diff options
| author | Praveen Kumar <praveen.kumar@windriver.com> | 2025-03-26 19:50:07 +0000 |
|---|---|---|
| committer | Bruce Ashfield <bruce.ashfield@gmail.com> | 2025-04-02 02:21:33 +0000 |
| commit | 2bfcc55701824f37bf2d0dc3ef5f719d22e9919f (patch) | |
| tree | 209bb7a391aea0142dbda31fb21d5a3fe2f836d5 | |
| parent | bc324b3fe89d1b1bf6e58b0e37ff81049f7e7c98 (diff) | |
| download | meta-virtualization-2bfcc55701824f37bf2d0dc3ef5f719d22e9919f.tar.gz | |
docker-moby: Fix CVE-2024-36620
moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference
via daemon/images/image_history.go.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-36620
Upstream-patch:
https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4
Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
| -rw-r--r-- | recipes-containers/docker/docker-moby_git.bb | 1 | ||||
| -rw-r--r-- | recipes-containers/docker/files/CVE-2024-36620.patch | 40 |
2 files changed, 41 insertions, 0 deletions
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb index 0abb0b3f..a1879ed2 100644 --- a/recipes-containers/docker/docker-moby_git.bb +++ b/recipes-containers/docker/docker-moby_git.bb | |||
| @@ -56,6 +56,7 @@ SRC_URI = "\ | |||
| 56 | file://0001-libnetwork-use-GO-instead-of-go.patch \ | 56 | file://0001-libnetwork-use-GO-instead-of-go.patch \ |
| 57 | file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \ | 57 | file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \ |
| 58 | file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ | 58 | file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \ |
| 59 | file://CVE-2024-36620.patch;patchdir=src/import \ | ||
| 59 | " | 60 | " |
| 60 | 61 | ||
| 61 | DOCKER_COMMIT = "${SRCREV_moby}" | 62 | DOCKER_COMMIT = "${SRCREV_moby}" |
diff --git a/recipes-containers/docker/files/CVE-2024-36620.patch b/recipes-containers/docker/files/CVE-2024-36620.patch new file mode 100644 index 00000000..7bce4137 --- /dev/null +++ b/recipes-containers/docker/files/CVE-2024-36620.patch | |||
| @@ -0,0 +1,40 @@ | |||
| 1 | From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Christopher Petito <47751006+krissetto@users.noreply.github.com> | ||
| 3 | Date: Fri, 19 Apr 2024 10:44:30 +0000 | ||
| 4 | Subject: [PATCH] nil dereference fix on image history Created value | ||
| 5 | |||
| 6 | Issue was caused by the changes here https://github.com/moby/moby/pull/45504 | ||
| 7 | First released in v25.0.0-beta.1 | ||
| 8 | |||
| 9 | CVE: CVE-2024-36620 | ||
| 10 | |||
| 11 | Upstream-Status: | ||
| 12 | Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4] | ||
| 13 | |||
| 14 | Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com> | ||
| 15 | --- | ||
| 16 | daemon/images/image_history.go | 6 +++++- | ||
| 17 | 1 file changed, 5 insertions(+), 1 deletion(-) | ||
| 18 | |||
| 19 | diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go | ||
| 20 | index dcf7a906aa..e5adda8639 100644 | ||
| 21 | --- a/daemon/images/image_history.go | ||
| 22 | +++ b/daemon/images/image_history.go | ||
| 23 | @@ -41,10 +41,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image. | ||
| 24 | layer.ReleaseAndLog(i.layerStore, l) | ||
| 25 | layerCounter++ | ||
| 26 | } | ||
| 27 | + var created int64 | ||
| 28 | + if h.Created != nil { | ||
| 29 | + created = h.Created.Unix() | ||
| 30 | + } | ||
| 31 | |||
| 32 | history = append([]*image.HistoryResponseItem{{ | ||
| 33 | ID: "<missing>", | ||
| 34 | - Created: h.Created.Unix(), | ||
| 35 | + Created: created, | ||
| 36 | CreatedBy: h.CreatedBy, | ||
| 37 | Comment: h.Comment, | ||
| 38 | Size: layerSize, | ||
| 39 | -- | ||
| 40 | 2.40.0 | ||