From 0158d9e973b849b2cb8334189f1ba2ca2a523c28 Mon Sep 17 00:00:00 2001
From: Muhammad Falak R Wani
Date: Fri, 10 Jan 2025 01:36:30 +0530
Subject: [PATCH] docker-compose: patch CVE-2024-45337 (#11819)

Signed-off-by: Muhammad Falak R Wani
Co-authored-by: jslobodzian
---
 SPECS/docker-compose/CVE-2024-45337.patch | 80 +++++++++++++++++++++++
 SPECS/docker-compose/docker-compose.spec | 6 +-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/docker-compose/CVE-2024-45337.patch

diff --git a/SPECS/docker-compose/CVE-2024-45337.patch b/SPECS/docker-compose/CVE-2024-45337.patch
new file mode 100644
index 00000000000..868ef502b5d
--- /dev/null
+++ b/SPECS/docker-compose/CVE-2024-45337.patch
@@ -0,0 +1,80 @@
+From 66fd5d19c5ea8c7f4f7ff69bcc93a7c8231ce4cf Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Tue, 3 Dec 2024 09:03:03 -0800
+Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache
+
+Users of the the ssh package seem to extremely commonly misuse the
+PublicKeyCallback API, assuming that the key passed in the last call
+before a connection is established is the key used for authentication.
+Some users then make authorization decisions based on this key. This
+property is not documented, and may not be correct, due to the caching
+behavior of the package, resulting in users making incorrect
+authorization decisions about the connection.
+
+This change makes the cache a one entry FIFO cache, making the assumed
+property, that the last call to PublicKeyCallback represents the key
+actually used for authentication, actually hold.
+
+Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and
+Jules Duvivier from the Platform.sh / Upsun engineering team
+for reporting this issue.
+
+Fixes golang/go#70779
+Fixes CVE-2024-45337
+
+Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315
+Reviewed-by: Roland Shoemaker
+Auto-Submit: Gopher Robot
+Reviewed-by: Damien Neil
+Reviewed-by: Nicola Murino
+LUCI-TryBot-Result: Go LUCI
+Signed-off-by: Muhammad Falak R Wani
+---
+ vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
+index c2dfe32..39dcc09 100644
+--- a/vendor/golang.org/x/crypto/ssh/server.go
++++ b/vendor/golang.org/x/crypto/ssh/server.go
+@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) {
+ }
+ 
+ // cachedPubKey contains the results of querying whether a public key is
+-// acceptable for a user.
++// acceptable for a user. This is a FIFO cache.
+ type cachedPubKey struct {
+ 	user       string
+ 	pubKeyData []byte
+@@ -157,7 +157,13 @@ type cachedPubKey struct {
+ 	perms      *Permissions
+ }
+ 
+-const maxCachedPubKeys = 16
++// maxCachedPubKeys is the number of cache entries we store.
++//
++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this
++// to 1, such that the only key in the cache is the most recently seen one. This
++// forces the behavior that the last call to PublicKeyCallback will always be
++// with the key that is used for authentication.
++const maxCachedPubKeys = 1
+ 
+ // pubKeyCache caches tests for public keys. Since SSH clients
+ // will query whether a public key is acceptable before attempting to
+@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
+ 
+ // add adds the given tuple to the cache.
+ func (c *pubKeyCache) add(candidate cachedPubKey) {
+-	if len(c.keys) < maxCachedPubKeys {
+-		c.keys = append(c.keys, candidate)
++	if len(c.keys) >= maxCachedPubKeys {
++		c.keys = c.keys[1:]
+ 	}
++	c.keys = append(c.keys, candidate)
+ }
+ 
+ // ServerConn is an authenticated SSH connection, as seen from the
+-- 
+2.34.1
+
diff --git a/SPECS/docker-compose/docker-compose.spec b/SPECS/docker-compose/docker-compose.spec
index 6301797a965..eec9881ad79 100644
--- a/SPECS/docker-compose/docker-compose.spec
+++ b/SPECS/docker-compose/docker-compose.spec
@@ -1,7 +1,7 @@
 Summary: Define and run multi-container applications with Docker
 Name: docker-compose
 Version: 2.27.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -12,6 +12,7 @@ Source0: https://github.com/docker/compose/archive/refs/tags/v%{version}.
 # NOTE: govendor-v1 format is for inplace CVE updates so that we do not have to overwrite in the blob-store.
 # After fixing any possible CVE for the vendored source, we must bump v1 -> v2
 Source1: %{name}-%{version}-govendor-v1.tar.gz
+Patch0: CVE-2024-45337.patch
 BuildRequires: golang
 Requires: docker-cli
 Obsoletes: moby-compose < %{version}-%{release}
@@ -44,6 +45,9 @@ install -D -m0755 bin/build/docker-compose %{buildroot}/%{_libexecdir}/docker/cl
 %{_libexecdir}/docker/cli-plugins/docker-compose
 
 %changelog
+* Wed Jan 08 2025 Muhammad Falak - 2.27.0-2
+- Patch CVE-2024-45337
+
 * Thu May 02 2024 CBL-Mariner Servicing Account - 2.27.0-1
 - Auto-upgrade to 2.27.0 - address CVE-2024-23653
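Review bot: `Patch0: CVE-2024-45337.patch` is declared in the first hunk, but nothing in this diff shows it being applied, and the patch rewrites `vendor/golang.org/x/crypto/ssh/server.go`, which lives in the `Source1` govendor tarball rather than in `Source0`. Unless %prep (outside these hunks) extracts the vendor tarball first and then runs `%patch 0 -p1` against it, the build will silently ship the unpatched 16-entry key cache while the changelog claims the CVE is fixed; please confirm the %prep ordering. The spec's own NOTE two lines above `Source1` says that fixing a CVE in the vendored source requires bumping `govendor-v1` to `v2`, yet this commit keeps `Source1: %{name}-%{version}-govendor-v1.tar.gz` — either that convention should be followed here or the NOTE should be updated to say that vendor-tree patches applied via `PatchN` are the exception. The changelog entry could also name the affected component, e.g. `- Patch CVE-2024-45337 in vendored golang.org/x/crypto/ssh`, so future auditors can see which dependency was touched without reading the patch.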