diff --git a/VERSION-vendor b/VERSION-vendor
index 574c0c4849f85c628c2a957fe77782683386204c..5261b0fae07b481c8cdc0cfe74c2656f565c1bbc 100644
--- a/VERSION-vendor
+++ b/VERSION-vendor
@@ -1 +1 @@
-18.09.0.333
+18.09.0.334
diff --git a/docker.spec b/docker.spec
index ad1f71bcaccc6b89d4226833fba5e01859bc585c..d4b4e3c6e032d25fd8e41a5c61d301fbda1cafdf 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 333
+Release: 334
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -227,6 +227,12 @@ fi
 %endif
 %changelog
+* Fri Apr 12 2024 chenjiankun - 18.09.0-334
+- Type:CVE
+- CVE:CVE-2024-29018
+- SUG:NA
+- DESC:fix CVE-2024-29018
+
 * Tue Mar 19 2024 chenjiankun - 18.09.0-333
 - Type:CVE
 - CVE:CVE-2024-24557
diff --git a/git-commit b/git-commit
index 25795bb7b5136b8704b3707060ec73220c2640ad..adf942aaf29a512be4269c25d8bb13aa331e8492 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-d4909fb9ae2862823e5687c224cb5d346b7e5f9f
+7f38c42f244001db2c04d6d99264b6b51b0a4357
diff --git a/patch/0274-docker-fix-CVE-2024-29018.patch b/patch/0274-docker-fix-CVE-2024-29018.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fc110e0c811578edcf19712061f07c6024a7ceb9
--- /dev/null
+++ b/patch/0274-docker-fix-CVE-2024-29018.patch
@@ -0,0 +1,101 @@
+From e90f75c9e91427aa6254a89a10c619a17e2be594 Mon Sep 17 00:00:00 2001
+From: chenjiankun
+Date: Thu, 28 Mar 2024 17:16:11 +0800
+Subject: [PATCH] docker: fix CVE-2024-29018
+
+libnet: Don't forward to upstream resolvers on internal nw
+
+Commit cbc2a71 makes `connect` syscall fail fast when a container is
+only attached to an internal network. Thanks to that, if such a
+container tries to resolve an "external" domain, the embedded resolver
+returns an error immediately instead of waiting for a timeout.
+
+This commit makes sure the embedded resolver doesn't even try to forward
+to upstream servers.
+
+Conflict:libnetwork/resolver.go,sandbox_dns_unix.go
+Reference:https://github.com/moby/moby/commit/790c3039d0ca5ed86ecd099b4b571496607628bc
+---
+ .../vendor/github.com/docker/libnetwork/endpoint.go | 13 ++++++++++++-
+ .../vendor/github.com/docker/libnetwork/resolver.go | 9 +++++++++
+ .../docker/libnetwork/sandbox_dns_unix.go | 6 +++++-
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/endpoint.go b/components/engine/vendor/github.com/docker/libnetwork/endpoint.go
+index 822f88bd3..914169199 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/endpoint.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/endpoint.go
+@@ -550,7 +550,13 @@ func (ep *endpoint) sbJoin(sb *sandbox, options ...EndpointOption) (err error) {
+ return sb.setupDefaultGW()
+ }
+
+- moveExtConn := sb.getGatewayEndpoint() != extEp
++ currentExtEp := sb.getGatewayEndpoint()
++ // Enable upstream forwarding if the sandbox gained external connectivity.
++ if sb.resolver != nil {
++ sb.resolver.SetForwardingPolicy(currentExtEp != nil)
++ }
++
++ moveExtConn := currentExtEp != extEp
+
+ if moveExtConn {
+ if extEp != nil {
+@@ -786,6 +792,11 @@ func (ep *endpoint) sbLeave(sb *sandbox, force bool, options ...EndpointOption)
+
+ // New endpoint providing external connectivity for the sandbox
+ extEp = sb.getGatewayEndpoint()
++ // Disable upstream forwarding if the sandbox lost external connectivity.
++ if sb.resolver != nil {
++ sb.resolver.SetForwardingPolicy(extEp != nil)
++ }
++
+ if moveExtConn && extEp != nil {
+ logrus.Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
+ extN, err := extEp.getNetworkFromStore()
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/resolver.go b/components/engine/vendor/github.com/docker/libnetwork/resolver.go
+index 04afe7a1d..0e44352d7 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/resolver.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/resolver.go
+@@ -24,6 +24,9 @@ type Resolver interface {
+ // SetupFunc() provides the setup function that should be run
+ // in the container's network namespace.
+ SetupFunc(int) func()
++ // SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
++ // external servers.
++ SetForwardingPolicy(bool)
+ // NameServer() returns the IP of the DNS resolver for the
+ // containers.
+ NameServer() string
+@@ -196,6 +199,12 @@ func (r *resolver) SetExtServers(extDNS []extDNSEntry) {
+ }
+ }
+
++// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
++// external servers.
++func (r *resolver) SetForwardingPolicy(policy bool) {
++ r.proxyDNS = policy
++}
++
+ func (r *resolver) NameServer() string {
+ return r.listenAddress
+ }
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go b/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go
+index db1b66b19..484987a83 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go
+@@ -27,7 +27,11 @@ const (
+ func (sb *sandbox) startResolver(restore bool) {
+ sb.resolverOnce.Do(func() {
+ var err error
+- sb.resolver = NewResolver(resolverIPSandbox, true, sb.Key(), sb)
++ // The resolver is started with proxyDNS=false if the sandbox does not currently
++ // have a gateway. So, if the Sandbox is only connected to an 'internal' network,
++ // it will not forward DNS requests to external resolvers. The resolver's
++ // proxyDNS setting is then updated as network Endpoints are added/removed.
++ sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb.Key(), sb)
+ defer func() {
+ if err != nil {
+ sb.resolver = nil
+--
+2.33.0
+
diff --git a/series.conf b/series.conf
index afdd5b3970241869597558e7f454cf97cff10d00..1e1a80e865a6ab655f4b8858af6dfb6f34c0b916 100644
--- a/series.conf
+++ b/series.conf
@@ -271,4 +271,5 @@ patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch
 patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch
 patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch
 patch/0273-backport-fix-CVE-2024-24557.patch
+patch/0274-docker-fix-CVE-2024-29018.patch
 #end
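Review bot: `r.proxyDNS = policy` in the new SetForwardingPolicy is an unsynchronized write from the endpoint join/leave path to a field that, judging by its name and the new comment in startResolver, the resolver consults while answering queries on its own serving goroutines; the read sites are outside this hunk, but unless they take a lock this is a data race under the Go memory model, and the decision to forward or not forward a query for an internal-only sandbox should not rest on a racy read. Store and load the flag through `sync/atomic` (an `atomic.Bool`, or `StoreUint32`/`LoadUint32` on a `uint32` if the vendored toolchain predates Go 1.19) or under whatever mutex the resolver already holds for `SetExtServers`, and adjust each read site to match; the upstream commit named in the patch's Reference line is worth comparing for how it protects this field. The interface doc comment added for SetForwardingPolicy should also state whether it may be called concurrently with query serving, e.g. `// It is safe to call while the resolver is serving queries.` once that holds. sbJoin, sbLeave and startResolver all begin and end outside this hunk.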