Compare commits
27 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| 06d8b0f589 | |||
| 9fdf569ad1 | |||
| adcce3dc4a | |||
| 9f2ae9a0e9 | |||
| b514845da4 | |||
| afd085f8d1 | |||
| d1b7ba8fc8 | |||
| a5d2f5f793 | |||
| de9874d400 | |||
| 0ca729154a | |||
| 9b1482be67 | |||
| b0b42715a7 | |||
| 8cf7456eae | |||
| 6be0f29427 | |||
| cbfcffb90f | |||
| df931afd90 | |||
| f8f5090fcb | |||
| 1571af50e2 | |||
| 92ad80cecc | |||
| 533ef8e35e | |||
| b430a54521 | |||
| 22f297a04a | |||
| 1dc8abd5ca | |||
| 8209c912ee | |||
| 924b24592b | |||
| cff1a2c48d | |||
| a81b7b9cba |
@@ -1,7 +1,7 @@
|
||||
From 8d12a0ed33fc4e099c59b4d977b2ce18cdc600e1 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <cyphar@cyphar.com>
|
||||
Date: Wed, 4 Jun 2025 15:01:37 +1000
|
||||
Subject: [PATCH 1/7] SECRETS: SUSE: always clear our internal secrets
|
||||
Subject: [PATCH 1/6] SECRETS: SUSE: always clear our internal secrets
|
||||
|
||||
In the future SUSEConnect support patch, we will add swarm secrets with
|
||||
the ID suse_* containing credentials pertinent to SUSEConnect.
|
||||
@@ -31,7 +31,7 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||
create mode 100644 daemon/suse_secrets.go
|
||||
|
||||
diff --git a/daemon/start.go b/daemon/start.go
|
||||
index a914a0fe31..0930ff91d1 100644
|
||||
index a914a0fe3145..0930ff91d1a2 100644
|
||||
--- a/daemon/start.go
|
||||
+++ b/daemon/start.go
|
||||
@@ -146,6 +146,16 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
|
||||
@@ -53,7 +53,7 @@ index a914a0fe31..0930ff91d1 100644
|
||||
return err
|
||||
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
|
||||
new file mode 100644
|
||||
index 0000000000..b8f3d9f9c0
|
||||
index 000000000000..b8f3d9f9c094
|
||||
--- /dev/null
|
||||
+++ b/daemon/suse_secrets.go
|
||||
@@ -0,0 +1,44 @@
|
||||
@@ -102,5 +102,5 @@ index 0000000000..b8f3d9f9c0
|
||||
+ c.SecretReferences = without
|
||||
+}
|
||||
--
|
||||
2.52.0
|
||||
2.51.0
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From c12e6960ee87d7944001e22f0ce3ada72a6a9cea Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
||||
Subject: [PATCH 2/7] SECRETS: daemon: allow directory creation in /run/secrets
|
||||
Subject: [PATCH 2/6] SECRETS: daemon: allow directory creation in /run/secrets
|
||||
|
||||
Since FileMode can have the directory bit set, allow a SecretStore
|
||||
implementation to return secrets that are actually directories. This is
|
||||
@@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
1 file changed, 20 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
||||
index f6d9449609..520b7f80f1 100644
|
||||
index f6d9449609b7..520b7f80f162 100644
|
||||
--- a/daemon/container_operations_unix.go
|
||||
+++ b/daemon/container_operations_unix.go
|
||||
@@ -3,6 +3,7 @@
|
||||
@@ -69,5 +69,5 @@ index f6d9449609..520b7f80f1 100644
|
||||
return errors.Wrap(err, "error setting ownership for secret")
|
||||
}
|
||||
--
|
||||
2.52.0
|
||||
2.51.0
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From 915d237a25cc9639de24ad3e36f3d299be137e8a Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||
Subject: [PATCH 3/7] SECRETS: SUSE: implement SUSE container secrets
|
||||
Subject: [PATCH 3/6] SECRETS: SUSE: implement SUSE container secrets
|
||||
|
||||
This allows for us to pass in host credentials to a container, allowing
|
||||
for SUSEConnect to work with containers.
|
||||
@@ -22,7 +22,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
2 files changed, 443 insertions(+)
|
||||
|
||||
diff --git a/daemon/start.go b/daemon/start.go
|
||||
index 0930ff91d1..02d2f8429c 100644
|
||||
index 0930ff91d1a2..02d2f8429c19 100644
|
||||
--- a/daemon/start.go
|
||||
+++ b/daemon/start.go
|
||||
@@ -156,6 +156,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
|
||||
@@ -38,7 +38,7 @@ index 0930ff91d1..02d2f8429c 100644
|
||||
if err != nil {
|
||||
return err
|
||||
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
|
||||
index b8f3d9f9c0..5ab9665108 100644
|
||||
index b8f3d9f9c094..5ab96651080b 100644
|
||||
--- a/daemon/suse_secrets.go
|
||||
+++ b/daemon/suse_secrets.go
|
||||
@@ -18,15 +18,378 @@
|
||||
@@ -500,5 +500,5 @@ index b8f3d9f9c0..5ab9665108 100644
|
||||
+ return nil
|
||||
+}
|
||||
--
|
||||
2.52.0
|
||||
2.51.0
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From c078332b3a52f0e220fd19f476c30dee50f7c1e3 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Mon, 22 May 2023 15:44:54 +1000
|
||||
Subject: [PATCH 4/7] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
|
||||
Subject: [PATCH 4/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
|
||||
headers"
|
||||
|
||||
This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
|
||||
@@ -16,7 +16,7 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||
1 file changed, 4 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
|
||||
index fa0cb3ed25..871f6b3f8c 100644
|
||||
index fa0cb3ed25d8..871f6b3f8c1f 100644
|
||||
--- a/daemon/graphdriver/btrfs/btrfs.go
|
||||
+++ b/daemon/graphdriver/btrfs/btrfs.go
|
||||
@@ -4,17 +4,12 @@ package btrfs
|
||||
@@ -42,5 +42,5 @@ index fa0cb3ed25..871f6b3f8c 100644
|
||||
static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
|
||||
snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
|
||||
--
|
||||
2.52.0
|
||||
2.51.0
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From e9aff2856f7b827ebb6964b5fd33fc51e2b6f0ec Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
||||
Subject: [PATCH 5/7] bsc1073877: apparmor: clobber docker-default profile on
|
||||
Subject: [PATCH 5/6] bsc1073877: apparmor: clobber docker-default profile on
|
||||
start
|
||||
|
||||
In the process of making docker-default reloading far less expensive,
|
||||
@@ -22,7 +22,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
3 files changed, 17 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
|
||||
index a1048e303c..e087f6b926 100644
|
||||
index a1048e303c1e..e087f6b9265f 100644
|
||||
--- a/daemon/apparmor_default.go
|
||||
+++ b/daemon/apparmor_default.go
|
||||
@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
|
||||
@@ -54,7 +54,7 @@ index a1048e303c..e087f6b926 100644
|
||||
return nil
|
||||
}
|
||||
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
|
||||
index 37974bbb97..095aa728a7 100644
|
||||
index 37974bbb9778..095aa728a7a8 100644
|
||||
--- a/daemon/apparmor_default_unsupported.go
|
||||
+++ b/daemon/apparmor_default_unsupported.go
|
||||
@@ -2,6 +2,10 @@
|
||||
@@ -69,7 +69,7 @@ index 37974bbb97..095aa728a7 100644
|
||||
return nil
|
||||
}
|
||||
diff --git a/daemon/daemon.go b/daemon/daemon.go
|
||||
index 2e0a36eb10..f28c6e061f 100644
|
||||
index 2e0a36eb102b..f28c6e061fa9 100644
|
||||
--- a/daemon/daemon.go
|
||||
+++ b/daemon/daemon.go
|
||||
@@ -878,8 +878,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||
@@ -85,5 +85,5 @@ index 2e0a36eb10..f28c6e061f 100644
|
||||
}
|
