3 Commits

bf59a84620 Backport the missing patch and sync to Factory
* Add a missing backported patch:
  - 0016-bsc1254206-daemon-overlay2-remove-world-writable-per.patch
* Reorder the patches to sync with Factory
2026-02-24 17:53:04 +01:00
6de0656a64 Fix CVE-2025-58181 bsc#1253904
- Places a hard cap on the number of mechanisms that can be specified and
  encoded in the payload. (bsc#1253904, CVE-2025-58181)
  * 0017-CVE-2025-58181-fix-vendor-crypto-ssh-3.patch
2026-02-20 13:18:22 +01:00
rcmadhankumar
e077bad719 remove strings.Split and add parseToken function
fixes bsc#1240513
fixes CVE-2025-30204
2026-02-11 16:05:39 +05:30
6 changed files with 225 additions and 5 deletions


@@ -0,0 +1,41 @@
From 446bfce439f9df2bd068c37bf6203a8fd3c9e2fa Mon Sep 17 00:00:00 2001
From: Jaroslav Jindrak <dzejrou@gmail.com>
Date: Tue, 5 Mar 2024 14:25:50 +0100
Subject: [PATCH 16/18] bsc1254206: daemon: overlay2: remove world writable
permission from the lower file
In de2447c, the creation of the 'lower' file was changed from using
os.Create to using ioutils.AtomicWriteFile, which ignores the system's
umask. This means that even though the requested permission in the
source code was always 0666, it was 0644 on systems with default
umask of 0022 prior to de2447c, so the move to AtomicFile potentially
increased the file's permissions.
This is not a security issue because the parent directory does not
allow writes into the file, but it can confuse security scanners on
Linux-based systems into giving false positives.
Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
(cherry picked from commit cadb124ab679f7e48c917473e28ff7f270d27dd9)
SUSE-Bugs: bsc#1220339 bsc#1254206
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
daemon/graphdriver/overlay2/overlay.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
index 3f06a837c8..e29417c479 100644
--- a/daemon/graphdriver/overlay2/overlay.go
+++ b/daemon/graphdriver/overlay2/overlay.go
@@ -409,7 +409,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
return err
}
if lower != "" {
- if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o666); err != nil {
+ if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o644); err != nil {
return err
}
}
--
2.52.0
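Review bot: The mode passed to `ioutils.AtomicWriteFile` is applied verbatim, so 0o644 is the final on-disk mode regardless of the process umask; on a host with a stricter umask (0077, say) the lower file stays group- and world-readable, whereas the pre-de2447c `os.Create` path would presumably have produced 0600. That is harmless for the reason the description gives, but the constant deserves a line at the call site so it is not "fixed" back to 0o666 by a later cleanup: `// AtomicWriteFile ignores the umask, so this is the on-disk mode; keep it at 0o644 (bsc#1254206).` The enclosing `create` method starts and ends outside the hunk.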


@@ -0,0 +1,89 @@
From fd9e9c4ed1fb52dc66c342366c1e6ebfab9fb671 Mon Sep 17 00:00:00 2001
From: rcmadhankumar <madhankumar.chellamuthu@suse.com>
Date: Thu, 5 Feb 2026 13:33:44 +0530
Subject: [PATCH] CVE-2025-30204 fix: Remove strings.Split and add parseToken
function
--
CVE-2025-30204
golang-jwt is a Go implementation of JSON Web Tokens. Starting in
version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function
parse.ParseUnverified splits (via a call to strings.Split) its argument
(which is untrusted data) on periods. As a result, in the face of a
malicious request whose Authorization header consists of Bearer
followed by many period characters, a call to that function incurs
allocations to the tune of O(n) bytes (where n stands for the length
of the function's argument), with a constant factor of about 16.
This issue is fixed in 5.2.2 and 4.5.2.
reference commit: https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3
Fixes bsc#1240513
Fixes CVE-2025-30204
---
vendor/github.com/golang-jwt/jwt/v4/parser.go | 36 +++++++++++++++++--
1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/vendor/github.com/golang-jwt/jwt/v4/parser.go b/vendor/github.com/golang-jwt/jwt/v4/parser.go
index 2f61a69d7f..9484f285f7 100644
--- a/vendor/github.com/golang-jwt/jwt/v4/parser.go
+++ b/vendor/github.com/golang-jwt/jwt/v4/parser.go
@@ -7,6 +7,8 @@ import (
"strings"
)
+const tokenDelimiter = "."
+
type Parser struct {
// If populated, only these methods will be considered valid.
//
@@ -116,9 +118,10 @@ func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyf
// It's only ever useful in cases where you know the signature is valid (because it has
// been checked previously in the stack) and you want to extract values from it.
func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Token, parts []string, err error) {
- parts = strings.Split(tokenString, ".")
- if len(parts) != 3 {
- return nil, parts, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
+ var ok bool
+ parts, ok = splitToken(tokenString)
+ if !ok {
+ return nil, nil, NewValidationError("token contains an invalid number of segments", ValidationErrorMalformed)
}
token = &Token{Raw: tokenString}
@@ -168,3 +171,30 @@ func (p *Parser) ParseUnverified(tokenString string, claims Claims) (token *Toke
return token, parts, nil
}
+
+// splitToken splits a token string into three parts: header, claims, and signature. It will only
+// return true if the token contains exactly two delimiters and three parts. In all other cases, it
+// will return nil parts and false.
+func splitToken(token string) ([]string, bool) {
+ parts := make([]string, 3)
+ header, remain, ok := strings.Cut(token, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[0] = header
+ claims, remain, ok := strings.Cut(remain, tokenDelimiter)
+ if !ok {
+ return nil, false
+ }
+ parts[1] = claims
+ // One more cut to ensure the signature is the last part of the token and there are no more
+ // delimiters. This avoids an issue where malicious input could contain additional delimiters
+ // causing unecessary overhead parsing tokens.
+ signature, _, unexpected := strings.Cut(remain, tokenDelimiter)
+ if unexpected {
+ return nil, false
+ }
+ parts[2] = signature
+
+ return parts, true
+}
--
2.52.0
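Review bot: The commit title, the patch subject and the changelog entry all say a `parseToken` function is added, but the helper that actually lands in `parser.go` is `splitToken`; the changelog should name the function that exists, or a later reader grepping for `parseToken` will find nothing. Two smaller points in the same hunk: the comment above the third `strings.Cut` misspells `unecessary` (`unnecessary`), and `parts` is allocated before any validation, so the slice could be built only on success with `return []string{header, claims, signature}, true` and the `make` dropped. Note also that `ParseUnverified` now returns `nil` parts on a malformed token where it previously returned the partial split; that matches upstream, but it is a visible change for any caller that inspected `parts` on error and is worth a word in the changelog.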


@@ -0,0 +1,61 @@
From df8c92d0412c56f802e46c847cbcecf5b12e37e3 Mon Sep 17 00:00:00 2001
From: Valentin LEFEBVRE <valentin.lefebvre@suse.com>
Date: Wed, 18 Feb 2026 16:22:29 +0100
Subject: [PATCH 18/18] CVE-2025-58181: fix vendor crypto/ssh (#3)
curb GSSAPI DoS risk by limiting number of specified OIDS
Previously, an attacker could specify an integer up to 0xFFFFFFFF
that would directly allocate memory despite the observability of
the rest of the payload. This change places a hard cap on the
amount of mechanisms that can be specified and encoded in the
payload. Additionally, it performs a small sanity check to deny
payloads whose stated size is contradictory to the observed payload.
Thank you to Jakub Ciolek for reporting this issue.
Fixes CVE-2025-58181
Fixes golang/go#76363
Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
[vlefebvre: Adapt for SUSE-v28.5.1]
Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
---
vendor/golang.org/x/crypto/ssh/ssh_gss.go | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
index 24bd7c8e83..a6249a1227 100644
--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
if !ok {
return nil, errors.New("parse uint32 failed")
}
+ // Each ASN.1 encoded OID must have a minimum
+ // of 2 bytes; 64 maximum mechanisms is an
+ // arbitrary, but reasonable ceiling.
+ const maxMechs = 64
+ if n > maxMechs || int(n)*2 > len(rest) {
+ return nil, errors.New("invalid mechanism count")
+ }
s := &userAuthRequestGSSAPI{
N: n,
OIDS: make([]asn1.ObjectIdentifier, n),
@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
return nil, err
}
-
}
return s, nil
}
--
2.52.0
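Review bot: The new guard `if n > maxMechs || int(n)*2 > len(rest)` depends on evaluation order: `int(n)*2` is only computed once `n <= 64` is established, which is what keeps the product from wrapping on 32-bit targets where `int` is 32 bits and `n` is presumably the uint32 parsed just above. A short comment would stop a later refactor from swapping the operands or splitting the condition: `// Check the cap first: int(n)*2 is only safe because n <= maxMechs here.` The two-bytes-per-OID floor is conservative; if each mechanism is framed as an SSH string with a 4-byte length prefix before `asn1.Unmarshal` runs, the real minimum per entry is larger, but that framing code is outside the hunk so I cannot confirm it. The second hunk only deletes a blank line and is unrelated to the fix. `parseGSSAPIPayload` starts before the first hunk and its loop body continues outside it.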


@@ -4,6 +4,5 @@
"log-opts": {
"max-size": "10m",
"max-file": "5"
},
"selinux-enabled": true
}
}
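Review bot: The removal of `"selinux-enabled": true` from the default daemon.json (from the hunk counts this section appears to drop two lines and add one closing `}`) is not mentioned in the commit message, which only describes adding a patch and reordering; the changelog hunk in the same commit also deletes the Oct 27 entry that introduced the setting for bsc#1252290 instead of adding an entry that records the revert. Silently turning off a security default is exactly the change that gets missed in a later audit, so the commit message should say the SELinux default is being dropped to match Factory, and the changelog should carry a dated entry for it that references bsc#1252290. If the setting is meant to stay, the daemon.json change should be reverted instead.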


@@ -1,8 +1,26 @@
-------------------------------------------------------------------
Mon Oct 27 23:55:45 UTC 2025 - Aleksa Sarai <asarai@suse.com>
Thu Feb 19 14:16:13 UTC 2026 - Valentin Lefebvre <valentin.lefebvre@suse.com>
- Enable SELinux in default daemon.json config (--selinux-enabled). This has no
practical impact on non-SELinux systems. bsc#1252290
- Places a hard cap on the amount of mechanisms that can be specified and
encoded in the payload. (bsc#1253904, CVE-2025-58181)
* 0018-CVE-2025-58181-fix-vendor-crypto-ssh-3.patch
-------------------------------------------------------------------
Wed Feb 11 10:29:11 UTC 2026 - Madhankumar Chellamuthu <madhankumar.chellamuthu@suse.com>
- Backport <https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3>
to remove strings.Split and add parseToken function, bsc#1240513
fixes CVE-2025-30204
+ 0017-CVE-2025-30204-fix-Remove-strings.Split-and-add-pars.patch
-------------------------------------------------------------------
Wed Nov 26 13:25:34 UTC 2025 - Aleksa Sarai <asarai@suse.com>
- Backport <https://github.com/moby/moby/pull/47498> to fix incorrect
permissions for overlayfs lowerdir. In practice the permissions of this
directory are immaterial but some security scanners falsely flag this as an
issue. bsc#1254206
+ 0016-bsc1254206-daemon-overlay2-remove-world-writable-per.patch
-------------------------------------------------------------------
Mon Sep 29 05:25:36 UTC 2025 - Aleksa Sarai <asarai@suse.com>


@@ -135,6 +135,12 @@ Patch208: 0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
Patch209: 0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
# UPSTREAM: Backport of <https://github.com/moby/moby/pull/48517>. bsc#1247362
Patch210: 0015-bsc1247362-release-container-layer-on-export.patch
# UPSTREAM: Backport of <https://github.com/moby/moby/pull/47498>. bsc#1254206
Patch211: 0016-bsc1254206-daemon-overlay2-remove-world-writable-per.patch
# UPSTREAM: Backport of <https://github.com/golang-jwt/jwt/commit/0951d184286dece21f73c85673fd308786ffe9c3>. bsc#1240513
Patch212: 0017-CVE-2025-30204-fix-Remove-strings.Split-and-add-pars.patch
# UPSTREAM: Backport of <https://go-review.googlesource.com/c/crypto/+/721961> bsc#1253904
Patch213: 0018-CVE-2025-58181-fix-vendor-crypto-ssh-3.patch
# UPSTREAM: Backport of <https://github.com/moby/moby/pull/46307> and
# <https://github.com/moby/moby/pull/49061>.
Patch299: 0014-TESTS-backport-fixes-for-integration-tests.patch
@@ -422,6 +428,12 @@ cp %{SOURCE130} .
%patch -P209 -p1
# bsc#1247362
%patch -P210 -p1
# bsc#1254206
%patch -P211 -p1
# bsc#1240513
%patch -P212 -p1
# bsc#1253904
%patch -P213 -p1
%if %{with integration_tests}
# integration-tests patches
%patch -P299 -p1
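Review bot: The `# UPSTREAM:` comment for Patch213 lacks the period after the closing `>` that every neighbouring entry uses, and unlike Patch211 and Patch212 it points at the Gerrit review rather than the landed commit, so the three new comments do not read uniformly; `# UPSTREAM: Backport of <https://go-review.googlesource.com/c/crypto/+/721961>. bsc#1253904` fixes the first part. The numbering is otherwise consistent between the `Patch211`–`Patch213` declarations and the `%patch -P211`…`-P213` lines in the second hunk, and the `# bsc#` comments there follow the existing pattern.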