From e9b3122db70a27aa2a98552eab5862527525489f Mon Sep 17 00:00:00 2001
From: chenjiankun
Date: Wed, 8 May 2024 12:26:31 +0800
Subject: [PATCH] backport: fix CVE-2024-32473

fix #I9HX2H

(cherry picked from commit 5543a47ad1906dfe98d2721d6f1a9343d4764499)
---
 VERSION-vendor | 2 +-
 docker-engine-openeuler.spec | 8 ++-
 patch/0275-backport-fix-CVE-2024-32473.patch | 60 ++++++++++++++++++++
 series.conf | 1 +
 4 files changed, 69 insertions(+), 2 deletions(-)
 create mode 100644 patch/0275-backport-fix-CVE-2024-32473.patch

diff --git a/VERSION-vendor b/VERSION-vendor
index 3f78729..36a4168 100644
--- a/VERSION-vendor
+++ b/VERSION-vendor
@@ -1 +1 @@
-18.09.0.264
+18.09.0.265
diff --git a/docker-engine-openeuler.spec b/docker-engine-openeuler.spec
index 19dbf4a..4a1b9fe 100644
--- a/docker-engine-openeuler.spec
+++ b/docker-engine-openeuler.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 264
+Release: 265
 Epoch: 1
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -199,6 +199,12 @@ fi
 %endif
 
 %changelog
+* Wed May 08 2024 chenjiankun - 18.09.0-265
+- Type:CVE
+- CVE:CVE-2024-32473
+- SUG:NA
+- DESC:fix CVE-2024-32473
+
 * Mon Apr 01 2024 zhongjiawei - 18.09.0-264
 - Type:CVE
 - CVE:CVE-2024-29018
diff --git a/patch/0275-backport-fix-CVE-2024-32473.patch b/patch/0275-backport-fix-CVE-2024-32473.patch
new file mode 100644
index 0000000..ca98e45
--- /dev/null
+++ b/patch/0275-backport-fix-CVE-2024-32473.patch
@@ -0,0 +1,60 @@
+From ed5ed46f0aee11f3e4e0fcc2b2ce391460bd4550 Mon Sep 17 00:00:00 2001
+From: chenjiankun
+Date: Wed, 8 May 2024 10:03:36 +0800
+Subject: [PATCH] docker: Disable IPv6 for endpoints in '--ipv6=false' networks
+
+No IPAM IPv6 address is given to an interface in a network with
+'--ipv6=false', but the kernel would assign a link-local address and,
+in a macvlan/ipvlan network, the interface may get a SLAAC-assigned
+address.
+
+So, disable IPv6 on the interface to avoid that.
+
+Signed-off-by: Rob Murray
+
+Conflict:no
+Reference:https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642
+
+---
+ .../docker/libnetwork/osl/interface_linux.go | 21 ++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go b/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
+index a924af4bd..63d0e5650 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
+@@ -377,17 +377,24 @@ func setInterfaceIP(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+ }
+ 
+ func setInterfaceIPv6(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+- if i.AddressIPv6() == nil {
++ addr := i.AddressIPv6()
++ // IPv6 must be enabled on the interface if and only if the network is
++ // IPv6-enabled. For an interface on an IPv4-only network, if IPv6 isn't
++ // disabled, the interface will be put into IPv6 multicast groups making
++ // it unexpectedly susceptible to NDP cache poisoning, route injection, etc.
++ // (At present, there will always be a pre-configured IPv6 address if the
++ // network is IPv6-enabled.)
++ if err := setIPv6(i.ns.path, i.DstName(), addr != nil); err != nil {
++ return fmt.Errorf("failed to configure ipv6: %v", err)
++ }
++ if addr == nil {
+ return nil
+ }
+- if err := checkRouteConflict(nlh, i.AddressIPv6(), netlink.FAMILY_V6); err != nil {
++ if err := checkRouteConflict(nlh, addr, netlink.FAMILY_V6); err != nil {
+ return err
+ }
+- if err := setIPv6(i.ns.path, i.DstName(), true); err != nil {
+- return fmt.Errorf("failed to enable ipv6: %v", err)
+- }
+- ipAddr := &netlink.Addr{IPNet: i.AddressIPv6(), Label: "", Flags: syscall.IFA_F_NODAD}
+- return nlh.AddrAdd(iface, ipAddr)
++ nlAddr := &netlink.Addr{IPNet: addr, Label: "", Flags: syscall.IFA_F_NODAD}
++ return nlh.AddrAdd(iface, nlAddr)
+ }
+ 
+ func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
+-- 
+2.33.0
+
diff --git a/series.conf b/series.conf
index 1d57b58..1cae74c 100644
--- a/series.conf
+++ b/series.conf
@@ -263,4 +263,5 @@ patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch
 patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch
 patch/0273-backport-fix-CVE-2024-24557.patch
 patch/0274-backport-fix-CVE-2024-29018.patch
+patch/0275-backport-fix-CVE-2024-32473.patch
 #end
-- 
Gitee
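Review bot: The new setIPv6 call at the top of setInterfaceIPv6 now runs for every endpoint, and any error it returns is fatal, whereas before the helper only ran when an IPv6 address was present; the hunk does not show how the 18.09 vendored setIPv6 reacts when the per-interface disable_ipv6 sysctl under /proc/sys/net/ipv6 is absent (kernel booted with ipv6.disable=1 or the module not loaded), so that needs confirming before this lands. If that helper reports a missing file as an error, every IPv4-only endpoint on such a host would fail with "failed to configure ipv6" and the backport would regress hosts that currently work, so the disable case should tolerate a missing sysctl and only fail loudly when enabling. Keying the enable/disable decision on `addr != nil` rather than on the network's IPv6 setting is acknowledged in the comment block, but the call site itself deserves a one-line pointer, e.g. `// addr != nil stands in for "network is IPv6-enabled"; revisit if an IPv6 network can hand out no address.` The backport also carries no test, so a unit test asserting that an endpoint with a nil IPv6 address ends up with IPv6 disabled would pin the CVE fix against later merges. setInterfaceIPv6 is complete within the hunk; the vendored setIPv6 it calls is outside it.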