||||
|
||||
--
|
||||
2.52.0
|
||||
2.51.0
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
From d4db647a40c0c8992dc2eeb862e8bafaff58cca3 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 11 Oct 2023 21:19:12 +1100
|
||||
Subject: [PATCH 6/7] SLE12: revert "apparmor: remove version-conditionals from
|
||||
Subject: [PATCH 6/6] SLE12: revert "apparmor: remove version-conditionals from
|
||||
template"
|
||||
|
||||
This reverts the following commits:
|
||||
@@ -26,7 +26,7 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||
create mode 100644 pkg/aaparser/aaparser.go
|
||||
|
||||
diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
|
||||
index 899d8378ed..93f98cbd20 100644
|
||||
index 899d8378edae..93f98cbd20e5 100644
|
||||
--- a/contrib/apparmor/main.go
|
||||
+++ b/contrib/apparmor/main.go
|
||||
@@ -6,9 +6,13 @@ import (
|
||||
@@ -69,7 +69,7 @@ index 899d8378ed..93f98cbd20 100644
|
||||
log.Fatalf("executing template failed: %v", err)
|
||||
}
|
||||
diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
|
||||
index 58afcbe845..e6d0b6d37c 100644
|
||||
index 58afcbe845ee..e6d0b6d37c58 100644
|
||||
--- a/contrib/apparmor/template.go
|
||||
+++ b/contrib/apparmor/template.go
|
||||
@@ -20,9 +20,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
||||
@@ -158,7 +158,7 @@ index 58afcbe845..e6d0b6d37c 100644
|
||||
/usr/bin/xz rm,
|
||||
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
|
||||
new file mode 100644
|
||||
index 0000000000..89b48b2dba
|
||||
index 000000000000..89b48b2dba58
|
||||
--- /dev/null
|
||||
+++ b/pkg/aaparser/aaparser.go
|
||||
@@ -0,0 +1,86 @@
|
||||
@@ -249,7 +249,7 @@ index 0000000000..89b48b2dba
|
||||
+ return numericVersion, nil
|
||||
+}
|
||||
diff --git a/vendor/github.com/moby/profiles/apparmor/apparmor.go b/vendor/github.com/moby/profiles/apparmor/apparmor.go
|
||||
index 445eed64e9..871b1f7d63 100644
|
||||
index 445eed64e979..871b1f7d63c2 100644
|
||||
--- a/vendor/github.com/moby/profiles/apparmor/apparmor.go
|
||||
+++ b/vendor/github.com/moby/profiles/apparmor/apparmor.go
|
||||
@@ -11,10 +11,14 @@ import (
|
||||
@@ -292,7 +292,7 @@ index 445eed64e9..871b1f7d63 100644
|
||||
}
|
||||
|
||||
diff --git a/vendor/github.com/moby/profiles/apparmor/template.go b/vendor/github.com/moby/profiles/apparmor/template.go
|
||||
index 2ebcc218a7..682425f71e 100644
|
||||
index 2ebcc218a702..682425f71e64 100644
|
||||
--- a/vendor/github.com/moby/profiles/apparmor/template.go
|
||||
+++ b/vendor/github.com/moby/profiles/apparmor/template.go
|
||||
@@ -22,6 +22,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||
@@ -322,5 +322,5 @@ index 2ebcc218a7..682425f71e 100644
|
||||
}
|
||||
`
|
||||
--
|
||||
2.52.0
|
||||
2.51.0
|
||||
|
||||
|
||||
@@ -1,61 +0,0 @@
|
||||
From 18f10de4708821f26b25bb0605fab7ddc45895cc Mon Sep 17 00:00:00 2001
|
||||
From: vlefebvre <valentin.lefebvre@suse.com>
|
||||
Date: Wed, 4 Feb 2026 17:11:29 +0100
|
||||
Subject: [PATCH 7/7] CVE-2025-58181: fix vendor crypto/ssh
|
||||
|
||||
curb GSSAPI DoS risk by limiting number of specified OIDS
|
||||
|
||||
Previously, an attacker could specify an integer up to 0xFFFFFFFF
|
||||
that would directly allocate memory despite the observability of
|
||||
the rest of the payload. This change places a hard cap on the
|
||||
amount of mechanisms that can be specified and encoded in the
|
||||
payload. Additionally, it performs a small sanity check to deny
|
||||
payloads whose stated size is contradictory to the observed payload.
