-
Notifications
You must be signed in to change notification settings - Fork 563
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
docker-compose: patch CVE-2024-45337 (#11819)
Signed-off-by: Muhammad Falak R Wani <[email protected]> Co-authored-by: jslobodzian <[email protected]> (cherry picked from commit 0158d9e)
- Loading branch information
1 parent
db2fd14
commit a73e7c7
Showing
2 changed files
with
85 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| From 66fd5d19c5ea8c7f4f7ff69bcc93a7c8231ce4cf Mon Sep 17 00:00:00 2001 | ||
| From: Roland Shoemaker <[email protected]> | ||
| Date: Tue, 3 Dec 2024 09:03:03 -0800 | ||
| Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache | ||
|
|
||
| Users of the the ssh package seem to extremely commonly misuse the | ||
| PublicKeyCallback API, assuming that the key passed in the last call | ||
| before a connection is established is the key used for authentication. | ||
| Some users then make authorization decisions based on this key. This | ||
| property is not documented, and may not be correct, due to the caching | ||
| behavior of the package, resulting in users making incorrect | ||
| authorization decisions about the connection. | ||
|
|
||
| This change makes the cache a one entry FIFO cache, making the assumed | ||
| property, that the last call to PublicKeyCallback represents the key | ||
| actually used for authentication, actually hold. | ||
|
|
||
| Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and | ||
| Jules Duvivier from the Platform.sh / Upsun engineering team | ||
| for reporting this issue. | ||
|
|
||
| Fixes golang/go#70779 | ||
| Fixes CVE-2024-45337 | ||
|
|
||
| Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f | ||
| Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315 | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| Auto-Submit: Gopher Robot <[email protected]> | ||
| Reviewed-by: Damien Neil <[email protected]> | ||
| Reviewed-by: Nicola Murino <[email protected]> | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| Signed-off-by: Muhammad Falak R Wani <[email protected]> | ||
| --- | ||
| vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++---- | ||
| 1 file changed, 11 insertions(+), 4 deletions(-) | ||
|
|
||
| diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go | ||
| index c2dfe32..39dcc09 100644 | ||
| --- a/vendor/golang.org/x/crypto/ssh/server.go | ||
| +++ b/vendor/golang.org/x/crypto/ssh/server.go | ||
| @@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) { | ||
| } | ||
|
|
||
| // cachedPubKey contains the results of querying whether a public key is | ||
| -// acceptable for a user. | ||
| +// acceptable for a user. This is a FIFO cache. | ||
| type cachedPubKey struct { | ||
| user string | ||
| pubKeyData []byte | ||
| @@ -157,7 +157,13 @@ type cachedPubKey struct { | ||
| perms *Permissions | ||
| } | ||
|
|
||
| -const maxCachedPubKeys = 16 | ||
| +// maxCachedPubKeys is the number of cache entries we store. | ||
| +// | ||
| +// Due to consistent misuse of the PublicKeyCallback API, we have reduced this | ||
| +// to 1, such that the only key in the cache is the most recently seen one. This | ||
| +// forces the behavior that the last call to PublicKeyCallback will always be | ||
| +// with the key that is used for authentication. | ||
| +const maxCachedPubKeys = 1 | ||
|
|
||
| // pubKeyCache caches tests for public keys. Since SSH clients | ||
| // will query whether a public key is acceptable before attempting to | ||
| @@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) { | ||
|
|
||
| // add adds the given tuple to the cache. | ||
| func (c *pubKeyCache) add(candidate cachedPubKey) { | ||
| - if len(c.keys) < maxCachedPubKeys { | ||
| - c.keys = append(c.keys, candidate) | ||
| + if len(c.keys) >= maxCachedPubKeys { | ||
| + c.keys = c.keys[1:] | ||
| } | ||
| + c.keys = append(c.keys, candidate) | ||
| } | ||
|
|
||
| // ServerConn is an authenticated SSH connection, as seen from the | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: Define and run multi-container applications with Docker | ||
| Name: docker-compose | ||
| Version: 2.27.0 | ||
| Release: 1%{?dist} | ||
| Release: 2%{?dist} | ||
| License: ASL 2.0 | ||
| Vendor: Microsoft Corporation | ||
| Distribution: Azure Linux | ||
|
|
@@ -12,6 +12,7 @@ Source0: https://github.com/docker/compose/archive/refs/tags/v%{version}. | |
| # NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store. | ||
| # After fixing any possible CVE for the vendored source, we must bump v1 -> v2 | ||
| Source1: %{name}-%{version}-govendor-v1.tar.gz | ||
| Patch0: CVE-2024-45337.patch | ||
| BuildRequires: golang | ||
| Requires: docker-cli | ||
| Obsoletes: moby-compose < %{version}-%{release} | ||
|
|
@@ -44,6 +45,9 @@ install -D -m0755 bin/build/docker-compose %{buildroot}/%{_libexecdir}/docker/cl | |
| %{_libexecdir}/docker/cli-plugins/docker-compose | ||
|
|
||
| %changelog | ||
| * Wed Jan 08 2025 Muhammad Falak <[email protected]> - 2.27.0-2 | ||
| - Patch CVE-2024-45337 | ||
|
|
||
| * Thu May 02 2024 CBL-Mariner Servicing Account <[email protected]> - 2.27.0-1 | ||
| - Auto-upgrade to 2.27.0 - address CVE-2024-23653 | ||
|
|
||
|
|
||