From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: sdoshi@mvista.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][scarthgap][PATCH] docker-moby: Security fix for CVE-2024-41110
Date: Mon, 9 Feb 2026 20:16:04 +0000 [thread overview]
Message-ID: <aYpAhI4cIs3g5iOV@gmail.com> (raw)
In-Reply-To: <20260204180523.368701-1-sdoshi@mvista.com>
This doesn't apply on top of the scarthgap I just pushed,
can you rebase and resubmit ?
Bruce
In message: [meta-virtualization][scarthgap][PATCH] docker-moby: Security fix for CVE-2024-41110
on 04/02/2026 Siddharth Doshi via lists.yoctoproject.org wrote:
> From: Siddharth Doshi <sdoshi@mvista.com>
>
> The patches are taken from LTS branch 20.10 of moby.
>
> Upstream-Status: Backport from [https://github.com/moby/moby/commit/88c4b7690840044ce15489699294ec7c5dadf5dd]
>
> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> ---
> recipes-containers/docker/docker-moby_git.bb | 2 +
> .../docker/files/CVE-2024-41110_1.patch | 177 ++++++++++++++++++
> .../docker/files/CVE-2024-41110_2.patch | 99 ++++++++++
> 3 files changed, 278 insertions(+)
> create mode 100644 recipes-containers/docker/files/CVE-2024-41110_1.patch
> create mode 100644 recipes-containers/docker/files/CVE-2024-41110_2.patch
>
> diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
> index d274b002..c28749dd 100644
> --- a/recipes-containers/docker/docker-moby_git.bb
> +++ b/recipes-containers/docker/docker-moby_git.bb
> @@ -58,6 +58,8 @@ SRC_URI = "\
> file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
> file://CVE-2024-36620.patch;patchdir=src/import \
> file://CVE-2024-36621.patch;patchdir=src/import \
> + file://CVE-2024-41110_1.patch;patchdir=src/import \
> + file://CVE-2024-41110_2.patch;patchdir=src/import \
> "
>
> DOCKER_COMMIT = "${SRCREV_moby}"
> diff --git a/recipes-containers/docker/files/CVE-2024-41110_1.patch b/recipes-containers/docker/files/CVE-2024-41110_1.patch
> new file mode 100644
> index 00000000..7f74348a
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2024-41110_1.patch
> @@ -0,0 +1,177 @@
> +From 88c4b7690840044ce15489699294ec7c5dadf5dd Mon Sep 17 00:00:00 2001
> +From: Jameson Hyde <jameson.hyde@docker.com>
> +Date: Mon, 26 Nov 2018 14:15:22 -0500
> +Subject: [PATCH] Authz plugin security fixes for 0-length content and path
> + validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +fix comments
> +
> +(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e)
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +(cherry picked from commit 2ac8a479c53d9b8e67c55f1e283da9d85d2b3415)
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +
> +Upstream-Status: Backport from [https://github.com/moby/moby/commit/88c4b7690840044ce15489699294ec7c5dadf5dd]
> +CVE: CVE-2024-41110
> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> +---
> + pkg/authorization/authz.go | 38 ++++++++++++++++++---
> + pkg/authorization/authz_unix_test.go | 49 ++++++++++++++++++++++++++--
> + 2 files changed, 80 insertions(+), 7 deletions(-)
> +
> +diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
> +index 1eb44315dd..4c2e90b251 100644
> +--- a/pkg/authorization/authz.go
> ++++ b/pkg/authorization/authz.go
> +@@ -8,6 +8,8 @@ import (
> + "io"
> + "mime"
> + "net/http"
> ++ "net/url"
> ++ "regexp"
> + "strings"
> +
> + "github.com/containerd/log"
> +@@ -53,10 +55,23 @@ type Ctx struct {
> + authReq *Request
> + }
> +
> ++func isChunked(r *http.Request) bool {
> ++ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
> ++ if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
> ++ return true
> ++ }
> ++ for _, v := range r.TransferEncoding {
> ++ if 0 == strings.Compare(strings.ToLower(v), "chunked") {
> ++ return true
> ++ }
> ++ }
> ++ return false
> ++}
> ++
> + // AuthZRequest authorized the request to the docker daemon using authZ plugins
> + func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
> + var body []byte
> +- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
> ++ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
> + var err error
> + body, r.Body, err = drainBody(r.Body)
> + if err != nil {
> +@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
> + if sendBody(ctx.requestURI, rm.Header()) {
> + ctx.authReq.ResponseBody = rm.RawBody()
> + }
> +-
> + for _, plugin := range ctx.plugins {
> + log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())
> +
> +@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
> + return nil, newBody, err
> + }
> +
> ++func isAuthEndpoint(urlPath string) (bool, error) {
> ++ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
> ++ matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath)
> ++ if err != nil {
> ++ return false, err
> ++ }
> ++ return matched, nil
> ++}
> ++
> + // sendBody returns true when request/response body should be sent to AuthZPlugin
> +-func sendBody(url string, header http.Header) bool {
> ++func sendBody(inURL string, header http.Header) bool {
> ++ u, err := url.Parse(inURL)
> ++ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
> ++ if err != nil {
> ++ return false
> ++ }
> ++
> + // Skip body for auth endpoint
> +- if strings.HasSuffix(url, "/auth") {
> ++ isAuth, err := isAuthEndpoint(u.Path)
> ++ if isAuth || err != nil {
> + return false
> + }
> +
> +diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
> +index c9b18d96e9..275f1dd3d0 100644
> +--- a/pkg/authorization/authz_unix_test.go
> ++++ b/pkg/authorization/authz_unix_test.go
> +@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
> +
> + func TestSendBody(t *testing.T) {
> + var (
> +- url = "nothing.com"
> + testcases = []struct {
