Your message dated Sat, 09 Nov 2024 10:51:02 +0000
with message-id 
<b0a29248bc631362ed06a8879f93b8cdae5414d0.ca...@adam-barratt.org.uk>
and subject line Closing bugs released with 12.8
has caused the Debian Bug report #1085026,
regarding bookworm-pu: package docker.io/20.10.24+dfsg1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1085026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085026
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: docker...@packages.debian.org, secur...@debian.org
Control: affects -1 + src:docker.io
User: release.debian....@packages.debian.org
Usertags: pu
Control: tags -1 + security


[ Reason ]
CVE-2024-41110

[ Impact ]
Authentication bypass

[ Tests ]
Yes, added to test suite

[ Risks ]
Low; code is tested. Patch is official.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- Fix CVE-2024-41110
- Fix of salsaCI to bookworm

[ Other info ]
May be worth a DSA due to popcon
diff -Nru docker.io-20.10.24+dfsg1/debian/changelog docker.io-20.10.24+dfsg1/debian/changelog
--- docker.io-20.10.24+dfsg1/debian/changelog	2023-04-05 15:19:59.000000000 +0000
+++ docker.io-20.10.24+dfsg1/debian/changelog	2024-10-12 15:19:49.000000000 +0000
@@ -1,3 +1,15 @@
+docker.io (20.10.24+dfsg1-1+deb12u1) bookworm-security; urgency=high
+
+  * Team upload
+  * Fix CVE-2024-41110: Authz zero length regression
+    A security vulnerability has been detected in Docker Engine,
+    which could allow an attacker
+    to bypass authorization plugins (AuthZ) under specific
+    circumstances. The base likelihood of this being exploited is low.
+    (Closes: #1084993)
+
+ -- Bastien Roucari??s <ro...@debian.org>  Sat, 12 Oct 2024 15:19:49 +0000
+
 docker.io (20.10.24+dfsg1-1) unstable; urgency=medium
 
   * Team upload.
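Review bot: the distribution field in the new changelog stanza is `bookworm-security`, but this request is filed as a bookworm-pu (proposed-updates) upload; a pu upload must target `bookworm`, and `bookworm-security` is only right if the security team takes it as a DSA, which the [ Other info ] section leaves open. Settle that before uploading, since an upload aimed at the wrong suite is rejected or misrouted.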
diff -Nru docker.io-20.10.24+dfsg1/debian/gbp.conf docker.io-20.10.24+dfsg1/debian/gbp.conf
--- docker.io-20.10.24+dfsg1/debian/gbp.conf	2023-01-14 08:55:59.000000000 +0000
+++ docker.io-20.10.24+dfsg1/debian/gbp.conf	2024-10-12 15:19:49.000000000 +0000
@@ -1,2 +1,2 @@
 [DEFAULT]
-debian-branch = master
+debian-branch = debian/bookworm
diff -Nru docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml
--- docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml	2023-01-14 08:55:59.000000000 +0000
+++ docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml	1970-01-01 00:00:00.000000000 +0000
@@ -1,29 +0,0 @@
----
-# https://docs.gitlab.com/ce/ci/yaml/#include
-include:
-  - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml
-
-## "amd64-unstable" always runs by default followed by lintian.
-
-## Only for arch:all packages:
-binary-indep:
-  extends: .build-indep
-
-## Job to check Build-Depends versioning:
-amd64-testing_unstable:
-  extends: .build
-  variables:
-    arch: amd64
-    dist: testing_unstable
-
-i386-unstable:
-  extends: .build
-  variables:
-    arch: i386
-    dist: unstable
-
-amd64-experimental:
-  extends: .build
-  variables:
-    arch: amd64
-    dist: experimental
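Review bot: this removal of debian/.gitlab-ci.yml (the onlyjob-ci based pipeline), together with the gbp.conf branch change and the new `RELEASE` variable in debian/gitlab-ci.yml, is not mentioned in the new d/changelog stanza, although the checklist states that all changes are documented there; add a changelog line such as `* Adjust Salsa CI and gbp.conf for the debian/bookworm branch` so the debdiff can be matched against the changelog. Dropping the file itself is reasonable, since debian/gitlab-ci.yml already pulls in the go-team pipeline.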
diff -Nru docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml
--- docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml	2023-01-14 08:55:59.000000000 +0000
+++ docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml	2024-10-12 15:19:49.000000000 +0000
@@ -4,3 +4,5 @@
 ---
 include:
   - https://salsa.debian.org/go-team/infra/pkg-go-tools/-/raw/master/pipeline/test-archive.yml
+variables:
+  RELEASE: 'bookworm'
diff -Nru docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch
--- docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch	1970-01-01 00:00:00.000000000 +0000
+++ docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch	2024-10-12 15:19:49.000000000 +0000
@@ -0,0 +1,180 @@
+From 88c4b7690840044ce15489699294ec7c5dadf5dd Mon Sep 17 00:00:00 2001
+From: Jameson Hyde <jameson.h...@docker.com>
+Date: Mon, 26 Nov 2018 14:15:22 -0500
+Subject: CVE-2024-41110 [PATCH] Authz plugin security fixes for 0-length content and path
+ validation Signed-off-by: Jameson Hyde <jameson.h...@docker.com>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+fix comments
+
+[debian description]
+A security vulnerability has been detected in certain versions of Docker Engine,
+which could allow an attacker to bypass authorization plugins (AuthZ)
+under specific circumstances. The base likelihood of this being exploited
+is low.
+
+(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e)
+Signed-off-by: Pawe?? Gronowski <pawel.gronow...@docker.com>
+(cherry picked from commit 2ac8a479c53d9b8e67c55f1e283da9d85d2b3415)
+Signed-off-by: Pawe?? Gronowski <pawel.gronow...@docker.com>
+origin: https://github.com/moby/moby/commit/88c4b7690840044ce15489699294ec7c5dadf5dd
+debian-bug: https://bugs.debian.org/1084993
+bug: https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
+---
+ pkg/authorization/authz.go           | 38 ++++++++++++++++++---
+ pkg/authorization/authz_unix_test.go | 49 ++++++++++++++++++++++++++--
+ 2 files changed, 80 insertions(+), 7 deletions(-)
+
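Review bot: the `Subject:` header of the embedded patch has swallowed the `Signed-off-by:` trailer (the continuation line reads `validation Signed-off-by: Jameson Hyde ...`), and the stray `fix comments` line sits where the commit body should start; move the Signed-off-by after the description so git-am and DEP-3 tooling parse the subject cleanly. The 2018 `Date:` is the original upstream commit date, which is acceptable given the `origin:` line and the cherry-pick trailers.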
+diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
+index 590ac8dddd883..da748865dd9e2 100644
+--- a/engine/pkg/authorization/authz.go
++++ b/engine/pkg/authorization/authz.go
+@@ -7,6 +7,8 @@ import (
+ 	"io"
+ 	"mime"
+ 	"net/http"
++	"net/url"
++	"regexp"
+ 	"strings"
+ 
+ 	"github.com/docker/docker/pkg/ioutils"
+@@ -52,10 +54,23 @@ type Ctx struct {
+ 	authReq *Request
+ }
+ 
++func isChunked(r *http.Request) bool {
++	// RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
++	if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
++		return true
++	}
++	for _, v := range r.TransferEncoding {
++		if 0 == strings.Compare(strings.ToLower(v), "chunked") {
++			return true
++		}
++	}
++	return false
++}
++
+ // AuthZRequest authorized the request to the docker daemon using authZ plugins
+ func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
+ 	var body []byte
+-	if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
++	if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
+ 		var err error
+ 		body, r.Body, err = drainBody(r.Body)
+ 		if err != nil {
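Review bot: with the new condition, a chunked request has `r.ContentLength == -1` in net/http, so `r.ContentLength < maxBodySize` is always true for it and `drainBody` then reads the whole body with no size bound; confirm that drainBody caps what it reads, or wrap the body in `io.LimitReader(r.Body, maxBodySize)` for the chunked case so a large chunked body cannot exhaust daemon memory. Minor style: `0 == strings.Compare(strings.ToLower(v), "chunked")` is clearer as `strings.EqualFold(v, "chunked")`.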
+@@ -108,7 +123,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
+ 	if sendBody(ctx.requestURI, rm.Header()) {
+ 		ctx.authReq.ResponseBody = rm.RawBody()
+ 	}
+-
+ 	for _, plugin := range ctx.plugins {
+ 		logrus.Debugf("AuthZ response using plugin %s", plugin.Name())
+ 
+@@ -146,10 +160,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
+ 	return nil, newBody, err
+ }
+ 
++func isAuthEndpoint(urlPath string) (bool, error) {
++	// eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
++	matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath)
++	if err != nil {
++		return false, err
++	}
++	return matched, nil
++}
++
+ // sendBody returns true when request/response body should be sent to AuthZPlugin
+-func sendBody(url string, header http.Header) bool {
++func sendBody(inURL string, header http.Header) bool {
++	u, err := url.Parse(inURL)
++	// Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
++	if err != nil {
++		return false
++	}
++
+ 	// Skip body for auth endpoint
+-	if strings.HasSuffix(url, "/auth") {
++	isAuth, err := isAuthEndpoint(u.Path)
++	if isAuth || err != nil {
+ 		return false
+ 	}
+ 
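Review bot: `isAuthEndpoint` anchors the regexp at `^[^\/]+\/`, so it requires a non-empty host-like segment before the first slash; that matches the test inputs (`nothing.com/auth`, `nothing.com/v1.24/auth/test`) but would not match a path starting with `/` such as `/v1.24/auth`. Check what `ctx.requestURI` actually holds at the call site, because if it is a request URI with a leading slash the auth body would again be forwarded to plugins. Also, `regexp.MatchString` recompiles the pattern on every request; hoist it into a package-level `regexp.MustCompile` so the cost is paid once and a bad pattern fails at init rather than per call.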
+diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
+index 835cb703839be..1fce6d03b76a8 100644
+--- a/engine/pkg/authorization/authz_unix_test.go
++++ b/engine/pkg/authorization/authz_unix_test.go
+@@ -175,8 +175,8 @@ func TestDrainBody(t *testing.T) {
+ 
+ func TestSendBody(t *testing.T) {
+ 	var (
+-		url       = "nothing.com"
+ 		testcases = []struct {
++			url         string
+ 			contentType string
+ 			expected    bool
+ 		}{
+@@ -220,15 +220,58 @@ func TestSendBody(t *testing.T) {
+ 				contentType: "",
+ 				expected:    false,
+ 			},
++			{
++				url:         "nothing.com/auth",
++				contentType: "",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/auth?p1=test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/test?p1=/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    true,
++			},
++			{
++				url:         "nothing.com/something/auth",
++				contentType: "application/json;charset=UTF8",
++				expected:    true,
++			},
++			{
++				url:         "nothing.com/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/v1.24/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
++			{
++				url:         "nothing.com/v1/auth/test",
++				contentType: "application/json;charset=UTF8",
++				expected:    false,
++			},
+ 		}
+ 	)
+ 
+ 	for _, testcase := range testcases {
+ 		header := http.Header{}
+ 		header.Set("Content-Type", testcase.contentType)
++		if testcase.url == "" {
++			testcase.url = "nothing.com"
++		}
+ 
+-		if b := sendBody(url, header); b != testcase.expected {
+-			t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
++		if b := sendBody(testcase.url, header); b != testcase.expected {
++			t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
+ 		}
+ 	}
+ }
+
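Review bot: the test additions exercise only the path-matching change in `sendBody`; there is no test for the new chunked-body branch in `AuthZRequest` (`isChunked` with `Transfer-Encoding: chunked` and `ContentLength == -1`), which is the part that closes the zero-length-content bypass. Add a case that builds an `http.Request` with `TransferEncoding: []string{"chunked"}`, `ContentLength: -1` and a non-empty body, and asserts that the body reaches the plugin request.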
diff -Nru docker.io-20.10.24+dfsg1/debian/patches/series docker.io-20.10.24+dfsg1/debian/patches/series
--- docker.io-20.10.24+dfsg1/debian/patches/series	2023-01-20 08:06:33.000000000 +0000
+++ docker.io-20.10.24+dfsg1/debian/patches/series	2024-10-12 15:19:49.000000000 +0000
@@ -29,3 +29,4 @@
 test--skip-TestGetRootUIDGID.patch
 test--skip-TestStateRunStop.patch
 avoid-consul.patch
+CVE-2024-41110.patch

--- End Message ---
--- Begin Message ---
Source: release.debian.org
Version: 12.8

Hi,

Each of the updates tracked by these bugs was included in today's 12.8
bookworm point release.

Regards,

Adam

--- End Message ---