From 99f5ab96c606363b0c8c2123039fdb1e2dcb0ec4 Mon Sep 17 00:00:00 2001
From: chenjiankun
Date: Wed, 8 May 2024 12:20:18 +0800
Subject: [PATCH] backport: fix CVE-2024-32473

fix #I9HX2H

(cherry picked from commit 29ff8159f389c51ebfe76fa3926ce722a65b7ba8)
---
 VERSION-vendor | 2 +-
 docker.spec | 8 ++-
 git-commit | 2 +-
 patch/0275-backport-fix-CVE-2024-32473.patch | 60 ++++++++++++++++++++
 series.conf | 1 +
 5 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 patch/0275-backport-fix-CVE-2024-32473.patch
diff --git a/VERSION-vendor b/VERSION-vendor
index 5261b0f..666a0bb 100644
--- a/VERSION-vendor
+++ b/VERSION-vendor
@@ -1 +1 @@
-18.09.0.334
+18.09.0.335
diff --git a/docker.spec b/docker.spec
index 970bf9d..b6e209b 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 334
+Release: 335
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -213,6 +213,12 @@ fi
 %endif
 
 %changelog
+* Wed May 08 2024 chenjiankun - 18.09.0-335
+- Type:CVE
+- CVE:CVE-2024-32473
+- SUG:NA
+- DESC:fix CVE-2024-32473
+
 * Fri Apr 12 2024 chenjiankun - 18.09.0-334
 - Type:CVE
 - CVE:CVE-2024-29018
diff --git a/git-commit b/git-commit
index adf942a..039776e 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-7f38c42f244001db2c04d6d99264b6b51b0a4357
+4ca0e267ad268d13264a7d191f69d163410352cf
diff --git a/patch/0275-backport-fix-CVE-2024-32473.patch b/patch/0275-backport-fix-CVE-2024-32473.patch
new file mode 100644
index 0000000..ca98e45
--- /dev/null
+++ b/patch/0275-backport-fix-CVE-2024-32473.patch
@@ -0,0 +1,60 @@
+From ed5ed46f0aee11f3e4e0fcc2b2ce391460bd4550 Mon Sep 17 00:00:00 2001
+From: chenjiankun
+Date: Wed, 8 May 2024 10:03:36 +0800
+Subject: [PATCH] docker: Disable IPv6 for endpoints in '--ipv6=false' networks
+
+No IPAM IPv6 address is given to an interface in a network with
+'--ipv6=false', but the kernel would assign a link-local address and,
+in a macvlan/ipvlan network, the interface may get a SLAAC-assigned
+address.
+
+So, disable IPv6 on the interface to avoid that.
+
+Signed-off-by: Rob Murray
+
+Conflict:no
+Reference:https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642
+
+---
+ .../docker/libnetwork/osl/interface_linux.go | 21 ++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go b/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
+index a924af4bd..63d0e5650 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
+@@ -377,17 +377,24 @@ func setInterfaceIP(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+ }
+ 
+ func setInterfaceIPv6(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+- if i.AddressIPv6() == nil {
++ addr := i.AddressIPv6()
++ // IPv6 must be enabled on the interface if and only if the network is
++ // IPv6-enabled. For an interface on an IPv4-only network, if IPv6 isn't
++ // disabled, the interface will be put into IPv6 multicast groups making
++ // it unexpectedly susceptible to NDP cache poisoning, route injection, etc.
++ // (At present, there will always be a pre-configured IPv6 address if the
++ // network is IPv6-enabled.)
++ if err := setIPv6(i.ns.path, i.DstName(), addr != nil); err != nil {
++ return fmt.Errorf("failed to configure ipv6: %v", err)
++ }
++ if addr == nil {
+ return nil
+ }
+- if err := checkRouteConflict(nlh, i.AddressIPv6(), netlink.FAMILY_V6); err != nil {
++ if err := checkRouteConflict(nlh, addr, netlink.FAMILY_V6); err != nil {
+ return err
+ }
+- if err := setIPv6(i.ns.path, i.DstName(), true); err != nil {
+- return fmt.Errorf("failed to enable ipv6: %v", err)
+- }
+- ipAddr := &netlink.Addr{IPNet: i.AddressIPv6(), Label: "", Flags: syscall.IFA_F_NODAD}
+- return nlh.AddrAdd(iface, ipAddr)
++ nlAddr := &netlink.Addr{IPNet: addr, Label: "", Flags: syscall.IFA_F_NODAD}
++ return nlh.AddrAdd(iface, nlAddr)
+ }
+ 
+ func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+-- 
+2.33.0
+
diff --git a/series.conf b/series.conf
index c6c4801..3fa752a 100644
--- a/series.conf
+++ b/series.conf
@@ -269,4 +269,5 @@ patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch
 patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch
 patch/0273-backport-fix-CVE-2024-24557.patch
 patch/0274-docker-fix-CVE-2024-29018.patch
+patch/0275-backport-fix-CVE-2024-32473.patch
 #end
-- 
Gitee
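Review bot: The rewritten setInterfaceIPv6 now calls `setIPv6(i.ns.path, i.DstName(), addr != nil)` before the `if addr == nil { return nil }` early return, so the sysctl write runs for every endpoint on an IPv4-only network, a path the old code never touched; any failure of that write (a kernel with no IPv6 stack, or a read-only `/proc/sys` inside the namespace) now aborts endpoint setup with "failed to configure ipv6" where it previously could not fail. Whether the setIPv6 vendored in this 18.09 tree tolerates a missing or already-disabled `disable_ipv6` knob is not visible in the hunk, so the backport should verify that helper and, when asked to disable, treat "IPv6 already unavailable on this interface" as success rather than as an error. The whole of setInterfaceIPv6 lies inside the hunk, but setInterfaceLinkLocalIPs, which follows it, does not, and its behaviour on an interface whose IPv6 has just been disabled is worth confirming. The 60-line patch carries no test, so a case exercising an `--ipv6=false` network on a host with IPv6 disabled at the kernel would pin the intended behaviour of this change.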