pool/docker
SHA256
17
0
Fork 1
Code Issues Pull Requests Activity

Compare commits

base: pool:slfo-1.2
Branches Tags
pool:factory pool:slfo-main pool:slfo-1.2
..
compare: pool:slfo-main
Branches Tags
pool:slfo-main pool:slfo-1.2 pool:factory

3 Commits
slfo-1.2 ... slfo-main

Author SHA256 Message Date
vlefebvre
8424502df6 Fix CVE-2025-58181, bsc#1253904 
- Places a hard cap on the amount of mechanisms that can be specified and
  encoded in the payload. (bcs#1253904, CVE-2025-58181)
  * 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch
 2026-02-05 14:40:36 +01:00
Aleksa Sarai
cab94f9484 daemon.json: add --selinux-enabled to default config 
Docker needs this flag to be set in order to actually use SELinux on
SELinux systems. It's no-op for non-SELinux systems.

SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1252290
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 2026-01-30 09:56:43 +01:00
Aleksa Sarai
4c9bf25f0c docker: update to 28.5.1 
- Update to Docker 28.5.1-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/28/#2851>
- Rebased patches:
  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
  * cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
  * cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
- Update to docker-buildx v0.29.0. Upstream changelog:
  <https://github.com/docker/buildx/releases/tag/v0.29.0>
- Remove git-core recommends also on openSUSE: the below argument
  is valid for those users too.
- Remove git-core recommends on SLE. Most SLE systems have
  installRecommends=yes by default and thus end up installing git with Docker.
  bsc#1250508

  This feature is mostly intended for developers ("docker build git://") so
  most users already have the dependency installed, and the error when git is
  missing is fairly straightforward (so they can easily figure out what they
  need to install).
- Update warnings and errors related to "docker buildx ..." so that they
  reference our openSUSE docker-buildx packages.
  + cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
- Enable building docker-buildx for SLE15 systems with SUSEConnect secret
  injection enabled. PED-12534 PED-8905 bsc#1247594

  As docker-buildx does not support our SUSEConnect secret injection (and some
  users depend "docker build" working transparently), patch the docker CLI so
  that "docker build" will no longer automatically call "docker buildx build",
  effectively making DOCKER_BUILDKIT=0 the default configuration. Users can
  manually use "docker buildx ..." commands or set DOCKER_BUILDKIT=1 in order
  to opt-in to using docker-buildx.

  Users can silence the "docker build" warning by setting DOCKER_BUILDKIT=0
  explicitly.

  In order to inject SCC credentials with docker-buildx, users should use

    RUN --mount=type=secret,id=SCCcredentials zypper -n ...

  in their Dockerfiles, and

    docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .

  when doing their builds.

  + cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
 2025-10-22 15:41:29 +11:00
9 changed files with 98 additions and 26 deletions
Expand all files Collapse all files

8
0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
View File

@@ -1,7 +1,7 @@
From 8d12a0ed33fc4e099c59b4d977b2ce18cdc600e1 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Wed, 4 Jun 2025 15:01:37 +1000
Subject: [PATCH 1/6] SECRETS: SUSE: always clear our internal secrets
Subject: [PATCH 1/7] SECRETS: SUSE: always clear our internal secrets
In the future SUSEConnect support patch, we will add swarm secrets with
the ID suse_* containing credentials pertinent to SUSEConnect.
@@ -31,7 +31,7 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
create mode 100644 daemon/suse_secrets.go
diff --git a/daemon/start.go b/daemon/start.go
index a914a0fe3145..0930ff91d1a2 100644
index a914a0fe31..0930ff91d1 100644
--- a/daemon/start.go
+++ b/daemon/start.go
@@ -146,6 +146,16 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
@@ -53,7 +53,7 @@ index a914a0fe3145..0930ff91d1a2 100644
return err
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644
index 000000000000..b8f3d9f9c094
index 0000000000..b8f3d9f9c0
--- /dev/null
+++ b/daemon/suse_secrets.go
@@ -0,0 +1,44 @@
@@ -102,5 +102,5 @@ index 000000000000..b8f3d9f9c094
+ c.SecretReferences = without
+}
--
2.51.0
2.52.0

