From b38bd9f95947361291ff36f42d73d9ce0295d612 Mon Sep 17 00:00:00 2001
From: shechenglong
Date: Thu, 17 Apr 2025 17:27:01 +0800
Subject: [PATCH] daemon: overlay2: remove world writable permission from the lower file

Signed-off-by: shechenglong
---
 ...remove-world-writable-permission-fro.patch | 43 +++++++++++++++++++
 moby.spec | 6 ++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 1014-daemon-overlay2-remove-world-writable-permission-fro.patch

diff --git a/1014-daemon-overlay2-remove-world-writable-permission-fro.patch b/1014-daemon-overlay2-remove-world-writable-permission-fro.patch
new file mode 100644
index 0000000..cfde8f3
--- /dev/null
+++ b/1014-daemon-overlay2-remove-world-writable-permission-fro.patch
@@ -0,0 +1,43 @@
+From d0d85f6438af71ddd15d0441ec219daba192d4e5 Mon Sep 17 00:00:00 2001
+From: Jaroslav Jindrak
+Date: Tue, 5 Mar 2024 14:25:50 +0100
+Subject: [PATCH 022/172] daemon: overlay2: remove world writable permission
+ from the lower file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In de2447c, the creation of the 'lower' file was changed from using
+os.Create to using ioutils.AtomicWriteFile, which ignores the system's
+umask. This means that even though the requested permission in the
+source code was always 0666, it was 0644 on systems with default
+umask of 0022 prior to de2447c, so the move to AtomicFile potentially
+increased the file's permissions.
+
+This is not a security issue because the parent directory does not
+allow writes into the file, but it can confuse security scanners on
+Linux-based systems into giving false positives.
+
+Signed-off-by: Jaroslav Jindrak
+(cherry picked from commit cadb124ab679f7e48c917473e28ff7f270d27dd9)
+Signed-off-by: Paweł Gronowski
+---
+ daemon/graphdriver/overlay2/overlay.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
+index 4f61ac8c08..4cf157e90f 100644
+--- a/daemon/graphdriver/overlay2/overlay.go
++++ b/daemon/graphdriver/overlay2/overlay.go
+@@ -406,7 +406,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
+ return err
+ }
+ if lower != "" {
+- if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o666); err != nil {
++ if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o644); err != nil {
+ return err
+ }
+ }
+--
+2.27.0
+
diff --git a/moby.spec b/moby.spec
index 46b21af..18c3aec 100644
--- a/moby.spec
+++ b/moby.spec
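Review bot: The replacement mode on the `++ if err := ioutils.AtomicWriteFile(..., 0o644)` line is applied unconditionally, so it only restores parity with the pre-de2447c result under the default umask of 022; the nested commit message itself states that AtomicWriteFile ignores the process umask, which means a daemon started under a stricter umask (for example 077, where os.Create would have produced 0600) still ends up with a group- and world-readable lower file after this backport. If the packaged daemon is expected to honour a hardened umask, the backport could use `0o600` instead, assuming nothing outside the daemon reads the file, or the spec changelog could record the limitation so that scanner findings on such hosts are explainable. Whether `dir` itself is created with a mode that already denies access to other users cannot be confirmed from this patch, because the enclosing `create` function continues outside the nested hunk.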
@@ -7,7 +7,7 @@
 
 Name: moby
 Version: 25.0.3
-Release: 25
+Release: 26
 Summary: The open-source application container engine
 License: Apache-2.0
 URL: https://www.docker.com
@@ -37,6 +37,7 @@ Patch1010: 1010-fix-CVE-2024-36621.patch
 Patch1011: 1011-fix-CVE-2024-36620.patch
 Patch1012: 1012-fix-CVE-2024-36623.patch
 Patch1013: 1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch
+Patch1014: 1014-daemon-overlay2-remove-world-writable-permission-fro.patch
 # Patch 2001-2999 for tini
 Patch2001: 2001-tini.c-a-function-declaration-without-a-prototype-is.patch
 Requires(meta): %{name}-engine = %{version}-%{release}
@@ -228,6 +229,9 @@ fi
 %systemd_postun_with_restart docker.service
 
 %changelog
+* Thu Apr 17 2025 shechenglong - 25.0.3-26
+- daemon: overlay2: remove world writable permission from the lower file
+
 * Thu Apr 17 2025 shechenglong - 25.0.3-25
 - Don't enforce new validation rules for existing networks
 
--
Gitee