* Re: [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623 [not found] <CADkTA4OB4YTqY9_TZjX0YiHsXjaFezoKO1W5x7M1H_PeQ8hV-A@@cisco.com> @ 2025-07-31 21:31 ` Sudhir Dumbhare 2025-08-04 12:54 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 11+ messages in thread From: Sudhir Dumbhare @ 2025-07-31 21:31 UTC (permalink / raw) To: meta-virtualization; +Cc: xe-linux-external, vchavda Upstream Repository: https://github.com/moby/moby.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36623 Type: Security Fix CVE: CVE-2024-36623 Score: 8.1 Patch: https://github.com/moby/moby/commit/8e3bcf197488 Analysis: - Moby through v25.0.3 has a race condition vulnerability in the streamformatter package. It can trigger multiple concurrent write operations resulting in data corruption. [1] - The fix adds a mutex to prevent concurrent writes and protect against data corruption. [2] Reference: [1] https://nvd.nist.gov/vuln/detail/CVE-2024-36623 [2] https://github.com/moby/moby/commit/8e3bcf197488 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- recipes-containers/docker/docker-moby_git.bb | 1 + .../docker/files/CVE-2024-36623.patch | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 recipes-containers/docker/files/CVE-2024-36623.patch diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb index d274b002..e1ece0fd 100644 --- a/recipes-containers/docker/docker-moby_git.bb +++ b/recipes-containers/docker/docker-moby_git.bb @@ -58,6 +58,7 @@ SRC_URI = "\ file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ file://CVE-2024-36620.patch;patchdir=src/import \ file://CVE-2024-36621.patch;patchdir=src/import \ + file://CVE-2024-36623.patch;patchdir=src/import \ " DOCKER_COMMIT = "${SRCREV_moby}" diff --git a/recipes-containers/docker/files/CVE-2024-36623.patch b/recipes-containers/docker/files/CVE-2024-36623.patch new file mode 100644 index 00000000..28553c3e --- /dev/null +++ b/recipes-containers/docker/files/CVE-2024-36623.patch @@ -0,0 +1,47 @@ +commit 5becb76fa5a5cb9de135b82017dbc7da7d345614 +Author: Paweł Gronowski <pawel.gronowski@docker.com> +Date: Thu Feb 22 18:01:40 2024 +0100 + + pkg/streamformatter: Make `progressOutput` concurrency safe + + Sync access to the underlying `io.Writer` with a mutex. + + Upstream-Status: Backport [https://github.com/moby/moby/commit/8e3bcf197488] + CVE: CVE-2024-36623 + + Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> + (cherry picked from commit 5689dabfb357b673abdb4391eef426f297d7d1bb) + Signed-off-by: Albin Kerouanton <albinker@gmail.com> + (cherry picked from commit 8e3bcf19748838b30e34d612832d1dc9d90363b8) + Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> + +diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go +index b0456e580d..098df6b523 100644 +--- a/pkg/streamformatter/streamformatter.go ++++ b/pkg/streamformatter/streamformatter.go +@@ -5,6 +5,7 @@ import ( + "encoding/json" + "fmt" + "io" ++ "sync" + + "github.com/docker/docker/pkg/jsonmessage" + "github.com/docker/docker/pkg/progress" +@@ -109,6 +110,7 @@ type progressOutput struct { + sf formatProgress + out io.Writer + newLines bool ++ mu sync.Mutex + } + + // WriteProgress formats progress information from a ProgressReader. +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { + jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} + formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) + } ++ ++ out.mu.Lock() ++ defer out.mu.Unlock() + _, err := out.out.Write(formatted) + if err != nil { + return err -- 2.35.6 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623 2025-07-31 21:31 ` [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623 Sudhir Dumbhare @ 2025-08-04 12:54 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2025-08-04 13:04 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 11+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-08-04 12:54 UTC (permalink / raw) To: meta-virtualization; +Cc: vchavda, deeratho Thank you for the reference. I have reviewed the guidelines at https://docs.yoctoproject.org/dev/contributor-guide/submit-changes.html#fixing-your-from-identity