* [meta-virtualization][kirkstone][PATCH] docker-distribution: fix CVE-2025-24976
@ 2025-03-06  2:19 Qi.Chen
  2025-03-06 17:42 ` Bruce Ashfield
  0 siblings, 1 reply; 2+ messages in thread
From: Qi.Chen @ 2025-03-06  2:19 UTC (permalink / raw)
  To: meta-virtualization

From: Chen Qi <Qi.Chen@windriver.com>

Backport patch to fix CVE-2025-24976.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../docker-distribution_git.bb                |  1 +
 ...ix-registry-token-authentication-bug.patch | 49 +++++++++++++++++++
 2 files changed, 50 insertions(+)
 create mode 100644 recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch

diff --git a/recipes-containers/docker-distribution/docker-distribution_git.bb b/recipes-containers/docker-distribution/docker-distribution_git.bb
index 50b6b302..5b5f75bb 100644
--- a/recipes-containers/docker-distribution/docker-distribution_git.bb
+++ b/recipes-containers/docker-distribution/docker-distribution_git.bb
@@ -9,6 +9,7 @@ SRC_URI = "git://github.com/docker/distribution.git;branch=release/2.8;name=dist
            file://0001-build-use-to-use-cross-go-compiler.patch \
            file://0001-Fix-runaway-allocation-on-v2-_catalog.patch \
            file://0001-panicwrap-Use-dup3-on-riscv64-linux.patch \
+           file://0001-Fix-registry-token-authentication-bug.patch \
           "
 
 PACKAGES =+ "docker-registry"
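Review bot: the added SRC_URI entry is consistent with the existing backports in the list, and since the new patch file carries a `CVE: CVE-2025-24976` tag, do_cve_check will pick it up and report the CVE as patched for this recipe without any separate CVE_STATUS entry in the .bb; no further recipe change is needed for this hunk.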
diff --git a/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch
new file mode 100644
index 00000000..8d3e98f9
--- /dev/null
+++ b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch
@@ -0,0 +1,49 @@
+From ff9eed251cfd7dd279ea231a289cc784fd7f829f Mon Sep 17 00:00:00 2001
+From: Milos Gajdos <milosthegajdos@gmail.com>
+Date: Sat, 1 Feb 2025 15:30:18 -0800
+Subject: [PATCH] Fix registry token authentication bug
+
+When a JWT contains a JWK header without a certificate chain,
+the original code only checked if the KeyID (kid) matches one of the trusted keys,
+but doesn't verify that the actual key material matches.
+
+As a result, if an attacker guesses the kid, they can inject an
+untrusted key which would then be used to grant access to protected
+data.
+
+This fixes the issue such as only the trusted key is verified.
+
+Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
+
+CVE: CVE-2025-24976
+
+Upstream-Status: Backport [https://github.com/distribution/distribution/commit/f4a500caf68169dccb0b54cb90523e68ee1ac2be]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ registry/auth/token/token.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/registry/auth/token/token.go b/registry/auth/token/token.go
+index f803415f..fbcf5bfa 100644
+--- a/registry/auth/token/token.go
++++ b/registry/auth/token/token.go
+@@ -290,12 +290,13 @@ func parseAndVerifyRawJWK(rawJWK *json.RawMessage, verifyOpts VerifyOptions) (pu
+ 	x5cVal, ok := pubKey.GetExtendedField("x5c").([]interface{})
+ 	if !ok {
+ 		// The JWK should be one of the trusted root keys.
+-		if _, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]; !trusted {
++		trustedKey, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]
++		if !trusted {
+ 			return nil, errors.New("untrusted JWK with no certificate chain")
+ 		}
+ 
+ 		// The JWK is one of the trusted keys.
+-		return
++		return trustedKey, nil
+ 	}
+ 
+ 	// Ensure each item in the chain is of the correct type.
+-- 
+2.25.1
+
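Review bot: the fix is minimal and correct for the bug described in the commit message: the old bare `return` handed back the function's named return value, i.e. the public key parsed from the untrusted JWK header, so a `kid` matching a trusted key was enough for attacker-supplied key material to be used for signature verification. Returning `trustedKey` from `verifyOpts.TrustedKeys` means the key ID only selects which trusted key is used and the JWK's own key material never reaches the verifier. Two things to confirm for kirkstone: the Upstream-Status references a main-branch commit while the recipe tracks `release/2.8`, so the hunk should be checked against the pinned SRCREV for clean application (the surrounding context in `parseAndVerifyRawJWK` is unchanged, which is a good sign), and the `x5c` path below the hunk is untouched, so JWKs that do carry a certificate chain are still validated through the chain check rather than the trusted-keys map.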
-- 
2.25.1




* Re: [meta-virtualization][kirkstone][PATCH] docker-distribution: fix CVE-2025-24976
  2025-03-06  2:19 [meta-virtualization][kirkstone][PATCH] docker-distribution: fix CVE-2025-24976 Qi.Chen
@ 2025-03-06 17:42 ` Bruce Ashfield
  0 siblings, 0 replies; 2+ messages in thread
From: Bruce Ashfield @ 2025-03-06 17:42 UTC (permalink / raw)
  To: Qi.Chen; +Cc: meta-virtualization

merged.

Bruce

In message: [meta-virtualization][kirkstone][PATCH] docker-distribution: fix CVE-2025-24976
on 05/03/2025 Chen Qi via lists.yoctoproject.org wrote:



