1 files changed, 49 insertions, 0 deletions
diff --git a/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch
new file mode 100644
index 00000000..8d3e98f9
--- /dev/null
+++ b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch
@@ -0,0 +1,49 @@
+From ff9eed251cfd7dd279ea231a289cc784fd7f829f Mon Sep 17 00:00:00 2001
+From: Milos Gajdos <milosthegajdos@gmail.com>
+Date: Sat, 1 Feb 2025 15:30:18 -0800
+Subject: [PATCH] Fix registry token authentication bug
+When a JWT contains a JWK header without a certificate chain,
+the original code only checked if the KeyID (kid) matches one of the trusted keys,
+but doesn't verify that the actual key material matches.
+As a result, if an attacker guesses the kid, they can inject an
+untrusted key which would then be used to grant access to protected
+data.
+This fixes the issue such as only the trusted key is verified.
+Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
+CVE: CVE-2025-24976
+Upstream-Status: Backport [https://github.com/distribution/distribution/commit/f4a500caf68169dccb0b54cb90523e68ee1ac2be]
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ registry/auth/token/token.go | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/registry/auth/token/token.go b/registry/auth/token/token.go
+index f803415f..fbcf5bfa 100644
+--- a/registry/auth/token/token.go
+++ b/registry/auth/token/token.go
+@@ -290,12 +290,13 @@ func parseAndVerifyRawJWK(rawJWK *json.RawMessage, verifyOpts VerifyOptions) (pu
+        x5cVal, ok := pubKey.GetExtendedField("x5c").([]interface{})
+        if !ok {
+                // The JWK should be one of the trusted root keys.
+-               if _, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]; !trusted {
+               trustedKey, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]
+               if !trusted {
+                        return nil, errors.New("untrusted JWK with no certificate chain")
+                }
+ 
+                // The JWK is one of the trusted keys.
+-               return
+               return trustedKey, nil
+        }
+ 
+        // Ensure each item in the chain is of the correct type.
+-- 
+2.25.1

diff --git a/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch new file mode 100644 index 00000000..8d3e98f9 --- /dev/null +++ b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch
@@ -0,0 +1,49 @@
	1	From ff9eed251cfd7dd279ea231a289cc784fd7f829f Mon Sep 17 00:00:00 2001
	2	From: Milos Gajdos <milosthegajdos@gmail.com>
	3	Date: Sat, 1 Feb 2025 15:30:18 -0800
	4	Subject: [PATCH] Fix registry token authentication bug
	5
	6	When a JWT contains a JWK header without a certificate chain,
	7	the original code only checked if the KeyID (kid) matches one of the trusted keys,
	8	but doesn't verify that the actual key material matches.
	9
	10	As a result, if an attacker guesses the kid, they can inject an
	11	untrusted key which would then be used to grant access to protected
	12	data.
	13
	14	This fixes the issue such as only the trusted key is verified.
	15
	16	Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
	17
	18	CVE: CVE-2025-24976
	19
	20	Upstream-Status: Backport [https://github.com/distribution/distribution/commit/f4a500caf68169dccb0b54cb90523e68ee1ac2be]
	21
	22	Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
	23	---
	24	registry/auth/token/token.go \| 5 +++--
	25	1 file changed, 3 insertions(+), 2 deletions(-)
	26
	27	diff --git a/registry/auth/token/token.go b/registry/auth/token/token.go
	28	index f803415f..fbcf5bfa 100644
	29	--- a/registry/auth/token/token.go
	30	+++ b/registry/auth/token/token.go
	31	@@ -290,12 +290,13 @@ func parseAndVerifyRawJWK(rawJWK *json.RawMessage, verifyOpts VerifyOptions) (pu
	32	x5cVal, ok := pubKey.GetExtendedField("x5c").([]interface{})
	33	if !ok {
	34	// The JWK should be one of the trusted root keys.
	35	- if _, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]; !trusted {
	36	+ trustedKey, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]
	37	+ if !trusted {
	38	return nil, errors.New("untrusted JWK with no certificate chain")
	39	}
	40
	41	// The JWK is one of the trusted keys.
	42	- return
	43	+ return trustedKey, nil
	44	}
	45
	46	// Ensure each item in the chain is of the correct type.
	47	--
	48	2.25.1
	49