and updated the sendemail.from field as recommended. However, the "From:" header was not visible in the previous message, as it was dropped by the organization's email client. Now resending the patch after properly configuring the field. Thanks & Regards, Sudhir ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623 2025-08-04 12:54 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-08-04 13:04 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2025-08-25 10:57 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 11+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-08-04 13:04 UTC (permalink / raw) To: meta-virtualization; +Cc: vchavda, deeratho From: Sudhir Dumbhare <sudumbha@cisco.com> Upstream Repository: https://github.com/moby/moby.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36623 Type: Security Fix CVE: CVE-2024-36623 Score: 8.1 Patch: https://github.com/moby/moby/commit/8e3bcf197488 Analysis: - Moby through v25.0.3 has a race condition vulnerability in the streamformatter package. It can trigger multiple concurrent write operations resulting in data corruption. [1] - The fix adds a mutex to prevent concurrent writes and protect against data corruption. [2] Reference: [1] https://nvd.nist.gov/vuln/detail/CVE-2024-36623 [2] https://github.com/moby/moby/commit/8e3bcf197488 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- recipes-containers/docker/docker-moby_git.bb | 1 + .../docker/files/CVE-2024-36623.patch | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 recipes-containers/docker/files/CVE-2024-36623.patch diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb index d274b002..e1ece0fd 100644 --- a/recipes-containers/docker/docker-moby_git.bb +++ b/recipes-containers/docker/docker-moby_git.bb @@ -58,6 +58,7 @@ SRC_URI = "\ file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ file://CVE-2024-36620.patch;patchdir=src/import \ file://CVE-2024-36621.patch;patchdir=src/import \ + file://CVE-2024-36623.patch;patchdir=src/import \ " DOCKER_COMMIT = "${SRCREV_moby}" diff --git a/recipes-containers/docker/files/CVE-2024-36623.patch b/recipes-containers/docker/files/CVE-2024-36623.patch new file mode 100644 index 00000000..28553c3e --- /dev/null +++ b/recipes-containers/docker/files/CVE-2024-36623.patch @@ -0,0 +1,47 @@ +commit 5becb76fa5a5cb9de135b82017dbc7da7d345614 +Author: Paweł Gronowski <pawel.gronowski@docker.com> +Date: Thu Feb 22 18:01:40 2024 +0100 + + pkg/streamformatter: Make `progressOutput` concurrency safe + + Sync access to the underlying `io.Writer` with a mutex. + + Upstream-Status: Backport [https://github.com/moby/moby/commit/8e3bcf197488] + CVE: CVE-2024-36623 + + Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> + (cherry picked from commit 5689dabfb357b673abdb4391eef426f297d7d1bb) + Signed-off-by: Albin Kerouanton <albinker@gmail.com> + (cherry picked from commit 8e3bcf19748838b30e34d612832d1dc9d90363b8) + Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> + +diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go +index b0456e580d..098df6b523 100644 +--- a/pkg/streamformatter/streamformatter.go ++++ b/pkg/streamformatter/streamformatter.go +@@ -5,6 +5,7 @@ import ( + "encoding/json" + "fmt" + "io" ++ "sync" + + "github.com/docker/docker/pkg/jsonmessage" + "github.com/docker/docker/pkg/progress" +@@ -109,6 +110,7 @@ type progressOutput struct { + sf formatProgress + out io.Writer + newLines bool ++ mu sync.Mutex + } + + // WriteProgress formats progress information from a ProgressReader. +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { + jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} + formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) + } ++ ++ out.mu.Lock() ++ defer out.mu.Unlock() + _, err := out.out.Write(formatted) + if err != nil { + return err -- 2.35.6 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623 2025-08-04 13:04 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-08-25 10:57 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2025-08-25 10:59 ` Bruce Ashfield 0 siblings, 1 reply; 