diff --git a/VERSION-vendor b/VERSION-vendor
index e145489bbdc105a0b7474bb86edd7c6e3b513783..3f787290eadc71f19ea9f8c0f84dfd9317f36c67 100644
--- a/VERSION-vendor
+++ b/VERSION-vendor
@@ -1 +1 @@
-18.09.0.263
+18.09.0.264
diff --git a/docker-engine-openeuler.spec b/docker-engine-openeuler.spec
index 18c82ca2229283e622ada979a82c8f2f3726eb3b..19dbf4a1c1ec0a8e919b6f11f08ac439b9d9d3b4 100644
--- a/docker-engine-openeuler.spec
+++ b/docker-engine-openeuler.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 263
+Release: 264
 Epoch: 1
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -199,6 +199,12 @@ fi
 %endif
 
 %changelog
+* Mon Apr 01 2024 zhongjiawei - 18.09.0-264
+- Type:CVE
+- CVE:CVE-2024-29018
+- SUG:NA
+- DESC:fix CVE-2024-29018
+
 * Tue Mar 19 2024 chenjiankun - 18.09.0-263
 - Type:CVE
 - CVE:CVE-2024-24557
diff --git a/patch/0274-backport-fix-CVE-2024-29018.patch b/patch/0274-backport-fix-CVE-2024-29018.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1f4994f711f9a643dbcaabf78406d027729af035
--- /dev/null
+++ b/patch/0274-backport-fix-CVE-2024-29018.patch
@@ -0,0 +1,101 @@
+From e90f75c9e91427aa6254a89a10c619a17e2be594 Mon Sep 17 00:00:00 2001
+From: chenjiankun
+Date: Thu, 28 Mar 2024 17:16:11 +0800
+Subject: [PATCH] docker: fix CVE-2024-29018
+
+libnet: Don't forward to upstream resolvers on internal nw
+
+Commit cbc2a71 makes `connect` syscall fail fast when a container is
+only attached to an internal network. Thanks to that, if such a
+container tries to resolve an "external" domain, the embedded resolver
+returns an error immediately instead of waiting for a timeout.
+
+This commit makes sure the embedded resolver doesn't even try to forward
+to upstream servers.
+
+Conflict:libnetwork/resolver.go,sandbox_dns_unix.go
+Reference:https://github.com/moby/moby/commit/790c3039d0ca5ed86ecd099b4b571496607628bc
+---
+ .../vendor/github.com/docker/libnetwork/endpoint.go | 13 ++++++++++++-
+ .../vendor/github.com/docker/libnetwork/resolver.go | 9 +++++++++
+ .../docker/libnetwork/sandbox_dns_unix.go | 6 +++++-
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/endpoint.go b/components/engine/vendor/github.com/docker/libnetwork/endpoint.go
+index 822f88bd3..914169199 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/endpoint.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/endpoint.go
+@@ -550,7 +550,13 @@ func (ep *endpoint) sbJoin(sb *sandbox, options ...EndpointOption) (err error) {
+ return sb.setupDefaultGW()
+ }
+
+- moveExtConn := sb.getGatewayEndpoint() != extEp
++ currentExtEp := sb.getGatewayEndpoint()
++ // Enable upstream forwarding if the sandbox gained external connectivity.
++ if sb.resolver != nil {
++ sb.resolver.SetForwardingPolicy(currentExtEp != nil)
++ }
++
++ moveExtConn := currentExtEp != extEp
+
+ if moveExtConn {
+ if extEp != nil {
+@@ -786,6 +792,11 @@ func (ep *endpoint) sbLeave(sb *sandbox, force bool, options ...EndpointOption)
+
+ // New endpoint providing external connectivity for the sandbox
+ extEp = sb.getGatewayEndpoint()
++ // Disable upstream forwarding if the sandbox lost external connectivity.
++ if sb.resolver != nil {
++ sb.resolver.SetForwardingPolicy(extEp != nil)
++ }
++
+ if moveExtConn && extEp != nil {
+ logrus.Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
+ extN, err := extEp.getNetworkFromStore()
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/resolver.go b/components/engine/vendor/github.com/docker/libnetwork/resolver.go
+index 04afe7a1d..0e44352d7 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/resolver.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/resolver.go
+@@ -24,6 +24,9 @@ type Resolver interface {
+ // SetupFunc() provides the setup function that should be run
+ // in the container's network namespace.
+ SetupFunc(int) func()
++ // SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
++ // external servers.
++ SetForwardingPolicy(bool)
+ // NameServer() returns the IP of the DNS resolver for the
+ // containers.
+ NameServer() string
+@@ -196,6 +199,12 @@ func (r *resolver) SetExtServers(extDNS []extDNSEntry) {
+ }
+ }
+
++// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
++// external servers.
++func (r *resolver) SetForwardingPolicy(policy bool) {
++ r.proxyDNS = policy
++}
++
+ func (r *resolver) NameServer() string {
+ return r.listenAddress
+ }
+diff --git a/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go b/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go
+index db1b66b19..484987a83 100644
+--- a/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go
++++ b/components/engine/vendor/github.com/docker/libnetwork/sandbox_dns_unix.go
+@@ -27,7 +27,11 @@ const (
+ func (sb *sandbox) startResolver(restore bool) {
+ sb.resolverOnce.Do(func() {
+ var err error
+- sb.resolver = NewResolver(resolverIPSandbox, true, sb.Key(), sb)
++ // The resolver is started with proxyDNS=false if the sandbox does not currently
++ // have a gateway. So, if the Sandbox is only connected to an 'internal' network,
++ // it will not forward DNS requests to external resolvers. The resolver's
++ // proxyDNS setting is then updated as network Endpoints are added/removed.
++ sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb.Key(), sb)
+ defer func() {
+ if err != nil {
+ sb.resolver = nil
+-- 
+2.33.0
+
diff --git a/series.conf b/series.conf
index 16ce041354c9b3db053e64264dcec57e64bad23c..1d57b58b91a3934ff1b1df31e9b9547b36b8c6c8 100644
--- a/series.conf
+++ b/series.conf
@@ -262,4 +262,5 @@ patch/0270-Update-daemon_linux.go-for-preventing-off-by-one.patch
 patch/0271-libnetwork-processEndpointDelete-Fix-deadlock-betwee.patch
 patch/0272-Fixes-41871-Update-daemon-daemon.go-resume-healthche.patch
 patch/0273-backport-fix-CVE-2024-24557.patch
+patch/0274-backport-fix-CVE-2024-29018.patch
 #end
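Review bot: The new `SetForwardingPolicy` in the resolver.go hunk is a bare `r.proxyDNS = policy`, yet the endpoint.go hunks call it from `sbJoin` and `sbLeave` on every endpoint join/leave while the resolver is already serving, so whatever reads `r.proxyDNS` on the DNS-serving goroutines (the readers are outside this hunk; in libnetwork that is the `ServeDNS` forwarding decision) now races with this write with no synchronization, which the Go memory model gives no visibility guarantee for and `-race` would flag. For a fix whose whole point is "stop forwarding the moment the gateway goes away", a read that does not observe the new value is exactly the behaviour the CVE is about, so the flag should be stored and loaded atomically or under a lock; I believe the referenced upstream commit does store it atomically, so it is worth checking how the noted `Conflict:` in resolver.go was resolved. The `proxyDNS` field declaration, `NewResolver`, and the readers all sit outside the hunk and need the matching change (`proxyDNS uint32`, readers use `atomic.LoadUint32(&r.proxyDNS) != 0`, file imports `sync/atomic`); `atomic.StoreUint32`/`LoadUint32` work on any Go version, whereas `atomic.Bool` needs Go 1.19+, which a tree at docker 18.09 may not build with.
```go
// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
// external servers. The flag is stored atomically because this runs on endpoint join/leave while the
// resolver's serving goroutines read it concurrently.
func (r *resolver) SetForwardingPolicy(policy bool) {
	var v uint32
	if policy {
		v = 1
	}
	atomic.StoreUint32(&r.proxyDNS, v)
}
```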