6
0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
View File

@@ -1,7 +1,7 @@
From c12e6960ee87d7944001e22f0ce3ada72a6a9cea Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 2/6] SECRETS: daemon: allow directory creation in /run/secrets
Subject: [PATCH 2/7] SECRETS: daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is
@@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index f6d9449609b7..520b7f80f162 100644
index f6d9449609..520b7f80f1 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@
@@ -69,5 +69,5 @@ index f6d9449609b7..520b7f80f162 100644
return errors.Wrap(err, "error setting ownership for secret")
}
--
2.51.0
2.52.0

8
0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
View File

@@ -1,7 +1,7 @@
From 915d237a25cc9639de24ad3e36f3d299be137e8a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 3/6] SECRETS: SUSE: implement SUSE container secrets
Subject: [PATCH 3/7] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers.
@@ -22,7 +22,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
2 files changed, 443 insertions(+)
diff --git a/daemon/start.go b/daemon/start.go
index 0930ff91d1a2..02d2f8429c19 100644
index 0930ff91d1..02d2f8429c 100644
--- a/daemon/start.go
+++ b/daemon/start.go
@@ -156,6 +156,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
@@ -38,7 +38,7 @@ index 0930ff91d1a2..02d2f8429c19 100644
if err != nil {
return err
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
index b8f3d9f9c094..5ab96651080b 100644
index b8f3d9f9c0..5ab9665108 100644
--- a/daemon/suse_secrets.go
+++ b/daemon/suse_secrets.go
@@ -18,15 +18,378 @@
@@ -500,5 +500,5 @@ index b8f3d9f9c094..5ab96651080b 100644
+ return nil
+}
--
2.51.0
2.52.0

6
0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
View File

@@ -1,7 +1,7 @@
From c078332b3a52f0e220fd19f476c30dee50f7c1e3 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 22 May 2023 15:44:54 +1000
Subject: [PATCH 4/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
Subject: [PATCH 4/7] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
headers"
This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
@@ -16,7 +16,7 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
index fa0cb3ed25d8..871f6b3f8c1f 100644
index fa0cb3ed25..871f6b3f8c 100644
--- a/daemon/graphdriver/btrfs/btrfs.go
+++ b/daemon/graphdriver/btrfs/btrfs.go
@@ -4,17 +4,12 @@ package btrfs
@@ -42,5 +42,5 @@ index fa0cb3ed25d8..871f6b3f8c1f 100644
static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
--
2.51.0
2.52.0

10
0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
View File

@@ -1,7 +1,7 @@
From e9aff2856f7b827ebb6964b5fd33fc51e2b6f0ec Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 5/6] bsc1073877: apparmor: clobber docker-default profile on
Subject: [PATCH 5/7] bsc1073877: apparmor: clobber docker-default profile on
start
In the process of making docker-default reloading far less expensive,
@@ -22,7 +22,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index a1048e303c1e..e087f6b9265f 100644
index a1048e303c..e087f6b926 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
@@ -54,7 +54,7 @@ index a1048e303c1e..e087f6b9265f 100644
return nil
}
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
index 37974bbb9778..095aa728a7a8 100644
index 37974bbb97..095aa728a7 100644
--- a/daemon/apparmor_default_unsupported.go
+++ b/daemon/apparmor_default_unsupported.go
@@ -2,6 +2,10 @@
@@ -69,7 +69,7 @@ index 37974bbb9778..095aa728a7a8 100644
return nil
}
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 2e0a36eb102b..f28c6e061fa9 100644
index 2e0a36eb10..f28c6e061f 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -878,8 +878,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
@@ -85,5 +85,5 @@ index 2e0a36eb102b..f28c6e061fa9 100644
}
--
2.51.0
2.52.0

