https://lists.yoctoproject.org/mt/111924201/1050810 > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [ > bruce.ashfield@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > > -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II [-- Attachment #2: Type: text/html, Size: 20198 bytes --] ^ permalink raw reply [flat|nested] 9+ messages in thread
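Review bot: in the userns.go hunk, secureOpen opens the file with `unix.O_PATH | unix.O_CLOEXEC | unix.O_RDONLY` and parseMountedFiles then hands that *os.File to libcontainerUser.ParsePasswd / ParseGroup, which read from it; a descriptor opened with O_PATH cannot be read (read(2) fails with EBADF), and because both call sites only act under `if err == nil`, the parse failure is swallowed and the function quietly returns a size of 0 instead of the maximum UID/GID. Before carrying this vendored patch onto 1.35.5, confirm that the handle returned by secureOpen is actually readable on the target, or have secureOpen drop O_PATH (keeping O_RDONLY|O_CLOEXEC after SecureJoin) or reopen the O_PATH handle through /proc/self/fd so that the passwd and group files are really parsed.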
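Review bot: the buildah_git.bb hunk bumps BUILDAH_VERSION to 1.35.5, switches the fetch to branch release-1.35 with a new SRCREV_buildah, and moves the patchdir of 0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch from the vendored storage subtree to the buildah tree root, but SRCREV_storage is left at 246ba3062e8b551026aef2708eee747014ce5c52 in the unchanged context. Since the index lines of the reworked patch (32ae830be..2c855da7c becoming 57120731b..086f8336b) show that the vendored copy of userns.go is at a different revision, please check that the separately fetched storage revision still matches the one recorded in buildah 1.35.5's vendor/modules.txt, or bump SRCREV_storage in the same commit so the two copies do not drift apart.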
* Re: [scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5
  2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5 Praveen Kumar
  2025-03-26 20:05   ` Bruce Ashfield
@ 2025-08-20  6:08   ` Hitendra Prajapati
  2025-08-20 13:03     ` [meta-virtualization] " Bruce Ashfield
  1 sibling, 1 reply; 9+ messages in thread
From: Hitendra Prajapati @ 2025-08-20 6:08 UTC (permalink / raw)
To: meta-virtualization

Hi Team,

Is there any issue with this patch for upgrading: buildah: upgrade 1.34.3 -> 1.35.5? Why is it not merged into the repo yet? It's been 5-6 months since the patch was submitted.

Regards,
Hitendra
* Re: [meta-virtualization] [scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5
  2025-08-20  6:08 ` [scarthgap][PATCH " Hitendra Prajapati
@ 2025-08-20 13:03 ` Bruce Ashfield
  0 siblings, 0 replies; 9+ messages in thread
From: Bruce Ashfield @ 2025-08-20 13:03 UTC (permalink / raw)
To: hprajapati; +Cc: meta-virtualization

On Wed, Aug 20, 2025 at 2:08 AM Hitendra Prajapati via lists.yoctoproject.org <hprajapati=mvista.com@lists.yoctoproject.org> wrote:
> Hi Team,
> Does there any issue with this patch for upgrading : buildah: upgrade
> 1.34.3 -> 1.35.5 ??
>
> Why it is not merged into repo yet. It's been 5-6 month after the patch
> submitted .
>
Did you read my reply to the original email? I won't repeat it here.

Bruce

> Regards,
> Hitendra
>
* Re: [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 2025-03-26 19:50 [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Praveen Kumar 2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 Praveen Kumar 2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5 Praveen Kumar @ 2025-04-02 2:21 ` Bruce Ashfield 2 siblings, 0 replies; 9+ messages in thread From: Bruce Ashfield @ 2025-04-02 2:21 UTC (permalink / raw) To: praveen.kumar; +Cc: meta-virtualization merged. Bruce In message: [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 on 26/03/2025 Praveen Kumar via lists.yoctoproject.org wrote: > moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference > via daemon/images/image_history.go. > > Reference: > https://nvd.nist.gov/vuln/detail/CVE-2024-36620 > > Upstream-patch: > https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 > > Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > --- > recipes-containers/docker/docker-moby_git.bb | 1 + > .../docker/files/CVE-2024-36620.patch | 40 +++++++++++++++++++ > 2 files changed, 41 insertions(+) > create mode 100644 recipes-containers/docker/files/CVE-2024-36620.patch > > diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb > index 0abb0b3f..a1879ed2 100644 > --- a/recipes-containers/docker/docker-moby_git.bb > +++ b/recipes-containers/docker/docker-moby_git.bb > @@ -56,6 +56,7 @@ SRC_URI = "\ > file://0001-libnetwork-use-GO-instead-of-go.patch \ > file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \ > file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ > + file://CVE-2024-36620.patch;patchdir=src/import \ > " > > DOCKER_COMMIT = "${SRCREV_moby}" 
> diff --git a/recipes-containers/docker/files/CVE-2024-36620.patch b/recipes-containers/docker/files/CVE-2024-36620.patch > new file mode 100644 > index 00000000..7bce4137 > --- /dev/null > +++ b/recipes-containers/docker/files/CVE-2024-36620.patch 
> @@ -0,0 +1,40 @@ > +From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001 > +From: Christopher Petito <47751006+krissetto@users.noreply.github.com> > +Date: Fri, 19 Apr 2024 10:44:30 +0000 > +Subject: [PATCH] nil dereference fix on image history Created value > + > +Issue was caused by the changes here https://github.com/moby/moby/pull/45504 > +First released in v25.0.0-beta.1 > + > +CVE: CVE-2024-36620 > + > +Upstream-Status: > +Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4] > + > +Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> > +--- > + daemon/images/image_history.go | 6 +++++- > + 1 file changed, 5 insertions(+), 1 deletion(-) > + > +diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go > +index dcf7a906aa..e5adda8639 100644 > +--- a/daemon/images/image_history.go > ++++ b/daemon/images/image_history.go > +@@ -41,10 +41,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image. > + layer.ReleaseAndLog(i.layerStore, l) > + layerCounter++ > + } > ++ var created int64 > ++ if h.Created != nil { > ++ created = h.Created.Unix() > ++ } > + > + history = append([]*image.HistoryResponseItem{{ > + ID: "<missing>", > +- Created: h.Created.Unix(), > ++ Created: created, > + CreatedBy: h.CreatedBy, > + Comment: h.Comment, > + Size: layerSize, > +-- > +2.40.0 > -- > 2.40.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#9174): https://lists.yoctoproject.org/g/meta-virtualization/message/9174 > Mute This Topic: https://lists.yoctoproject.org/mt/111924192/1050810 > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 9+ messages in thread
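Review bot: in the new-file hunk for CVE-2024-36620.patch the Upstream-Status tag is split over two added lines, `+Upstream-Status:` followed by `+Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4]`; the status and its URL belong on one line, `Upstream-Status: Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4]`, so that patch-checking tooling recognises the tag. The `CVE:` tag and the guarded `created` value that replaces the unconditional `h.Created.Unix()` call are otherwise in order.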
end of thread, other threads:[~2025-08-20 13:03 UTC | newest]

Thread overview: 9+ messages
2025-03-26 19:50 [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Praveen Kumar
2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 2/3] docker-moby: Fix CVE-2024-36621 Praveen Kumar
2025-04-02  2:22   ` Bruce Ashfield
2025-04-02 13:59     ` Martin Jansa
2025-03-26 19:50 ` [meta-virtualization][scarthgap][PATCH 3/3] buildah: upgrade 1.34.3 -> 1.35.5 Praveen Kumar
2025-03-26 20:05   ` Bruce Ashfield
2025-08-20  6:08     ` [scarthgap][PATCH " Hitendra Prajapati
2025-08-20 13:03       ` [meta-virtualization] " Bruce Ashfield
2025-04-02  2:21 ` [meta-virtualization][scarthgap][PATCH 1/3] docker-moby: Fix CVE-2024-36620 Bruce Ashfield