MIRRORS/meta-virtualization
1
0
Fork 0
mirror of git://git.yoctoproject.org/meta-virtualization.git synced 2025-07-19 20:59:41 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

docker-distribution: fix CVE-2025-24976

Browse Source 
Backport patch to fix CVE-2025-24976.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
This commit is contained in:
Chen Qi 2025-03-05 18:19:01 -08:00 committed by Bruce Ashfield
parent b5a1645250
commit cf982c9fad
2 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
recipes-containers/docker-distribution/docker-distribution_git.bb
View File

@ -9,6 +9,7 @@ SRC_URI = "git://github.com/docker/distribution.git;branch=release/2.8;name=dist
file://0001-build-use-to-use-cross-go-compiler.patch \ file://0001-build-use-to-use-cross-go-compiler.patch \
file://0001-Fix-runaway-allocation-on-v2-_catalog.patch \ file://0001-Fix-runaway-allocation-on-v2-_catalog.patch \
file://0001-panicwrap-Use-dup3-on-riscv64-linux.patch \ file://0001-panicwrap-Use-dup3-on-riscv64-linux.patch \
file://0001-Fix-registry-token-authentication-bug.patch \
" "
PACKAGES =+ "docker-registry" PACKAGES =+ "docker-registry"

49
recipes-containers/docker-distribution/files/0001-Fix-registry-token-authentication-bug.patch Normal file
View File

@ -0,0 +1,49 @@
From ff9eed251cfd7dd279ea231a289cc784fd7f829f Mon Sep 17 00:00:00 2001
From: Milos Gajdos <milosthegajdos@gmail.com>
Date: Sat, 1 Feb 2025 15:30:18 -0800
Subject: [PATCH] Fix registry token authentication bug
When a JWT contains a JWK header without a certificate chain,
the original code only checked if the KeyID (kid) matches one of the trusted keys,
but doesn't verify that the actual key material matches.
As a result, if an attacker guesses the kid, they can inject an
untrusted key which would then be used to grant access to protected
data.
This fixes the issue such as only the trusted key is verified.
Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
CVE: CVE-2025-24976
Upstream-Status: Backport [https://github.com/distribution/distribution/commit/f4a500caf68169dccb0b54cb90523e68ee1ac2be]
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
registry/auth/token/token.go | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/registry/auth/token/token.go b/registry/auth/token/token.go
index f803415f..fbcf5bfa 100644
--- a/registry/auth/token/token.go
+++ b/registry/auth/token/token.go
@@ -290,12 +290,13 @@ func parseAndVerifyRawJWK(rawJWK *json.RawMessage, verifyOpts VerifyOptions) (pu
x5cVal, ok := pubKey.GetExtendedField("x5c").([]interface{})
if !ok {
// The JWK should be one of the trusted root keys.
- if _, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]; !trusted {
+ trustedKey, trusted := verifyOpts.TrustedKeys[pubKey.KeyID()]
+ if !trusted {
return nil, errors.New("untrusted JWK with no certificate chain")
}
// The JWK is one of the trusted keys.
- return
+ return trustedKey, nil
}
// Ensure each item in the chain is of the correct type.
--
2.25.1