11+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-08-25 10:57 UTC (permalink / raw) To: meta-virtualization; +Cc: vchavda, deeratho ping ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623 2025-08-25 10:57 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-08-25 10:59 ` Bruce Ashfield 2025-09-03 17:08 ` [meta-virtualization] [scarthgap] [PATCH v2] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 11+ messages in thread From: Bruce Ashfield @ 2025-08-25 10:59 UTC (permalink / raw) To: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) Cc: meta-virtualization, Viral Chavda (vchavda), deeratho [-- Attachment #1: Type: text/plain, Size: 953 bytes --] The patches are still mangled by the list. I'm on holidays this week, but will see if I can make better suggestions to fix it when I get back. Bruce - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II On Mon, Aug 25, 2025, 7:57 AM Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.yoctoproject.org <sudumbha= cisco.com@lists.yoctoproject.org> wrote: > ping > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#9358): > https://lists.yoctoproject.org/g/meta-virtualization/message/9358 > Mute This Topic: https://lists.yoctoproject.org/mt/114208293/1050810 > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [ > bruce.ashfield@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > > [-- Attachment #2: Type: text/html, Size: 2010 bytes --] ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [meta-virtualization] [scarthgap] [PATCH v2] docker-moby 25.0.3: fix CVE-2024-36623 2025-08-25 10:59 ` Bruce Ashfield @ 2025-09-03 17:08 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2025-09-04 0:03 ` Bruce Ashfield 0 siblings, 1 reply; 11+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-09-03 17:08 UTC (permalink / raw) To: meta-virtualization; +Cc: vchavda, deeratho From: Sudhir Dumbhare <sudumbha@cisco.com> Upstream Repository: https://github.com/moby/moby.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36623 Type: Security Fix CVE: CVE-2024-36623 Score: 8.1 Patch: https://github.com/moby/moby/commit/8e3bcf197488 Analysis: - Moby through v25.0.3 has a race condition vulnerability in the streamformatter package. It can trigger multiple concurrent write operations resulting in data corruption. [1] - The fix adds a mutex to prevent concurrent writes and protect against data corruption. [2] Reference: [1] https://nvd.nist.gov/vuln/detail/CVE-2024-36623 [2] https://github.com/moby/moby/commit/8e3bcf197488 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- Changes in v2: * Fix from identity * Clean up whitespace recipes-containers/docker/docker-moby_git.bb | 1 + .../docker/files/CVE-2024-36623.patch | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 recipes-containers/docker/files/CVE-2024-36623.patch diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb index d274b002..e1ece0fd 100644 --- a/recipes-containers/docker/docker-moby_git.bb +++ b/recipes-containers/docker/docker-moby_git.bb @@ -58,6 +58,7 @@ SRC_URI = "\ file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ file://CVE-2024-36620.patch;patchdir=src/import \ file://CVE-2024-36621.patch;patchdir=src/import \ + file://CVE-2024-36623.patch;patchdir=src/import \ " DOCKER_COMMIT = "${SRCREV_moby}" diff --git a/recipes-containers/docker/files/CVE-2024-36623.patch b/recipes-containers/docker/files/CVE-2024-36623.patch new file mode 100644 index 00000000..3878a8b1 --- /dev/null +++ b/recipes-containers/docker/files/CVE-2024-36623.patch @@ -0,0 +1,47 @@ +commit 5becb76fa5a5cb9de135b82017dbc7da7d345614 +Author: Paweł Gronowski <pawel.gronowski@docker.com> +Date: Thu Feb 22 18:01:40 2024 +0100 + + pkg/streamformatter: Make `progressOutput` concurrency safe + + Sync access to the underlying `io.Writer` with a mutex. + + Upstream-Status: Backport [https://github.com/moby/moby/commit/8e3bcf197488] + CVE: CVE-2024-36623 + + Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> + (cherry picked from commit 5689dabfb357b673abdb4391eef426f297d7d1bb) + Signed-off-by: Albin Kerouanton <albinker@gmail.com> + (cherry picked from commit 8e3bcf19748838b30e34d612832d1dc9d90363b8) + Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> + +diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go +index b0456e580d..098df6b523 100644 +--- a/pkg/streamformatter/streamformatter.go ++++ b/pkg/streamformatter/streamformatter.go +@@ -5,6 +5,7 @@ import ( + "encoding/json" + "fmt" + "io" ++ "sync" + + "github.com/docker/docker/pkg/jsonmessage" + "github.com/docker/docker/pkg/progress" +@@ -109,6 +110,7 @@ type progressOutput struct { + sf formatProgress + out io.Writer + newLines bool ++ mu sync.Mutex + } + + // WriteProgress formats progress information from a ProgressReader. +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { + jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} + formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) + } ++ ++ out.mu.Lock() ++ defer out.mu.Unlock() + _, err := out.out.Write(formatted) + if err != nil { + return err -- 2.23.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [meta-virtualization] [scarthgap] [PATCH v2] docker-moby 25.0.3: fix CVE-2024-36623 2025-09-03 17:08 ` [meta-virtualization] [scarthgap] [PATCH v2] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-09-04 0:03 ` Bruce Ashfield 2025-09-04 9:13 ` [meta-virtualization] [scarthgap] [PATCH v3] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 11+ messages in thread From: Bruce Ashfield @ 2025-09-04 0:03 UTC (permalink / raw) To: sudumbha; +Cc: meta-virtualization, vchavda, deeratho I'm still unable to apply any of your patches. [/home/bruc...ualization]> git am -s ~/incoming/0001-_Re_meta-virtualization_scarthgap_PATCH_v2_docker-moby_25.0.3_fix_CVE-.patch Patch format detection failed. I know you've probably been through everything already, but have you double checked the settings as described in: https://docs.yoctoproject.org/dev/contributor-guide/submit-changes.html Otherwise, we need to find a different way for you to send patches as something in the path of sending is mangling them. Bruce In message: Re: [meta-virtualization] [scarthgap] [PATCH v2] docker-moby 25.0.3: fix CVE-2024-36623 on 03/09/2025 Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.yoctoproject.org wrote: > From: Sudhir Dumbhare <sudumbha@cisco.com> > > Upstream Repository: https://github.com/moby/moby.git > > Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36623 > Type: Security Fix > CVE: CVE-2024-36623 > Score: 8.1 > Patch: https://github.com/moby/moby/commit/8e3bcf197488 > > Analysis: > - Moby through v25.0.3 has a race condition vulnerability in the > streamformatter package. It can trigger multiple concurrent write > operations resulting in data corruption. [1] > - The fix adds a mutex to prevent concurrent writes and protect against > data corruption. [2] > > Reference: > [1] https://nvd.nist.gov/vuln/detail/CVE-2024-36623 > [2] https://github.com/moby/moby/commit/8e3bcf197488 > > Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > --- > > Changes in v2: > * Fix from identity > * Clean up whitespace > > recipes-containers/docker/docker-moby_git.bb | 1 + > .../docker/files/CVE-2024-36623.patch | 47 +++++++++++++++++++ > 2 files changed, 48 insertions(+) > create mode 100644 recipes-containers/docker/files/CVE-2024-36623.patch > > diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb > index d274b002..e1ece0fd 100644 > --- a/recipes-containers/docker/docker-moby_git.bb > +++ b/recipes-containers/docker/docker-moby_git.bb > @@ -58,6 +58,7 @@ SRC_URI = "\ > file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ > file://CVE-2024-36620.patch;patchdir=src/import \ > file://CVE-2024-36621.patch;patchdir=src/import \ > + file://CVE-2024-36623.patch;patchdir=src/import \ > " > > DOCKER_COMMIT = "${SRCREV_moby}" > diff --git a/recipes-containers/docker/files/CVE-2024-36623.patch b/recipes-containers/docker/files/CVE-2024-36623.patch > new file mode 100644 > index 00000000..3878a8b1 > --- /dev/null > +++ b/recipes-containers/docker/files/CVE-2024-36623.patch > @@ -0,0 +1,47 @@ > +commit 5becb76fa5a5cb9de135b82017dbc7da7d345614 > +Author: Paweł Gronowski <pawel.gronowski@docker.com> > +Date: Thu Feb 22 18:01:40 2024 +0100 > + > + pkg/streamformatter: Make `progressOutput` concurrency safe > + > + Sync access to the underlying `io.Writer` with a mutex. > + > + Upstream-Status: Backport [https://github.com/moby/moby/commit/8e3bcf197488] > + CVE: CVE-2024-36623 > + > + Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> > + (cherry picked from commit 5689dabfb357b673abdb4391eef426f297d7d1bb) > + Signed-off-by: Albin Kerouanton <albinker@gmail.com> > + (cherry picked from commit 8e3bcf19748838b30e34d612832d1dc9d90363b8) > + Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> > + > +diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go > +index b0456e580d..098df6b523 100644 > +--- a/pkg/streamformatter/streamformatter.go > ++++ b/pkg/streamformatter/streamformatter.go > +@@ -5,6 +5,7 @@ import ( > + "encoding/json" > + "fmt" > + "io" > ++ "sync" > + > + "github.com/docker/docker/pkg/jsonmessage" > + "github.com/docker/docker/pkg/progress" > +@@ -109,6 +110,7 @@ type progressOutput struct { > + sf formatProgress > + out io.Writer > + newLines bool > ++ mu sync.Mutex > + } > + > + // WriteProgress formats progress information from a ProgressReader. > +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { > + jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} > + formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) > + } > ++ > ++ out.mu.Lock() > ++ defer out.mu.Unlock() > + _, err := out.out.Write(formatted) > + if err != nil { > + return err > -- > 2.23.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#9365): https://lists.yoctoproject.org/g/meta-virtualization/message/9365 > Mute This Topic: https://lists.yoctoproject.org/mt/115049072/1050810 > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 11+ messages in thread
* [meta-virtualization] [scarthgap] [PATCH v3] docker-moby 25.0.3: fix CVE-2024-36623 2025-09-04 0:03 ` Bruce Ashfield @ 2025-09-04 9:13 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2025-09-24 17:53 ` [meta-virtualization] [scarthgap] [PATCH v4] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 11+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-09-04 9:13 UTC (permalink / raw) To: meta-virtualization; +Cc: vchavda, deeratho From: Sudhir Dumbhare <sudumbha@cisco.com> Upstream Repository: https://github.com/moby/moby.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36623 Type: Security Fix CVE: CVE-2024-36623 Score: 8.1 Patch: https://github.com/moby/moby/commit/8e3bcf197488 Analysis: - Moby through v25.0.3 has a race condition vulnerability in the streamformatter package. It can trigger multiple concurrent write operations resulting in data corruption. [1] - The fix adds a mutex to prevent concurrent writes and protect against data corruption. [2] Reference: [1] https://nvd.nist.gov/vuln/detail/CVE-2024-36623 [2] https://github.com/moby/moby/commit/8e3bcf197488 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- Changes in v3: * Fix patch format Changes in v2: * Fix from identity * Clean up whitespace recipes-containers/docker/docker-moby_git.bb | 1 + .../docker/files/CVE-2024-36623.patch | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 recipes-containers/docker/files/CVE-2024-36623.patch diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb index d274b002..e1ece0fd 100644 --- a/recipes-containers/docker/docker-moby_git.bb +++ b/recipes-containers/docker/docker-moby_git.bb @@ -58,6 +58,7 @@ SRC_URI = "\ file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ file://CVE-2024-36620.patch;patchdir=src/import \ file://CVE-2024-36621.patch;patchdir=src/import \ + file://CVE-2024-36623.patch;patchdir=src/import \ " DOCKER_COMMIT = "${SRCREV_moby}" diff --git a/recipes-containers/docker/files/CVE-2024-36623.patch b/recipes-containers/docker/files/CVE-2024-36623.patch new file mode 100644 index 00000000..e2a26479 --- /dev/null +++ b/recipes-containers/docker/files/CVE-2024-36623.patch @@ -0,0 +1,51 @@ +From a04fb7404d9b12a8357891f1e4d709faf029b695 Mon Sep 17 