> ++ url string
> + contentType string
> + expected bool
> + }{
> +@@ -219,15 +219,58 @@ func TestSendBody(t *testing.T) {
> + contentType: "",
> + expected: false,
> + },
> ++ {
> ++ url: "nothing.com/auth",
> ++ contentType: "",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "nothing.com/auth",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "nothing.com/auth?p1=test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "nothing.com/test?p1=/auth",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: true,
> ++ },
> ++ {
> ++ url: "nothing.com/something/auth",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: true,
> ++ },
> ++ {
> ++ url: "nothing.com/auth/test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "nothing.com/v1.24/auth/test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "nothing.com/v1/auth/test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> + }
> + )
> +
> + for _, testcase := range testcases {
> + header := http.Header{}
> + header.Set("Content-Type", testcase.contentType)
> ++ if testcase.url == "" {
> ++ testcase.url = "nothing.com"
> ++ }
> +
> +- if b := sendBody(url, header); b != testcase.expected {
> +- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
> ++ if b := sendBody(testcase.url, header); b != testcase.expected {
> ++ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
> + }
> + }
> + }
> +--
> +2.44.4
> +
> diff --git a/recipes-containers/docker/files/CVE-2024-41110_2.patch b/recipes-containers/docker/files/CVE-2024-41110_2.patch
> new file mode 100644
> index 00000000..48f21b52
> --- /dev/null
> +++ b/recipes-containers/docker/files/CVE-2024-41110_2.patch
> @@ -0,0 +1,99 @@
> +From 8fc313c00169d14f1712d5661306d9e0c8838257 Mon Sep 17 00:00:00 2001
> +From: Jameson Hyde <jameson.hyde@docker.com>
> +Date: Sat, 1 Dec 2018 11:25:49 -0500
> +Subject: [PATCH 2/2] If url includes scheme, urlPath will drop hostname, which
> + would not match the auth check
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
> +(cherry picked from commit 754fb8d9d03895ae3ab60d2ad778152b0d835206)
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +(cherry picked from commit 5282cb25d09db924fa92fdb8fb7a9bd20bb845b7)
> +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
> +
> +Upstream-Status: Backport from [https://github.com/moby/moby/commit/7ff423cc1c991d8dc0a7b5d1d93e1cf3efaac169]
> +CVE: CVE-2024-41110
> +Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
> +---
> + pkg/authorization/authz.go | 6 ++---
> + pkg/authorization/authz_unix_test.go | 35 ++++++++++++++++++++++++++++
> + 2 files changed, 38 insertions(+), 3 deletions(-)
> +
> +diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
> +index 4c2e90b251..d568a2b597 100644
> +--- a/pkg/authorization/authz.go
> ++++ b/pkg/authorization/authz.go
> +@@ -57,11 +57,11 @@ type Ctx struct {
> +
> + func isChunked(r *http.Request) bool {
> + // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
> +- if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
> ++ if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
> + return true
> + }
> + for _, v := range r.TransferEncoding {
> +- if 0 == strings.Compare(strings.ToLower(v), "chunked") {
> ++ if strings.EqualFold(v, "chunked") {
> + return true
> + }
> + }
> +@@ -163,7 +163,7 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
> +
> + func isAuthEndpoint(urlPath string) (bool, error) {
> + // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
> +- matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath)
> ++ matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
> + if err != nil {
> + return false, err
> + }
> +diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
> +index 275f1dd3d0..66b4d20452 100644
> +--- a/pkg/authorization/authz_unix_test.go
> ++++ b/pkg/authorization/authz_unix_test.go
> +@@ -259,6 +259,41 @@ func TestSendBody(t *testing.T) {
> + contentType: "application/json;charset=UTF8",
> + expected: false,
> + },
> ++ {
> ++ url: "www.nothing.com/v1.24/auth/test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "https://www.nothing.com/v1.24/auth/test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "http://nothing.com/v1.24/auth/test",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: false,
> ++ },
> ++ {
> ++ url: "www.nothing.com/test?p1=/auth",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: true,
> ++ },
> ++ {
> ++ url: "http://www.nothing.com/test?p1=/auth",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: true,
> ++ },
> ++ {
> ++ url: "www.nothing.com/something/auth",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: true,
> ++ },
> ++ {
> ++ url: "https://www.nothing.com/something/auth",
> ++ contentType: "application/json;charset=UTF8",
> ++ expected: true,
> ++ },
> + }
> + )
> +
> +--
> +2.44.4
> +
> --
> 2.34.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9556): https://lists.yoctoproject.org/g/meta-virtualization/message/9556
> Mute This Topic: https://lists.yoctoproject.org/mt/117639261/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
next prev parent reply other threads:[~2026-02-09 20:16 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-04 18:05 [meta-virtualization][scarthgap][PATCH] docker-moby: Security fix for CVE-2024-41110 Siddharth
2026-02-09 20:16 ` Bruce Ashfield [this message]
2026-02-11 17:57 ` [scarthgap][PATCH] " Siddharth Doshi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aYpAhI4cIs3g5iOV@gmail.com \
--to=bruce.ashfield@gmail.com \
--cc=meta-virtualization@lists.yoctoproject.org \
--cc=sdoshi@mvista.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.