|
||||
|
||||
Thank you to Jakub Ciolek for reporting this issue.
|
||||
|
||||
Fixes CVE-2025-58181
|
||||
Fixes golang/go#76363
|
||||
|
||||
Change-Id: I0307ab3e906a3f2ae763b5f9f0310f7073f84485
|
||||
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/721961
|
||||
Auto-Submit: Roland Shoemaker <roland@golang.org>
|
||||
Reviewed-by: Damien Neil <dneil@google.com>
|
||||
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||
|
||||
[vlefebvre: Adapt for SUSE-v28.5.1]
|
||||
|
||||
Signed-off-by: vlefebvre <valentin.lefebvre@suse.com>
|
||||
---
|
||||
vendor/golang.org/x/crypto/ssh/ssh_gss.go | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
|
||||
index 24bd7c8e83..a6249a1227 100644
|
||||
--- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go
|
||||
+++ b/vendor/golang.org/x/crypto/ssh/ssh_gss.go
|
||||
@@ -106,6 +106,13 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
|
||||
if !ok {
|
||||
return nil, errors.New("parse uint32 failed")
|
||||
}
|
||||
+ // Each ASN.1 encoded OID must have a minimum
|
||||
+ // of 2 bytes; 64 maximum mechanisms is an
|
||||
+ // arbitrary, but reasonable ceiling.
|
||||
+ const maxMechs = 64
|
||||
+ if n > maxMechs || int(n)*2 > len(rest) {
|
||||
+ return nil, errors.New("invalid mechanism count")
|
||||
+ }
|
||||
s := &userAuthRequestGSSAPI{
|
||||
N: n,
|
||||
OIDS: make([]asn1.ObjectIdentifier, n),
|
||||
@@ -122,7 +129,6 @@ func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
|
||||
if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
-
|
||||
}
|
||||
return s, nil
|
||||
}
|
||||
--
|
||||
2.52.0
|
||||
|
||||
0
docker-integration.sh
Executable file → Normal file
0
docker-integration.sh
Executable file → Normal file
@@ -1,9 +1,8 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 4 16:30:32 UTC 2026 - Valentin Lefebvre <valentin.lefebvre@suse.com>
|
||||
Fri Nov 28 08:17:00 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Places a hard cap on the amount of mechanisms that can be specified and
|
||||
encoded in the payload. (bcs#1253904, CVE-2025-58181)
|
||||
* 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch
|
||||
- Add Requires containers-selinux on systems with selinux-policy installed.
|
||||
bsc#1252672
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Oct 27 23:55:45 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
@@ -109,8 +109,6 @@ Patch200: 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
||||
Patch201: 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||
# UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
|
||||
Patch202: 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||
# Fix CVE-2025-58181
|
||||
Patch300: 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch
|
||||
BuildRequires: audit
|
||||
BuildRequires: bash-completion
|
||||
BuildRequires: ca-certificates
|
||||
@@ -134,6 +132,7 @@ BuildRequires: pkgconfig(libsystemd)
|
||||
%if 0%{?suse_version} >= 1500
|
||||
# This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
|
||||
# don't need to support Docker+selinux for SLE 12 anyway.
|
||||
Requires: (container-selinux if selinux-policy)
|
||||
Requires: (apparmor-parser or container-selinux)
|
||||
# This recommends is added to make sure that even if you have container-selinux
|
||||
# installed you will still be prompted to install apparmor-parser which Docker
|
||||
@@ -372,8 +371,6 @@ cp %{SOURCE130} .
|
||||
%patch -P201 -p1
|
||||
# Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
|
||||
%patch -P202 -p1
|
||||
# bsc#1253904 CVE-2025-58181 only for docker < v29.1.0
|
||||
%patch -P300 -p1
|
||||
|
||||
%build
|
||||
%sysusers_generate_pre %{SOURCE160} %{name} docker.conf
|
||||
|
||||
Reference in New Issue
Block a user