00:00:00 2001 +From: Paweł Gronowski <pawel.gronowski@docker.com> +Date: Thu, 22 Feb 2024 18:01:40 +0100 +Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe + +Sync access to the underlying `io.Writer` with a mutex. + +Upstream-Status: Backport [https://github.com/moby/moby/commit/8e3bcf197488] +CVE: CVE-2024-36623 + +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> +(cherry picked from commit 5689dabfb357b673abdb4391eef426f297d7d1bb) +Signed-off-by: Albin Kerouanton <albinker@gmail.com> +(cherry picked from commit 8e3bcf19748838b30e34d612832d1dc9d90363b8) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + pkg/streamformatter/streamformatter.go | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go +index b0456e580d..098df6b523 100644 +--- a/pkg/streamformatter/streamformatter.go ++++ b/pkg/streamformatter/streamformatter.go +@@ -5,6 +5,7 @@ import ( + "encoding/json" + "fmt" + "io" ++ "sync" + + "github.com/docker/docker/pkg/jsonmessage" + "github.com/docker/docker/pkg/progress" +@@ -109,6 +110,7 @@ type progressOutput struct { + sf formatProgress + out io.Writer + newLines bool ++ mu sync.Mutex + } + + // WriteProgress formats progress information from a ProgressReader. +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { + jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} + formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) + } ++ ++ out.mu.Lock() ++ defer out.mu.Unlock() + _, err := out.out.Write(formatted) + if err != nil { + return err +-- +2.44.1 -- 2.44.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* [meta-virtualization] [scarthgap] [PATCH v4] docker-moby 25.0.3: fix CVE-2024-36623 2025-09-04 9:13 ` [meta-virtualization] [scarthgap] [PATCH v3] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-09-24 17:53 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2025-10-14 18:09 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 0 siblings, 1 reply; 11+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-09-24 17:53 UTC (permalink / raw) To: meta-virtualization From: Sudhir Dumbhare <sudumbha@cisco.com> Upstream Repository: https://github.com/moby/moby.git Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36623 Type: Security Fix CVE: CVE-2024-36623 Score: 8.1 Patch: https://github.com/moby/moby/commit/8e3bcf197488 Analysis: - Moby through v25.0.3 has a race condition vulnerability in the streamformatter package. It can trigger multiple concurrent write operations resulting in data corruption. [1] - The fix adds a mutex to prevent concurrent writes and protect against data corruption. [2] Reference: [1] https://nvd.nist.gov/vuln/detail/CVE-2024-36623 [2] https://github.com/moby/moby/commit/8e3bcf197488 Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> --- Changes in v4: * Fix non-ASCII Changes in v3: * Fix patch format Changes in v2: * Fix from identity * Clean up whitespace recipes-containers/docker/docker-moby_git.bb | 1 + .../docker/files/CVE-2024-36623.patch | 55 +++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 recipes-containers/docker/files/CVE-2024-36623.patch diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb index d274b002..624da11c 100644 --- a/recipes-containers/docker/docker-moby_git.bb +++ b/recipes-containers/docker/docker-moby_git.bb @@ -58,6 +58,7 @@ SRC_URI = "\ file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ file://CVE-2024-36620.patch;patchdir=src/import \ file://CVE-2024-36621.patch;patchdir=src/import \ + file://CVE-2024-36623.patch;patchdir=src/import \ " DOCKER_COMMIT = "${SRCREV_moby}" diff --git a/recipes-containers/docker/files/CVE-2024-36623.patch b/recipes-containers/docker/files/CVE-2024-36623.patch new file mode 100644 index 00000000..6b2be770 --- /dev/null +++ b/recipes-containers/docker/files/CVE-2024-36623.patch @@ -0,0 +1,55 @@ +From 3d0828dcdd9fbbd997231013ff2dabb9dd320558 Mon Sep 17 00:00:00 2001 +From: Paweł Gronowski <pawel.gronowski@docker.com> +Date: Thu, 22 Feb 2024 18:01:40 +0100 +Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Sync access to the underlying `io.Writer` with a