From 7382c72f669d486a7ce504633f879be4cfc89943 Mon Sep 17 00:00:00 2001
From: zhongjiawei
Date: Fri, 6 Dec 2024 11:08:58 +0800
Subject: [PATCH] docker:fix CVE-2024-36623

(cherry picked from commit bac17d509e0e29a47e18ba9950b23a4069b3713b)
---
 VERSION-vendor | 2 +-
 docker.spec | 8 +++-
 git-commit | 2 +-
 ...=> 0281-backport-fix-CVE-2024-36621.patch} | 0
 patch/0282-backport-fix-CVE-2024-36623.patch | 48 +++++++++++++++++++
 series.conf | 3 +-
 6 files changed, 59 insertions(+), 4 deletions(-)
 rename patch/{0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch => 0281-backport-fix-CVE-2024-36621.patch} (100%)
 create mode 100644 patch/0282-backport-fix-CVE-2024-36623.patch

diff --git a/VERSION-vendor b/VERSION-vendor
index ccb4857..f875d93 100644
--- a/VERSION-vendor
+++ b/VERSION-vendor
@@ -1 +1 @@
-18.09.0.344
+18.09.0.345
diff --git a/docker.spec b/docker.spec
index 9e04559..c3d5ea5 100644
--- a/docker.spec
+++ b/docker.spec
@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 344
+Release: 345
 Epoch: 2
 Summary: The open-source application container engine
 Group: Tools/Docker
@@ -225,6 +225,12 @@ fi
 %endif
 
 %changelog
+* Fri Dec 06 2024 zhongjiawei - 2:18.09.0-345
+- Type:CVE
+- CVE:CVE-2024-36623
+- SUG:NA
+- DESC:fix CVE-2024-36623
+
 * Mon Dec 02 2024 zhongjiawei - 2:18.09.0-344
 - Type:CVE
 - CVE:CVE-2024-36621
diff --git a/git-commit b/git-commit
index bae7a93..95b46e0 100644
--- a/git-commit
+++ b/git-commit
@@ -1 +1 @@
-9da17b5107496bcb8d817baadfacf7b82a032262
+760d2ff23dc93f97e0066748ab1e8050e3aaaa25
diff --git a/patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch b/patch/0281-backport-fix-CVE-2024-36621.patch
similarity index 100%
rename from patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch
rename to patch/0281-backport-fix-CVE-2024-36621.patch
diff --git a/patch/0282-backport-fix-CVE-2024-36623.patch b/patch/0282-backport-fix-CVE-2024-36623.patch
new file mode 100644
index 0000000..4c077e6
--- /dev/null
+++ b/patch/0282-backport-fix-CVE-2024-36623.patch
@@ -0,0 +1,48 @@
+From 5e02d7625ef0472e0be29acb30e47255546ced58 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pawe=C5=82=20Gronowski?=
+Date: Thu, 22 Feb 2024 18:01:40 +0100
+Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Sync access to the underlying `io.Writer` with a mutex.
+
+Signed-off-by: Paweł Gronowski
+---
+ components/engine/pkg/streamformatter/streamformatter.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/components/engine/pkg/streamformatter/streamformatter.go b/components/engine/pkg/streamformatter/streamformatter.go
+index 04917d49ab..eaa82e1010 100644
+--- a/components/engine/pkg/streamformatter/streamformatter.go
++++ b/components/engine/pkg/streamformatter/streamformatter.go
+@@ -5,6 +5,7 @@ import (
+ "encoding/json"
+ "fmt"
+ "io"
++ "sync"
+ 
+ "github.com/docker/docker/pkg/jsonmessage"
+ "github.com/docker/docker/pkg/progress"
+@@ -109,6 +110,7 @@ type progressOutput struct {
+ sf formatProgress
+ out io.Writer
+ newLines bool
++ mu sync.Mutex
+ }
+ 
+ // WriteProgress formats progress information from a ProgressReader.
+@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
+ jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
+ formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
+ }
++
++ out.mu.Lock()
++ defer out.mu.Unlock()
+ _, err := out.out.Write(formatted)
+ if err != nil {
+ return err
+--
+2.33.0
+
diff --git a/series.conf b/series.conf
index 015466a..cadbf6c 100644
--- a/series.conf
+++ b/series.conf
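Review bot: The new `mu` serializes only writes that go through `WriteProgress`; `out` is a caller-supplied `io.Writer`, so any other code path that writes the same writer concurrently stays unsynchronized, and the 18.09 call sites that construct a `progressOutput` are outside this patch and should be checked before the CVE is considered closed for this branch. Because the unlock is deferred, the lock is held for the rest of `WriteProgress`, which continues past the end of the inner hunk, so a later write in that tail is covered as well. Embedding a `sync.Mutex` also makes the struct non-copyable: the pointer receiver shown is fine, but confirm the constructor hands out `*progressOutput` rather than a value (`go vet` copylocks will flag a copy). Document the field as `mu sync.Mutex // serializes writes to out; do not copy progressOutput after first use`. The patch file itself names neither the CVE nor the upstream origin beyond the `From 5e02d762...` line; a short header note tying it to CVE-2024-36623 and upstream commit 5e02d7625ef0 would help later auditors map the fix.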
@@ -278,5 +278,6 @@ patch/0277-backport-fix-CVE-2024-41110.patch
 patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
 patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
 patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch
-patch/0281-docker-builder-next-fix-missing-lock-in-ensurelayer.patch
+patch/0281-backport-fix-CVE-2024-36621.patch
+patch/0282-backport-fix-CVE-2024-36623.patch
 #end
-- 
Gitee