Package: release.debian.org Severity: normal Tags: bookworm X-Debbugs-Cc: docker...@packages.debian.org, secur...@debian.org Control: affects -1 + src:docker.io User: release.debian....@packages.debian.org Usertags: pu Control: tags -1 + security
[ Reason ] CVE-2024-41110 [ Impact ] Authentification bypass [ Tests ] Yes added to test suite [ Risks ] Low code is tested. Patch is official [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] - Fix CVE-2024-41110 - Fix of salsaCI to bookworm [ Other info ] May be worth a DSA due to popcon
diff -Nru docker.io-20.10.24+dfsg1/debian/changelog docker.io-20.10.24+dfsg1/debian/changelog --- docker.io-20.10.24+dfsg1/debian/changelog 2023-04-05 15:19:59.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/changelog 2024-10-12 15:19:49.000000000 +0000 @@ -1,3 +1,15 @@ +docker.io (20.10.24+dfsg1-1+deb12u1) bookworm-security; urgency=high + + * Team upload + * Fix CVE-2024-41110: Authz zero length regression + A security vulnerability has been detected in Docker Engine, + which could allow an attacker + to bypass authorization plugins (AuthZ) under specific + circumstances. The base likelihood of this being exploited is low. + (Closes: #1084993) + + -- Bastien Roucari??s <ro...@debian.org> Sat, 12 Oct 2024 15:19:49 +0000 + docker.io (20.10.24+dfsg1-1) unstable; urgency=medium * Team upload. diff -Nru docker.io-20.10.24+dfsg1/debian/gbp.conf docker.io-20.10.24+dfsg1/debian/gbp.conf --- docker.io-20.10.24+dfsg1/debian/gbp.conf 2023-01-14 08:55:59.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/gbp.conf 2024-10-12 15:19:49.000000000 +0000 @@ -1,2 +1,2 @@ [DEFAULT] -debian-branch = master +debian-branch = debian/bookworm diff -Nru docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml --- docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml 2023-01-14 08:55:59.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml 1970-01-01 00:00:00.000000000 +0000 @@ -1,29 +0,0 @@ ---- -# https://docs.gitlab.com/ce/ci/yaml/#include -include: - - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml - -## "amd64-unstable" always runs by default followed by lintian. - -## Only for arch:all packages: -binary-indep: - extends: .build-indep - -## Job to check Build-Depends versioning: -amd64-testing_unstable: - extends: .build - variables: - arch: amd64 - dist: testing_unstable - -i386-unstable: - extends: .build - variables: - arch: i386 - dist: unstable - -amd64-experimental: - extends: .build - variables: - arch: amd64 - dist: experimental diff -Nru docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml --- docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml 2023-01-14 08:55:59.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml 2024-10-12 15:19:49.000000000 +0000 @@ -4,3 +4,5 @@ --- include: - https://salsa.debian.org/go-team/infra/pkg-go-tools/-/raw/master/pipeline/test-archive.yml +variables: + RELEASE: 'bookworm' diff -Nru docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch --- docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch 1970-01-01 00:00:00.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch 2024-10-12 15:19:49.000000000 +0000 @@ -0,0 +1,180 @@ +From 88c4b7690840044ce15489699294ec7c5dadf5dd Mon Sep 17 00:00:00 2001 +From: Jameson Hyde <jameson.h...@docker.com> +Date: Mon, 26 Nov 2018 14:15:22 -0500 +Subject: CVE-2024-41110 [PATCH] Authz plugin security fixes for 0-length content and path + validation Signed-off-by: Jameson Hyde <jameson.h...@docker.com> +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +fix comments + +[debian description] +A security vulnerability has been detected in certain versions of Docker Engine, +which could allow an attacker to bypass authorization plugins (AuthZ) +under specific circumstances. The base likelihood of this being exploited +is low. + +(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e) +Signed-off-by: Pawe?? Gronowski <pawel.gronow...@docker.com> +(cherry picked from commit 2ac8a479c53d9b8e67c55f1e283da9d85d2b3415) +Signed-off-by: Pawe?? Gronowski <pawel.gronow...