From: Sudhir Dumbhare <sudum...@cisco.com>
Upstream Repository: https://github.com/moby/moby.git
Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36623 Type: Security Fix CVE: CVE-2024-36623 Score: 8.1 Patch: https://github.com/moby/moby/commit/8e3bcf197488 Analysis: - Moby through v25.0.3 has a race condition vulnerability in the streamformatter package. It can trigger multiple concurrent write operations resulting in data corruption. [1] - The fix adds a mutex to prevent concurrent writes and protect against data corruption. [2] Reference: [1] https://nvd.nist.gov/vuln/detail/CVE-2024-36623 [2] https://github.com/moby/moby/commit/8e3bcf197488 Signed-off-by: Sudhir Dumbhare <sudum...@cisco.com> --- Changes in v2: * Fix from identity * Clean up whitespace recipes-containers/docker/docker-moby_git.bb | 1 + .../docker/files/CVE-2024-36623.patch | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 recipes-containers/docker/files/CVE-2024-36623.patch diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb index d274b002..e1ece0fd 100644 --- a/recipes-containers/docker/docker-moby_git.bb +++ b/recipes-containers/docker/docker-moby_git.bb @@ -58,6 +58,7 @@ SRC_URI = "\ file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ file://CVE-2024-36620.patch;patchdir=src/import \ file://CVE-2024-36621.patch;patchdir=src/import \ + file://CVE-2024-36623.patch;patchdir=src/import \ " DOCKER_COMMIT = "${SRCREV_moby}" diff --git a/recipes-containers/docker/files/CVE-2024-36623.patch b/recipes-containers/docker/files/CVE-2024-36623.patch new file mode 100644 index 00000000..3878a8b1 --- /dev/null +++ b/recipes-containers/docker/files/CVE-2024-36623.patch 
@@ -0,0 +1,47 @@ +commit 5becb76fa5a5cb9de135b82017dbc7da7d345614 +Author: Paweł Gronowski <pawel.gronow...@docker.com> +Date: Thu Feb 22 18:01:40 2024 +0100 + + pkg/streamformatter: Make `progressOutput` concurrency safe + + Sync access to the underlying `io.Writer` with a mutex. + + Upstream-Status: Backport [https://github.com/moby/moby/commit/8e3bcf197488] + CVE: CVE-2024-36623 + + Signed-off-by: Paweł Gronowski <pawel.gronow...@docker.com> + (cherry picked from commit 5689dabfb357b673abdb4391eef426f297d7d1bb) + Signed-off-by: Albin Kerouanton <albin...@gmail.com> + (cherry picked from commit 8e3bcf19748838b30e34d612832d1dc9d90363b8) + Signed-off-by: Sudhir Dumbhare <sudum...@cisco.com> + +diff --git a/pkg/streamformatter/streamformatter.go b/pkg/streamformatter/streamformatter.go +index b0456e580d..098df6b523 100644 +--- a/pkg/streamformatter/streamformatter.go ++++ b/pkg/streamformatter/streamformatter.go +@@ -5,6 +5,7 @@ import ( + "encoding/json" + "fmt" + "io" ++ "sync" + + "github.com/docker/docker/pkg/jsonmessage" + "github.com/docker/docker/pkg/progress" +@@ -109,6 +110,7 @@ type progressOutput struct { + sf formatProgress + out io.Writer + newLines bool ++ mu sync.Mutex + } + + // WriteProgress formats progress information from a ProgressReader. +@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error { + jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units} + formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux) + } ++ ++ out.mu.Lock() ++ defer out.mu.Unlock() + _, err := out.out.Write(formatted) + if err != nil { + return err -- 2.23.1
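Review bot: on the docker-moby_git.bb hunk, the new `file://CVE-2024-36623.patch;patchdir=src/import` entry matches the two sibling CVE entries above it, so nothing to change in the recipe itself; but because the recipe pins its source via `DOCKER_COMMIT = "${SRCREV_moby}"`, please state in the cover letter which SRCREV the backport was tested against, so reviewers can confirm that pinned tree still carries the unsynchronized `progressOutput.WriteProgress` and that the patch applies cleanly rather than being silently skipped or fuzzed.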
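Review bot: on the `type progressOutput struct` hunk, `mu sync.Mutex` is stored by value, so a `progressOutput` must never be copied after first use; the pointer receiver in the following hunk (`func (out *progressOutput) WriteProgress`) is consistent with that, but please confirm the constructor in this file returns `*progressOutput` and not a value, and run `go vet` (copylocks) on the patched tree. A one-line comment such as `mu sync.Mutex // guards writes to out` would also make the invariant explicit for the next backport.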
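Review bot: on the `WriteProgress` hunk, taking the lock after formatting and releasing it with `defer out.mu.Unlock()` is the right shape: the critical section covers every write for the rest of the function, including any follow-up write that the `newLines` field implies after the `return err` the hunk ends on. What the hunk cannot show is the remainder of the function and the rest of the file, so please check that no other method of `progressOutput` writes to `out.out` without taking `mu`, and that no code path returns between `out.mu.Lock()` and the deferred unlock in a way that skips the second write; otherwise the fix only serializes the first write.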
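To make the race the analysis describes concrete, here is an added Go example; it is not code from moby or from this patch. It models a `progressOutput`-like type whose `WriteProgress` is shared by several goroutines, with a `locked` switch selecting the pre-fix path (no mutex around the write) or the fixed path. The `chunkedWriter`, the `progressMsg` field names and the `layerNN` ids are assumptions made for the demonstration; the writer delivers one byte at a time so that, without the mutex, bytes of two records interleave and the JSON lines reaching the client are corrupted, which is the message-level damage the race detector alone would not report.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"runtime"
	"sync"
)

// progressMsg is an assumed, simplified stand-in for the JSON progress record
// the real streamformatter emits; the field names are illustrative only.
type progressMsg struct {
	ID      string `json:"id"`
	Current int64  `json:"current"`
	Total   int64  `json:"total"`
}

// chunkedWriter stands in for the response body the daemon streams to.
// It delivers each call one byte at a time and yields between bytes, so two
// callers writing "at the same time" interleave their bytes. Its own mutex
// keeps the buffer free of memory-level data races: the corruption we want
// to expose is at the message level, which `go test -race` does not see.
type chunkedWriter struct {
	mu  sync.Mutex
	buf bytes.Buffer
}

func (w *chunkedWriter) Write(p []byte) (int, error) {
	for _, b := range p {
		w.mu.Lock()
		w.buf.WriteByte(b)
		w.mu.Unlock()
		runtime.Gosched()
	}
	return len(p), nil
}

// progressOutput mirrors the patched type's shape. locked=false reproduces
// the pre-fix behaviour (no mutex around out.Write); locked=true is the fix.
type progressOutput struct {
	out    io.Writer
	locked bool
	mu     sync.Mutex // guards writes to out (by value: never copy this struct)
}

func (o *progressOutput) WriteProgress(id string, current, total int64) error {
	formatted, err := json.Marshal(progressMsg{ID: id, Current: current, Total: total})
	if err != nil {
		return err
	}
	formatted = append(formatted, '\n')
	if o.locked {
		o.mu.Lock()
		defer o.mu.Unlock() // held until return, so any later write is covered too
	}
	_, err = o.out.Write(formatted)
	return err
}

// runWriters starts `writers` goroutines that each emit `n` progress records
// through one shared progressOutput and returns the byte stream that reached
// the writer once all of them are done (wg.Wait orders the final read).
func runWriters(locked bool, writers, n int) []byte {
	cw := &chunkedWriter{}
	out := &progressOutput{out: cw, locked: locked}
	var wg sync.WaitGroup
	for w := 0; w < writers; w++ {
		wg.Add(1)
		go func(id string) {
			defer wg.Done()
			for i := 0; i < n; i++ {
				_ = out.WriteProgress(id, int64(i+1), int64(n))
			}
		}(fmt.Sprintf("layer%02d", w)) // constructed ids
	}
	wg.Wait()
	return cw.buf.Bytes()
}

// countRecords splits the stream into newline-terminated records and reports
// how many there are and how many fail to decode as a progressMsg.
func countRecords(stream []byte) (total, corrupted int) {
	sc := bufio.NewScanner(bytes.NewReader(stream))
	for sc.Scan() {
		total++
		var m progressMsg
		if err := json.Unmarshal(sc.Bytes(), &m); err != nil {
			corrupted++
		}
	}
	return total, corrupted
}

func main() {
	for _, locked := range []bool{false, true} {
		total, bad := countRecords(runWriters(locked, 8, 50))
		fmt.Printf("mutex=%-5v records=%d corrupted=%d\n", locked, total, bad)
	}
}
```

With the mutex, every one of the 400 records decodes; without it, the count of corrupted lines depends on scheduling, which is exactly why the bug shows up intermittently on real pull and build output rather than on every run.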
View/Reply Online (#9365): https://lists.yoctoproject.org/g/meta-virtualization/message/9365