Re: [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: sudumbha@cisco.com
Cc: meta-virtualization@lists.yoctoproject.org, xe-linux-external@cisco.com
Subject: Re: [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623
Date: Sun, 20 Jul 2025 22:37:57 -0400	[thread overview]
Message-ID: <aH2oBWMowUl8f7+U@gmail.com> (raw)
In-Reply-To: <20250717180522.498240-1-sudumbha@cisco.com>

This patch is coming through garbled:

[/home/bruc...]> git am -s ~/incoming/0003-_meta-virtualization_scarthgap_PATCH_docker-moby_25.0.3_fix_CVE-2024-3.patch
Patch format detection failed.

Bruce

In message: [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623
on 17/07/2025 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.yoctoproject.org wrote:

> Upstream Repository: https://github.com/moby/moby.git
> 
> Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36623
> Type: Security Fix
> CVE: CVE-2024-36623
> Score: 8.1
> Patch: https://github.com/moby/moby/commit/8e3bcf197488
> 
> Analysis:
> - Moby through v25.0.3 has a race condition vulnerability in the
>   streamformatter package. It can trigger multiple concurrent write
>   operations resulting in data corruption. [1]
> - The fix adds a mutex to prevent concurrent writes and protect against
>   data corruption. [2]
> 
> Reference:
> [1] https://nvd.nist.gov/vuln/detail/CVE-2024-36623
> [2] https://github.com/moby/moby/commit/8e3bcf197488
> 
> Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
> ---
>  recipes-containers/docker/docker-moby_git.bb  |  1 +
>  .../docker/files/CVE-2024-36623.patch         | 55 +++++++++++++++++++
>  2 files changed, 56 insertions(+)
>  create mode 100644 recipes-containers/docker/files/CVE-2024-36623.patch
> 
> diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
> index aa239f68..d40e3e17 100644
> --- a/recipes-containers/docker/docker-moby_git.bb
> +++ b/recipes-containers/docker/docker-moby_git.bb
> @@ -60,6 +60,7 @@ SRC_URI = "\
>          file://CVE-2024-36621.patch;patchdir=src/import \
>          file://CVE-2024-29018_p1.patch;patchdir=src/import \
>          file://CVE-2024-29018_p2.patch;patchdir=src/import \
> +        file://CVE-2024-36623.patch;patchdir=src/import \
>  	"
>  
>  DOCKER_COMMIT = "${SRCREV_moby}"
> diff --git a/recipes-containers/docker/files/CVE-2024-36623.patch b/recipes-containers/docker/files/CVE-2024-36623.patch
> new file mode 100644
> index 00000000..811a37d7
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2024-36623.patch
> @@ -0,0 +1,55 @@
> +From 595fb34dbb46105379b469abfb70f7f9228c9361 Mon Sep 17 00:00:00 2001
> +From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
> +Date: Thu, 22 Feb 2024 18:01:40 +0100
> +Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Sync access to the underlying `io.Writer` with a mutex.
> +
> +Upstream-Status: Backport [https://github.com/moby/moby/commit/8e3bcf197488]
> +CVE: CVE-2024-36623
> +
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +(cherry picked from commit 5689dabfb357b673abdb4391eef426f297d7d1bb)
> +Signed-off-by: Albin Kerouanton <albinker@gmail.com>
> +(cherry picked from commit 8e3bcf19748838b30e34d612832d1dc9d90363b8)
> +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
> +---
> + pkg/streamformatter/streamformatter.go | 5 +++++
> + 1 file changed, 5 insertions(+)
> +
> +diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go
> +index b0456e580d..098df6b523 100644
> +--- a/pkg/streamformatter/streamformatter.go
> ++++ b/pkg/streamformatter/streamformatter.go
> +@@ -5,6 +5,7 @@ import (
> + 	"encoding/json"
> + 	"fmt"
> + 	"io"
> ++	"sync"
> + 
> + 	"github.com/docker/docker/pkg/jsonmessage"
> + 	"github.com/docker/docker/pkg/progress"
> +@@ -109,6 +110,7 @@ type progressOutput struct {
> + 	sf       formatProgress
> + 	out      io.Writer
> + 	newLines bool
> ++	mu       sync.Mutex
> + }
> + 
> + // WriteProgress formats progress information from a ProgressReader.
> +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
> + 		jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
> + 		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
> + 	}
> ++
> ++	out.mu.Lock()
> ++	defer out.mu.Unlock()
> + 	_, err := out.out.Write(formatted)
> + 	if err != nil {
> + 		return err
> +-- 
> +2.44.1
> +
> -- 
> 2.35.6
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9318): https://lists.yoctoproject.org/g/meta-virtualization/message/9318
> Mute This Topic: https://lists.yoctoproject.org/mt/114208293/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

next prev parent reply	other threads:[~2025-07-21  2:38 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-07-17 18:05 [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623 Sudhir Dumbhare
2025-07-21  2:37 ` Bruce Ashfield [this message]
2025-07-21 10:17   ` Sudhir Dumbhare
2025-07-31 17:41     ` Bruce Ashfield
2025-07-31 19:43       ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-07-31 20:12         ` Bruce Ashfield
     [not found] <PH0PR11MB7496292BBD9BF5D6A0225078D127A@cisco.com>
2025-07-31 19:53 ` sudumbha
     [not found] <CADkTA4OB4YTqY9_TZjX0YiHsXjaFezoKO1W5x7M1H_PeQ8hV-A@@cisco.com>
2025-07-31 21:31 ` Sudhir Dumbhare
2025-08-04 12:54   ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-08-04 13:04     ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-08-25 10:57       ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-08-25 10:59         ` Bruce Ashfield

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aH2oBWMowUl8f7+U@gmail.com \
    --to=bruce.ashfield@gmail.com \
    --cc=meta-virtualization@lists.yoctoproject.org \
    --cc=sudumbha@cisco.com \
    --cc=xe-linux-external@cisco.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.