From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: Qi.Chen@windriver.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][scarthgap][PATCH] docker-distribution: fix CVE-2025-24976
Date: Thu, 6 Mar 2025 17:42:33 +0000 [thread overview]
Message-ID: <Z8neiWDvXHx/rTCB@gmail.com> (raw)
In-Reply-To: <20250305064105.3044844-1-Qi.Chen@windriver.com>
merged.
Bruce
In message: [meta-virtualization][scarthgap][PATCH] docker-distribution: fix CVE-2025-24976
on 04/03/2025 Chen Qi via lists.yoctoproject.org wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> Backport patch to fix CVE-2025-24976.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> .../docker-distribution_git.bb | 1 +
> ...ix-registry-token-authentication-bug.patch | 49 +++++++++++++++++++
> 2 files changed, 50 insertions(+)
> create mode 100644 recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch
>
> diff --git a/recipes-containers/docker-distribution/docker-distribution_git.bb b/recipes-containers/docker-distribution/docker-distribution_git.bb
> index 9b918b62..e85085e5 100644
> --- a/recipes-containers/docker-distribution/docker-distribution_git.bb
> +++ b/recipes-containers/docker-distribution/docker-distribution_git.bb
> @@ -8,6 +8,7 @@ SRC_URI = "git://github.com/docker/distribution.git;branch=release/2.8;name=dist
> file://docker-registry.service \
> file://0001-build-use-to-use-cross-go-compiler.patch \
> file://0001-panicwrap-Use-dup3-on-riscv64-linux.patch \
> + file://0001-Fix-registry-token-authentication-bug.patch \
> "
>
> PACKAGES =+ "docker-registry"
> diff --git a/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch
> new file mode 100644
> index 00000000..8d3e98f9
> --- /dev/null
> +++ b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch
> @@ -0,0 +1,49 @@
> +From ff9eed251cfd7dd279ea231a289cc784fd7f829f Mon Sep 17 00:00:00 2001
> +From: Milos Gajdos <milosthegajdos@gmail.com>
> +Date: Sat, 1 Feb 2025 15:30:18 -0800
> +Subject: [PATCH] Fix registry token authentication bug
> +
> +When a JWT contains a JWK header without a certificate chain,
> +the original code only checked if the KeyID (kid) matches one of the trusted keys,
> +but doesn't verify that the actual key material matches.
> +
> +As a result, if an attacker guesses the kid, they can inject an
> +untrusted key which would then be used to grant access to protected
> +data.
> +
> +This fixes the issue such as only the trusted key is verified.
> +
> +Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
> +
> +CVE: CVE-2025-24976
> +
> +Upstream-Status: Backport [https://github.com/distribution/distribution/commit/f4a500caf68169dccb0b54cb90523e68ee1ac2be]
> +
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + registry/auth/token/token.go | 5 +++--
> + 1 file changed, 3 insertions(+), 2 deletions(-)
> +
> +diff --git a/registry/auth/token/token.go b/registry/auth/token/token.go
> +index f803415f..fbcf5bfa 100644
> +--- a/registry/auth/token/token.go
> ++++ b/registry/auth/token/token.go
> +@@ -290,12 +290,13 @@ func parseAndVerifyRawJWK(rawJWK *json.RawMessage, verifyOpts VerifyOptions) (pu
> + x5cVal, ok := pubKey.GetExtendedField("x5c").([]interface{})
> + if !ok {
> + // The JWK should be one of the trusted root keys.
> +- if _, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]; !trusted {
> ++ trustedKey, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]
> ++ if !trusted {
> + return nil, errors.New("untrusted JWK with no certificate chain")
> + }
> +
> + // The JWK is one of the trusted keys.
> +- return
> ++ return trustedKey, nil
> + }
> +
> + // Ensure each item in the chain is of the correct type.
> +--
> +2.25.1
> +
> --
> 2.25.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9153): https://lists.yoctoproject.org/g/meta-virtualization/message/9153
> Mute This Topic: https://lists.yoctoproject.org/mt/111524442/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
prev parent reply other threads:[~2025-03-06 17:42 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-05 6:41 [meta-virtualization][scarthgap][PATCH] docker-distribution: fix CVE-2025-24976 Qi.Chen
2025-03-06 17:42 ` Bruce Ashfield [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z8neiWDvXHx/rTCB@gmail.com \
--to=bruce.ashfield@gmail.com \
--cc=Qi.Chen@windriver.com \
--cc=meta-virtualization@lists.yoctoproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.