14
0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
View File

@@ -1,7 +1,7 @@
From d4db647a40c0c8992dc2eeb862e8bafaff58cca3 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 11 Oct 2023 21:19:12 +1100
Subject: [PATCH 6/6] SLE12: revert "apparmor: remove version-conditionals from
Subject: [PATCH 6/7] SLE12: revert "apparmor: remove version-conditionals from
template"
This reverts the following commits:
@@ -26,7 +26,7 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
create mode 100644 pkg/aaparser/aaparser.go
diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
index 899d8378edae..93f98cbd20e5 100644
index 899d8378ed..93f98cbd20 100644
--- a/contrib/apparmor/main.go
+++ b/contrib/apparmor/main.go
@@ -6,9 +6,13 @@ import (
@@ -69,7 +69,7 @@ index 899d8378edae..93f98cbd20e5 100644
log.Fatalf("executing template failed: %v", err)
}
diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
index 58afcbe845ee..e6d0b6d37c58 100644
index 58afcbe845..e6d0b6d37c 100644
--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@@ -20,9 +20,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
@@ -158,7 +158,7 @@ index 58afcbe845ee..e6d0b6d37c58 100644
/usr/bin/xz rm,
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
new file mode 100644
index 000000000000..89b48b2dba58
index 0000000000..89b48b2dba
--- /dev/null
+++ b/pkg/aaparser/aaparser.go
@@ -0,0 +1,86 @@
@@ -249,7 +249,7 @@ index 000000000000..89b48b2dba58
+ return numericVersion, nil
+}
diff --git a/vendor/github.com/moby/profiles/apparmor/apparmor.go b/vendor/github.com/moby/profiles/apparmor/apparmor.go
index 445eed64e979..871b1f7d63c2 100644
index 445eed64e9..871b1f7d63 100644
--- a/vendor/github.com/moby/profiles/apparmor/apparmor.go
+++ b/vendor/github.com/moby/profiles/apparmor/apparmor.go
@@ -11,10 +11,14 @@ import (
@@ -292,7 +292,7 @@ index 445eed64e979..871b1f7d63c2 100644
}
diff --git a/vendor/github.com/moby/profiles/apparmor/template.go b/vendor/github.com/moby/profiles/apparmor/template.go
index 2ebcc218a702..682425f71e64 100644
index 2ebcc218a7..682425f71e 100644
--- a/vendor/github.com/moby/profiles/apparmor/template.go
+++ b/vendor/github.com/moby/profiles/apparmor/template.go
@@ -22,6 +22,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@@ -322,5 +322,5 @@ index 2ebcc218a702..682425f71e64 100644
}
`
--
2.51.0
2.52.0

61
0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch Normal file
View File

@@ -0,0 +1,61 @@
From 18f10de4708821f26b25bb0605fab7ddc45895cc Mon Sep 17 00:00:00 2001
From: vlefebvre <valentin.lefebvre@suse.com>
Date: Wed, 4 Feb 2026 17:11:29 +0100
Subject: [PATCH 7/7] CVE-2025-58181: fix vendor crypto/ssh
curb GSSAPI DoS risk by limiting number of specified OIDS
Previously, an attacker could specify an integer up to 0xFFFFFFFF
that would directly allocate memory despite the observability of
the rest of the payload. This change places a hard cap on the
amount of mechanisms that can be specified and encoded in the
payload. Additionally, it performs a small sanity check to deny
payloads whose stated size is contradictory to the observed payload.
Thank you to Jakub Ciolek for reporting this issue.
Fixes CVE-2025-58181
Fixes golang/go#76363
Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
[vlefebvre: Adapt for SUSE-v28.5.1]
Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
---
vendor/golang.org/x/crypto/ssh/ssh_gss.go | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
index 24bd7c8e83..a6249a1227 100644
--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
+++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
if !ok {
return nil, errors.New("parse uint32 failed")
}
+ // Each ASN.1 encoded OID must have a minimum
+ // of 2 bytes; 64 maximum mechanisms is an
+ // arbitrary, but reasonable ceiling.
+ const maxMechs = 64
+ if n > maxMechs || int(n)*2 > len(rest) {
+ return nil, errors.New("invalid mechanism count")
+ }
s := &userAuthRequestGSSAPI{
N: n,
OIDS: make([]asn1.ObjectIdentifier, n),
@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
return nil, err
}
-
}
return s, nil
}
--
2.52.0

7
docker.changes
View File

@@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Feb 4 16:30:32 UTC 2026 - Valentin Lefebvre <valentin.lefebvre@suse.com>
- Places a hard cap on the amount of mechanisms that can be specified and
encoded in the payload. (bcs#1253904, CVE-2025-58181)
* 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch
-------------------------------------------------------------------
Mon Oct 27 23:55:45 UTC 2025 - Aleksa Sarai <asarai@suse.com>

4
docker.spec
View File

@@ -109,6 +109,8 @@ Patch200: 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
Patch201: 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
# UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
Patch202: 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
# Fix CVE-2025-58181
Patch300: 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: ca-certificates
@@ -370,6 +372,8 @@ cp %{SOURCE130} .
%patch -P201 -p1
# Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
%patch -P202 -p1
# bsc#1253904 CVE-2025-58181 only for docker < v29.1.0
%patch -P300 -p1
%build
%sysusers_generate_pre %{SOURCE160} %{name} docker.conf