Your message dated Sat, 09 Nov 2024 10:51:02 +0000
with message-id <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk>
and subject line Closing bugs released with 12.8
has caused the Debian Bug report #1085026,
regarding bookworm-pu: package docker.io/20.10.24+dfsg1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1085026: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085026
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: bookworm-pu: package docker.io/20.10.24+dfsg1+deb12u1
- From: Bastien Roucariès <rouca@debian.org>
- Date: Sun, 13 Oct 2024 11:43:50 +0000
- Message-id: <17498013.gcVoUZlXz2@portable-bastien>
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: docker.io@packages.debian.org, security@debian.org
Control: affects -1 + src:docker.io
User: release.debian.org@packages.debian.org
Usertags: pu
Control: tags -1 + security

[ Reason ]
CVE-2024-41110

[ Impact ]
Authentication bypass

[ Tests ]
Yes, added to test suite

[ Risks ]
Low, code is tested. Patch is official

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
- Fix CVE-2024-41110
- Fix of salsaCI to bookworm

[ Other info ]
May be worth a DSA due to popcon

diff -Nru docker.io-20.10.24+dfsg1/debian/changelog docker.io-20.10.24+dfsg1/debian/changelog --- docker.io-20.10.24+dfsg1/debian/changelog 2023-04-05 15:19:59.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/changelog 2024-10-12 15:19:49.000000000 +0000 @@ -1,3 +1,15 @@ +docker.io (20.10.24+dfsg1-1+deb12u1) bookworm-security; urgency=high + + * Team upload + * Fix CVE-2024-41110: Authz zero length regression + A security vulnerability has been detected in Docker Engine, + which could allow an attacker + to bypass authorization plugins (AuthZ) under specific + circumstances. The base likelihood of this being exploited is low. + (Closes: #1084993) + + -- Bastien Roucariès <rouca@debian.org> Sat, 12 Oct 2024 15:19:49 +0000 + docker.io (20.10.24+dfsg1-1) unstable; urgency=medium * Team upload. diff -Nru docker.io-20.10.24+dfsg1/debian/gbp.conf docker.io-20.10.24+dfsg1/debian/gbp.conf --- docker.io-20.10.24+dfsg1/debian/gbp.conf 2023-01-14 08:55:59.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/gbp.conf 2024-10-12 15:19:49.000000000 +0000 
@@ -1,2 +1,2 @@ [DEFAULT] -debian-branch = master +debian-branch = debian/bookworm diff -Nru docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml --- docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml 2023-01-14 08:55:59.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/.gitlab-ci.yml 1970-01-01 00:00:00.000000000 +0000 @@ -1,29 +0,0 @@ ---- -# https://docs.gitlab.com/ce/ci/yaml/#include -include: - - remote: https://salsa.debian.org/onlyjob/ci/raw/master/onlyjob-ci.yml - -## "amd64-unstable" always runs by default followed by lintian. - -## Only for arch:all packages: -binary-indep: - extends: .build-indep - -## Job to check Build-Depends versioning: -amd64-testing_unstable: - extends: .build - variables: - arch: amd64 - dist: testing_unstable - -i386-unstable: - extends: .build - variables: - arch: i386 - dist: unstable - -amd64-experimental: - extends: .build - variables: - arch: amd64 - dist: experimental diff -Nru docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml --- docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml 2023-01-14 08:55:59.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/gitlab-ci.yml 2024-10-12 15:19:49.000000000 +0000 @@ -4,3 +4,5 @@ --- include: - https://salsa.debian.org/go-team/infra/pkg-go-tools/-/raw/master/pipeline/test-archive.yml +variables: + RELEASE: 'bookworm' diff -Nru docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch --- docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch 1970-01-01 00:00:00.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/patches/CVE-2024-41110.patch 2024-10-12 15:19:49.000000000 +0000 
@@ -0,0 +1,180 @@ +From 88c4b7690840044ce15489699294ec7c5dadf5dd Mon Sep 17 00:00:00 2001 +From: Jameson Hyde <jameson.hyde@docker.com> +Date: Mon, 26 Nov 2018 14:15:22 -0500 +Subject: CVE-2024-41110 [PATCH] Authz plugin security fixes for 0-length content and path + validation 
Signed-off-by: Jameson Hyde <jameson.hyde@docker.com> +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +fix comments + +[debian description] +A security vulnerability has been detected in certain versions of Docker Engine, +which could allow an attacker to bypass authorization plugins (AuthZ) +under specific circumstances. The base likelihood of this being exploited +is low. + +(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e) +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> +(cherry picked from commit 2ac8a479c53d9b8e67c55f1e283da9d85d2b3415) +Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com> +origin: https://github.com/moby/moby/commit/88c4b7690840044ce15489699294ec7c5dadf5dd +debian-bug: https://bugs.debian.org/1084993 +bug: https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq +--- + pkg/authorization/authz.go | 38 ++++++++++++++++++--- + pkg/authorization/authz_unix_test.go | 49 ++++++++++++++++++++++++++-- + 2 files changed, 80 insertions(+), 7 deletions(-) + +diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go +index 590ac8dddd883..da748865dd9e2 100644 +--- a/engine/pkg/authorization/authz.go ++++ b/engine/pkg/authorization/authz.go +@@ -7,6 +7,8 @@ import ( + "io" + "mime" + "net/http" ++ "net/url" ++ "regexp" + "strings" + + "github.com/docker/docker/pkg/ioutils" +@@ -52,10 +54,23 @@ type Ctx struct { + authReq *Request + } + ++func isChunked(r *http.Request) bool { ++ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked ++ if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" { ++ return true ++ } ++ for _, v := range r.TransferEncoding { ++ if 0 == strings.Compare(strings.ToLower(v), "chunked") { ++ return true ++ } ++ } ++ return false ++} ++ + // AuthZRequest authorized the request to the docker daemon using authZ plugins + func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r 
*http.Request) error { + var body []byte +- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize { ++ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize { + var err error + body, r.Body, err = drainBody(r.Body) + if err != nil { +@@ -108,7 +123,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error { + if sendBody(ctx.requestURI, rm.Header()) { + ctx.authReq.ResponseBody = rm.RawBody() + } +- + for _, plugin := range ctx.plugins { + logrus.Debugf("AuthZ response using plugin %s", plugin.Name()) + +@@ -146,10 +160,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) { + return nil, newBody, err + } + ++func isAuthEndpoint(urlPath string) (bool, error) { ++ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional) ++ matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath) ++ if err != nil { ++ return false, err ++ } ++ return matched, nil ++} ++ + // sendBody returns true when request/response body should be sent to AuthZPlugin +-func sendBody(url string, header http.Header) bool { ++func sendBody(inURL string, header http.Header) bool { ++ u, err := url.Parse(inURL) ++ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected ++ if err != nil { ++ return false ++ } ++ + // Skip body for auth endpoint +- if strings.HasSuffix(url, "/auth") { ++ isAuth, err := isAuthEndpoint(u.Path) ++ if isAuth || err != nil { + return false + } + +diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go +index 835cb703839be..1fce6d03b76a8 100644 +--- a/engine/pkg/authorization/authz_unix_test.go ++++ b/engine/pkg/authorization/authz_unix_test.go +@@ -175,8 +175,8 @@ func TestDrainBody(t *testing.T) { + + func TestSendBody(t *testing.T) { + var ( +- url = "nothing.com" + testcases = 
[]struct { ++ url string + contentType string + expected bool + }{ +@@ -220,15 +220,58 @@ func TestSendBody(t *testing.T) { + contentType: "", + expected: false, + }, ++ { ++ url: "nothing.com/auth", ++ contentType: "", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/auth?p1=test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/test?p1=/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "nothing.com/something/auth", ++ contentType: "application/json;charset=UTF8", ++ expected: true, ++ }, ++ { ++ url: "nothing.com/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/v1.24/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, ++ { ++ url: "nothing.com/v1/auth/test", ++ contentType: "application/json;charset=UTF8", ++ expected: false, ++ }, + } + ) + + for _, testcase := range testcases { + header := http.Header{} + header.Set("Content-Type", testcase.contentType) ++ if testcase.url == "" { ++ testcase.url = "nothing.com" ++ } + +- if b := sendBody(url, header); b != testcase.expected { +- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b) ++ if b := sendBody(testcase.url, header); b != testcase.expected { ++ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b) + } + } + } + diff -Nru docker.io-20.10.24+dfsg1/debian/patches/series docker.io-20.10.24+dfsg1/debian/patches/series --- docker.io-20.10.24+dfsg1/debian/patches/series 2023-01-20 08:06:33.000000000 +0000 +++ docker.io-20.10.24+dfsg1/debian/patches/series 2024-10-12 15:19:49.000000000 +0000 
@@ -29,3 +29,4 @@ test--skip-TestGetRootUIDGID.patch test--skip-TestStateRunStop.patch avoid-consul.patch +CVE-2024-41110.patchAttachment: signature.asc
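Review bot: the debian/changelog hunk targets the wrong distribution for this request: `docker.io (20.10.24+dfsg1-1+deb12u1) bookworm-security; urgency=high` is the form used for a DSA upload, but the report is filed as a bookworm-pu, and an upload through proposed-updates needs the distribution set to `bookworm`. Either change the distribution line, or, if the security team takes this as a DSA as the [ Other info ] section suggests, have them say so and close the pu request instead. The rest of the entry is fine and the `(Closes: #1084993)` reference matches the bug named in the patch header.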
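Review bot: the debian/gbp.conf, debian/.gitlab-ci.yml and debian/gitlab-ci.yml hunks are packaging-infrastructure changes unrelated to the CVE (branch switched to `debian/bookworm`, the onlyjob CI file dropped entirely, `RELEASE: 'bookworm'` added to the go-team pipeline config); that is usually acceptable in a pu, but the [ Changes ] list should state that debian/.gitlab-ci.yml is being removed rather than only that salsa CI is adjusted to bookworm, so the release team sees the deletion without having to read the debdiff.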
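Review bot: the header of debian/patches/CVE-2024-41110.patch does not follow DEP-3 field naming: `debian-bug:` is not a DEP-3 field (the field is `Bug-Debian:`), and `origin:` / `bug:` are conventionally written `Origin:` / `Bug:`, so that tooling reading the patch header picks them up. Two cosmetic leftovers of the cherry-pick are also worth tidying: the stray `fix comments` line in the description, and the diffstat (`pkg/authorization/authz.go`) disagreeing with the `engine/pkg/authorization/...` paths on the `---`/`+++` lines; quilt only reads the latter, so the patch applies, but the header should not contradict itself.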
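Review bot: in the isChunked hunk, `if 0 == strings.Compare(strings.ToLower(v), "chunked")` is a roundabout spelling of `strings.EqualFold(v, "chunked")`; it is correct as written, and since the patch is an upstream cherry-pick it is reasonable to keep it verbatim for the backport, but it is a style point worth carrying back upstream rather than diverging here.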
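Review bot: the AuthZRequest condition `(r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize` closes the zero-length/chunked gap, but ContentLength is -1 for a chunked request in Go's net/http, so the `< maxBodySize` comparison is always true in that case and no longer bounds how much `drainBody(r.Body)` reads into memory before the plugins are consulted; as far as the visible lines show, nothing else caps that read. Please confirm that drainBody or the daemon's request handling limits the body size, or wrap the body in an `io.LimitReader` sized to maxBodySize, so the fix does not trade an authz bypass for unbounded buffering of chunked request bodies.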
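Review bot: the regexp `^[^\/]+\/(v\d[\d\.]*\/)?auth.*` in isAuthEndpoint requires one or more non-slash characters before the first slash, so it matches host-prefixed inputs such as `nothing.com/v1.24/auth` but cannot match a path that starts with `/` (for example `/v1.24/auth`), whereas the check it replaces, `strings.HasSuffix(url, "/auth")`, accepted both forms. Please confirm what ctx.requestURI actually contains on the daemon's request path: if it is an absolute path, the auth endpoint's body (which carries credentials) would again be forwarded to plugins despite the "Skip body for auth endpoint" intent. A doc comment on isAuthEndpoint stating the expected input shape would make this explicit. Returning false from sendBody when `url.Parse` or the regexp fails is the right fail-closed direction and the inline comment explains it well.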
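Review bot: the added TestSendBody cases only exercise host-prefixed URLs (`nothing.com/...`); there is no case with a leading slash, and nothing in the visible hunks tests the new isChunked path or the zero-length body that the changelog names as the regression (`Authz zero length regression`), so the report's "[ Tests ] Yes, added to test suite" covers only the path-matching half of the fix. A test driving AuthZRequest with `Transfer-Encoding: chunked` (ContentLength -1) and a zero-length body, asserting that the body reaches the plugin, would pin the behaviour this CVE fix is about. The `if testcase.url == "" { testcase.url = "nothing.com" }` default is fine since the range variable is a copy.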
--- End Message ---
--- Begin Message ---
- To: 1074088-done@bugs.debian.org, 1074126-done@bugs.debian.org, 1076473-done@bugs.debian.org, 1077668-done@bugs.debian.org, 1079689-done@bugs.debian.org, 1079733-done@bugs.debian.org, 1080363-done@bugs.debian.org, 1080402-done@bugs.debian.org, 1080968-done@bugs.debian.org, 1081034-done@bugs.debian.org, 1081035-done@bugs.debian.org, 1081169-done@bugs.debian.org, 1081317-done@bugs.debian.org, 1081343-done@bugs.debian.org, 1081388-done@bugs.debian.org, 1081389-done@bugs.debian.org, 1081394-done@bugs.debian.org, 1081399-done@bugs.debian.org, 1081410-done@bugs.debian.org, 1081413-done@bugs.debian.org, 1081418-done@bugs.debian.org, 1081750-done@bugs.debian.org, 1082024-done@bugs.debian.org, 1082153-done@bugs.debian.org, 1082155-done@bugs.debian.org, 1082322-done@bugs.debian.org, 1082701-done@bugs.debian.org, 1082710-done@bugs.debian.org, 1082746-done@bugs.debian.org, 1082783-done@bugs.debian.org, 1082902-done@bugs.debian.org, 1082935-done@bugs.debian.org, 1083026-done@bugs.debian.org, 1083090-done@bugs.debian.org, 1083162-done@bugs.debian.org, 1083223-done@bugs.debian.org, 1084171-done@bugs.debian.org, 1084845-done@bugs.debian.org, 1084907-done@bugs.debian.org, 1085026-done@bugs.debian.org, 1085176-done@bugs.debian.org, 1085227-done@bugs.debian.org, 1085281-done@bugs.debian.org, 1085430-done@bugs.debian.org, 1085591-done@bugs.debian.org, 1085708-done@bugs.debian.org, 1085711-done@bugs.debian.org, 1085965-done@bugs.debian.org, 1086116-done@bugs.debian.org, 1086149-done@bugs.debian.org, 1086151-done@bugs.debian.org, 1086154-done@bugs.debian.org, 1086157-done@bugs.debian.org, 1086163-done@bugs.debian.org, 1086164-done@bugs.debian.org, 1086193-done@bugs.debian.org, 1086207-done@bugs.debian.org, 1086601-done@bugs.debian.org, 1086611-done@bugs.debian.org, 1086613-done@bugs.debian.org, 1086632-done@bugs.debian.org, 1081535-done@bugs.debian.org
- Subject: Closing bugs released with 12.8
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 09 Nov 2024 10:51:02 +0000
- Message-id: <b0a29248bc631362ed06a8879f93b8cdae5414d0.camel@adam-barratt.org.uk>
Source: release.debian.org
Version: 12.8

Hi,

Each of the updates tracked by these bugs was included in today's 12.8
bookworm point release.

Regards,

Adam
--- End Message ---