mutex. + +Upstream-Status: Backport [https://github.com/moby/moby/commit/8e3bcf197488] +CVE: CVE-2024-36623 + +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> +(cherry picked from commit 5689dabfb357b673abdb4391eef426f297d7d1bb) +Signed-off-by: Albin Kerouanton <albinker@gmail.com> +(cherry picked from commit 8e3bcf19748838b30e34d612832d1dc9d90363b8) +Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com> +--- + pkg/streamformatter/streamformatter.go | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go +index b0456e580d..098df6b523 100644 +--- a/pkg/streamformatter/streamformatter.go ++++ b/pkg/streamformatter/streamformatter.go +@@ -5,6 +5,7 @@ import ( + "encoding/json" + "fmt" + "io" ++ "sync" + + "github.com/docker/docker/pkg/jsonmessage" + "github.com/docker/docker/pkg/progress" +@@ -109,6 +110,7 @@ type progressOutput struct { + sf formatProgress + out io.Writer + newLines bool ++ mu sync.Mutex + } + + // WriteProgress formats progress information from a ProgressReader. +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { + jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} + formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) + } ++ ++ out.mu.Lock() ++ defer out.mu.Unlock() + _, err := out.out.Write(formatted) + if err != nil { + return err +-- +2.44.1 + -- 2.44.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [meta-virtualization] [scarthgap] [PATCH v4] docker-moby 25.0.3: fix CVE-2024-36623 2025-09-24 17:53 ` [meta-virtualization] [scarthgap] [PATCH v4] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-10-14 18:09 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) 2025-10-14 20:35 ` Bruce Ashfield 0 siblings, 1 reply; 11+ messages in thread From: Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-10-14 18:09 UTC (permalink / raw) To: meta-virtualization ping ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [meta-virtualization] [scarthgap] [PATCH v4] docker-moby 25.0.3: fix CVE-2024-36623 2025-10-14 18:09 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) @ 2025-10-14 20:35 ` Bruce Ashfield 0 siblings, 0 replies; 11+ messages in thread From: Bruce Ashfield @ 2025-10-14 20:35 UTC (permalink / raw) To: sudumbha; +Cc: meta-virtualization [-- Attachment #1: Type: text/plain, Size: 866 bytes --] All of your patches come through corrupted. Cheers, Bruce On Tue, Oct 14, 2025 at 2:09 PM Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.yoctoproject.org <sudumbha= cisco.com@lists.yoctoproject.org> wrote: > ping > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#9418): > https://lists.yoctoproject.org/g/meta-virtualization/message/9418 > Mute This Topic: https://lists.yoctoproject.org/mt/115416924/1050810 > Group Owner: meta-virtualization+owner@lists.yoctoproject.org > Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [ > bruce.ashfield@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > > -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II [-- Attachment #2: Type: text/html, Size: 2130 bytes --] ^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2025-10-14 20:35 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CADkTA4OB4YTqY9_TZjX0YiHsXjaFezoKO1W5x7M1H_PeQ8hV-A@@cisco.com>
2025-07-31 21:31 ` [meta-virtualization] [scarthgap] [PATCH] docker-moby 25.0.3: fix CVE-2024-36623 Sudhir Dumbhare
2025-08-04 12:54 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-08-04 13:04 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-08-25 10:57 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-08-25 10:59 ` Bruce Ashfield
2025-09-03 17:08 ` [meta-virtualization] [scarthgap] [PATCH v2] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-09-04 0:03 ` Bruce Ashfield
2025-09-04 9:13 ` [meta-virtualization] [scarthgap] [PATCH v3] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-09-24 17:53 ` [meta-virtualization] [scarthgap] [PATCH v4] " Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-10-14 18:09 ` Sudhir Dumbhare -X (sudumbha - E INFOCHIPS PRIVATE LIMITED at Cisco)
2025-10-14 20:35 ` Bruce Ashfield
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.