From cf982c9fad8fe654058d80f53c558fa6f23a5193 Mon Sep 17 00:00:00 2001 From: Chen Qi Date: Wed, 5 Mar 2025 18:19:01 -0800 Subject: docker-distribution: fix CVE-2025-24976 Backport patch to fix CVE-2025-24976. Signed-off-by: Chen Qi Signed-off-by: Bruce Ashfield --- ...001-Fix-registry-token-authentication-bug.patch | 49 ++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch (limited to 'recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch') diff --git a/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch new file mode 100644 index 00000000..8d3e98f9 --- /dev/null +++ b/recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch @@ -0,0 +1,49 @@ +From ff9eed251cfd7dd279ea231a289cc784fd7f829f Mon Sep 17 00:00:00 2001 +From: Milos Gajdos +Date: Sat, 1 Feb 2025 15:30:18 -0800 +Subject: [PATCH] Fix registry token authentication bug + +When a JWT contains a JWK header without a certificate chain, +the original code only checked if the KeyID (kid) matches one of the trusted keys, +but doesn't verify that the actual key material matches. + +As a result, if an attacker guesses the kid, they can inject an +untrusted key which would then be used to grant access to protected +data. + +This fixes the issue such as only the trusted key is verified. + +Signed-off-by: Milos Gajdos + +CVE: CVE-2025-24976 + +Upstream-Status: Backport [https://github.com/distribution/distribution/commit/f4a500caf68169dccb0b54cb90523e68ee1ac2be] + +Signed-off-by: Chen Qi +--- + registry/auth/token/token.go | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/registry/auth/token/token.go b/registry/auth/token/token.go +index f803415f..fbcf5bfa 100644 +--- a/registry/auth/token/token.go ++++ b/registry/auth/token/token.go +@@ -290,12 +290,13 @@ func parseAndVerifyRawJWK(rawJWK *json.RawMessage, verifyOpts VerifyOptions) (pu + x5cVal, ok := pubKey.GetExtendedField("x5c").([]interface{}) + if !ok { + // The JWK should be one of the trusted root keys. +- if _, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]; !trusted { ++ trustedKey, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()] ++ if !trusted { + return nil, errors.New("untrusted JWK with no certificate chain") + } + + // The JWK is one of the trusted keys. +- return ++ return trustedKey, nil + } + + // Ensure each item in the chain is of the correct type. +-- +2.25.1 + -- cgit v1.2.3-54-g00ecf