diff options
| -rw-r--r-- | recipes-containers/docker-distribution/docker-distribution_git.bb | 1 | ||||
| -rw-r--r-- | recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch | 49 |
2 files changed, 50 insertions, 0 deletions
diff --git a/recipes-containers/docker-distribution/docker-distribution_git.bb b/recipes-containers/docker-distribution/docker-distribution_git.bb index 50b6b302..5b5f75bb 100644 --- a/recipes-containers/docker-distribution/docker-distribution_git.bb +++ b/recipes-containers/docker-distribution/docker-distribution_git.bb | |||
| @@ -9,6 +9,7 @@ SRC_URI = "git://github.com/docker/distribution.git;branch=release/2.8;name=dist | |||
| 9 | file://0001-build-use-to-use-cross-go-compiler.patch \ | 9 | file://0001-build-use-to-use-cross-go-compiler.patch \ |
| 10 | file://0001-Fix-runaway-allocation-on-v2-_catalog.patch \ | 10 | file://0001-Fix-runaway-allocation-on-v2-_catalog.patch \ |
| 11 | file://0001-panicwrap-Use-dup3-on-riscv64-linux.patch \ | 11 | file://0001-panicwrap-Use-dup3-on-riscv64-linux.patch \ |
| 12 | file://0001-Fix-registry-token-authentication-bug.patch \ | ||
| 12 | " | 13 | " |
| 13 | 14 | ||
| 14 | PACKAGES =+ "docker-registry" | 15 | PACKAGES =+ "docker-registry" |
diff --git a/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch new file mode 100644 index 00000000..8d3e98f9 --- /dev/null +++ b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch | |||
| @@ -0,0 +1,49 @@ | |||
| 1 | From ff9eed251cfd7dd279ea231a289cc784fd7f829f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Milos Gajdos <milosthegajdos@gmail.com> | ||
| 3 | Date: Sat, 1 Feb 2025 15:30:18 -0800 | ||
| 4 | Subject: [PATCH] Fix registry token authentication bug | ||
| 5 | |||
| 6 | When a JWT contains a JWK header without a certificate chain, | ||
| 7 | the original code only checked if the KeyID (kid) matches one of the trusted keys, | ||
| 8 | but doesn't verify that the actual key material matches. | ||
| 9 | |||
| 10 | As a result, if an attacker guesses the kid, they can inject an | ||
| 11 | untrusted key which would then be used to grant access to protected | ||
| 12 | data. | ||
| 13 | |||
| 14 | This fixes the issue such as only the trusted key is verified. | ||
| 15 | |||
| 16 | Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com> | ||
| 17 | |||
| 18 | CVE: CVE-2025-24976 | ||
| 19 | |||
| 20 | Upstream-Status: Backport [https://github.com/distribution/distribution/commit/f4a500caf68169dccb0b54cb90523e68ee1ac2be] | ||
| 21 | |||
| 22 | Signed-off-by: Chen Qi <Qi.Chen@windriver.com> | ||
| 23 | --- | ||
| 24 | registry/auth/token/token.go | 5 +++-- | ||
| 25 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
| 26 | |||
| 27 | diff --git a/registry/auth/token/token.go b/registry/auth/token/token.go | ||
| 28 | index f803415f..fbcf5bfa 100644 | ||
| 29 | --- a/registry/auth/token/token.go | ||
| 30 | +++ b/registry/auth/token/token.go | ||
| 31 | @@ -290,12 +290,13 @@ func parseAndVerifyRawJWK(rawJWK *json.RawMessage, verifyOpts VerifyOptions) (pu | ||
| 32 | x5cVal, ok := pubKey.GetExtendedField("x5c").([]interface{}) | ||
| 33 | if !ok { | ||
| 34 | // The JWK should be one of the trusted root keys. | ||
| 35 | - if _, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]; !trusted { | ||
| 36 | + trustedKey, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()] | ||
| 37 | + if !trusted { | ||
| 38 | return nil, errors.New("untrusted JWK with no certificate chain") | ||
| 39 | } | ||
| 40 | |||
| 41 | // The JWK is one of the trusted keys. | ||
| 42 | - return | ||
| 43 | + return trustedKey, nil | ||
| 44 | } | ||
| 45 | |||
| 46 | // Ensure each item in the chain is of the correct type. | ||
| 47 | -- | ||
| 48 | 2.25.1 | ||
| 49 | |||