@docker.com> +origin: https://github.com/moby/moby/commit/88c4b7690840044ce15489699294ec7c5dadf5dd +debian-bug: https://bugs.debian.org/1084993 +bug: https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq +--- + pkg/authorization/authz.go | 38 ++++++++++++++++++--- + pkg/authorization/authz_unix_test.go | 49 ++++++++++++++++++++++++++-- + 2 files changed, 80 insertions(+), 7 deletions(-) + +diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go +index 590ac8dddd883..da748865dd9e2 100644 +--- a/engine/pkg/authorization/authz.go ++++ b/engine/pkg/authorization/authz.go +@@ -7,6 +7,8 @@ import ( + "io" + "mime" + "net/http" ++ "net/url" ++ "regexp" + "strings" + + "github.com/docker/docker/pkg/ioutils" +@@ -52,10 +54,23 @@ type Ctx struct { + authReq *Request + } + ++func isChunked(r *http.Request) bool { ++ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked ++ if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" { ++ return true ++ } ++ for _, v := range r.TransferEncoding { ++ if 0 == strings.Compare(strings.ToLower(v), "chunked") { ++ return true ++ } ++ } ++ return false ++} ++ + // AuthZRequest authorized the request to the docker daemon using authZ plugins + func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error { + var body []byte +- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize { ++ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize { + var err error + body, r.Body, err = drainBody(r.Body) + if err != nil { +@@ -108,7 +123,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error { + if sendBody(ctx.requestURI, rm.Header()) { + ctx.authReq.ResponseBody = rm.RawBody() + } +- + for _, plugin := range ctx.plugins { + logrus.Debugf("AuthZ response using plugin %s", plugin.Name()) + +@@ -146,10 +160,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) { + return nil, newBody, err + } + ++func isAuthEndpoint(urlPath string) (bool, error) { ++ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional) ++ matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath) ++ if err != nil { ++ return false, err ++ } ++ return matched, nil ++} ++ + // sendBody returns true when request/response body should be sent to AuthZPlugin +-func sendBody(url string, header http.Header) bool { ++func sendBody(inURL string, header http.Header) bool { ++ u, err := url.Parse(inURL) ++ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected ++ if err != nil { ++ return false ++ } ++ + // Skip body for auth endpoint +- if strings.HasSuffix(url, "/auth") { ++ isAuth, err := isAuthEndpoint(u.Path) ++ if isAuth || err != nil { + return false + } + +diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go +index 835cb703839be..1fce6d03b76a8 100644 +--- a/engine/pkg/authorization/authz_unix_test.go ++++ b/engine/pkg/authorization/authz_unix_test.go +@@ -175,8 +175,8 @@ func TestDrainBody(t *testing.T) { + + func TestSendBody(t *testing.T) { + var ( +- url = "nothing.com" + testcases = []struct { ++ url string + contentType string + expected bool + }{ +@@ -220,15 +220,58 @@ func TestSendBody(t *testing.T) { + contentType: "", + expected: false, + }, ++ { ++ url: "nothing.com/auth", ++ contentType: "", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/auth?p1=test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/test?p1=/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "nothing.com/something/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "nothing.com/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/v1.24/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/v1/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, + } + ) + + for _, testcase := range testcases { + header := http.Header{} + header.Set("Content-Type", testcase.contentType) ++ if testcase.url == "" { ++ testcase.url = "nothing.com" ++ } + +- if b := sendBody(url, header); b != testcase.expected { +- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b) ++ if b := sendBody(testcase.url, header); b != testcase.expected { ++ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b) + } + } + } + diff -Nru docker.io-20.10.24+dfsg1/debian/patches/series docker.io-20.10.24+dfsg1/debian/patches/series --- docker.io-20.10.24+dfsg1/debian/patches/series 2023-01-20 08:06:33.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/patches/series 2024-10-12 15:19:49.000000000 +0000 @@ -29,3 +29,4 @@ test--skip-TestGetRootUIDGID.patch test--skip-TestStateRunStop.patch avoid-consul.patch +CVE-2024-41110.patch
signature.asc
Description: This is a digitally signed message part.
