8 changed files with 2 additions and 431 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-18.09.0.271
+18.09.0.266
--- a/docker-engine-openeuler.spec
+++ b/docker-engine-openeuler.spec
@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 271
+Release: 266
 Epoch: 1
 Summary: The open-source application container engine
 Group: Tools/Docker
@ -199,36 +199,6 @@ fi
 %endif

 %changelog
-* Fri Dec 06 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1:18.09.0-271
- Type:CVE
- CVE:CVE-2024-36623
- SUG:NA
- DESC:fix CVE-2024-36623
-
-* Mon Dec 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1:18.09.0-270
- Type:CVE
- CVE:CVE-2024-36621
- SUG:NA
- DESC:fix missing lock in ensurelayer
-
-* Sat Aug 31 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1:18.09.0-269
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:try to reconnect when containerd grpc return unexpected EOF
-
-* Fri Aug 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 1:18.09.0-268
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:add clone3 seccomp whitelist for arm64
-
-* Fri Jul 26 2024 zhongjiawei<zhongjiawei1@huawei.com> - 18.09.0-267
- Type:CVE
- CVE:CVE-2024-41110
- SUG:NA
- DESC:fix CVE-2024-41110
-
 * Mon Jul 15 2024 chenjiankun<chenjiankun1@huawei.com> - 18.09.0-266
 - Type:bugfix
 - CVE:NA
--- a/patch/0277-backport-fix-CVE-2024-41110.patch
+++ b/patch/0277-backport-fix-CVE-2024-41110.patch
@ -1,169 +0,0 @@
-From fc274cd2ff4cf3b48c91697fb327dd1fb95588fb Mon Sep 17 00:00:00 2001
-From: Jameson Hyde <jameson.hyde@docker.com>
-Date: Mon, 26 Nov 2018 14:15:22 -0500
-Subject: [PATCH] Authz plugin security fixes for 0-length content and path
- validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
-
-fix comments
-
-(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e)
-Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
-Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
---
- components/engine/pkg/authorization/authz.go  | 38 ++++++++++++--
- .../pkg/authorization/authz_unix_test.go      | 49 +++++++++++++++++--
- 2 files changed, 80 insertions(+), 7 deletions(-)
-
-diff --git a/components/engine/pkg/authorization/authz.go b/components/engine/pkg/authorization/authz.go
-index a1edbcd8..f63b8851 100644
--- a/components/engine/pkg/authorization/authz.go
-+++ b/components/engine/pkg/authorization/authz.go
-@@ -7,6 +7,8 @@ import (
- 	"io"
- 	"mime"
- 	"net/http"
-+	"net/url"
-+	"regexp"
- 	"strings"
- 
- 	"github.com/docker/docker/pkg/ioutils"
-@@ -52,10 +54,23 @@ type Ctx struct {
- 	authReq *Request
- }
- 
-+func isChunked(r *http.Request) bool {
-+	//RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
-+	if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
-+		return true
-+	}
-+	for _, v := range r.TransferEncoding {
-+		if 0 == strings.Compare(strings.ToLower(v), "chunked") {
-+			return true
-+		}
-+	}
-+	return false
-+}
-+
- // AuthZRequest authorized the request to the docker daemon using authZ plugins
- func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
- 	var body []byte
-	if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
-+	if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
- 		var err error
- 		body, r.Body, err = drainBody(r.Body)
- 		if err != nil {
-@@ -108,7 +123,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
- 	if sendBody(ctx.requestURI, rm.Header()) {
- 		ctx.authReq.ResponseBody = rm.RawBody()
- 	}
-
- 	for _, plugin := range ctx.plugins {
- 		logrus.Debugf("AuthZ response using plugin %s", plugin.Name())
- 
-@@ -146,10 +160,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
- 	return nil, newBody, err
- }
- 
-+func isAuthEndpoint(urlPath string) (bool, error) {
-+	// eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
-+	matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath)
-+	if err != nil {
-+		return false, err
-+	}
-+	return matched, nil
-+}
-+
- // sendBody returns true when request/response body should be sent to AuthZPlugin
-func sendBody(url string, header http.Header) bool {
-+func sendBody(inURL string, header http.Header) bool {
-+	u, err := url.Parse(inURL)
-+	// Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
-+	if err != nil {
-+		return false
-+	}
-+
- 	// Skip body for auth endpoint
-	if strings.HasSuffix(url, "/auth") {
-+	isAuth, err := isAuthEndpoint(u.Path)
-+	if isAuth || err != nil {
- 		return false
- 	}
- 
-diff --git a/components/engine/pkg/authorization/authz_unix_test.go b/components/engine/pkg/authorization/authz_unix_test.go
-index cfdb9a00..0fc51d32 100644
--- a/components/engine/pkg/authorization/authz_unix_test.go
-+++ b/components/engine/pkg/authorization/authz_unix_test.go
-@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
- 
- func TestSendBody(t *testing.T) {
- 	var (
-		url       = "nothing.com"
- 		testcases = []struct {
-+			url         string
- 			contentType string
- 			expected    bool
- 		}{
-@@ -219,15 +219,58 @@ func TestSendBody(t *testing.T) {
- 				contentType: "",
- 				expected:    false,
- 			},
-+			{
-+				url:         "nothing.com/auth",
-+				contentType: "",
-+				expected:    false,
-+			},
-+			{
-+				url:         "nothing.com/auth",
-+				contentType: "application/json;charset=UTF8",
-+				expected:    false,
-+			},
-+			{
-+				url:         "nothing.com/auth?p1=test",
-+				contentType: "application/json;charset=UTF8",
-+				expected:    false,
-+			},
-+			{
-+				url:         "nothing.com/test?p1=/auth",
-+				contentType: "application/json;charset=UTF8",
-+				expected:    true,
-+			},
-+			{
-+				url:         "nothing.com/something/auth",
-+				contentType: "application/json;charset=UTF8",
-+				expected:    true,
-+			},
-+			{
-+				url:         "nothing.com/auth/test",
-+				contentType: "application/json;charset=UTF8",
-+				expected:    false,
-+			},
-+			{
-+				url:         "nothing.com/v1.24/auth/test",
-+				contentType: "application/json;charset=UTF8",
-+				expected:    false,
-+			},
-+			{
-+				url:         "nothing.com/v1/auth/test",
-+				contentType: "application/json;charset=UTF8",
-+				expected:    false,
-+			},
- 		}
- 	)
- 
- 	for _, testcase := range testcases {
- 		header := http.Header{}
- 		header.Set("Content-Type", testcase.contentType)
-+		if testcase.url == "" {
-+			testcase.url = "nothing.com"
-+		}
- 
-		if b := sendBody(url, header); b != testcase.expected {
-			t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
-+		if b := sendBody(testcase.url, header); b != testcase.expected {
-+			t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
- 		}
- 	}
- }
-- 
-2.33.0
-
--- a/patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
+++ b/patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
@ -1,41 +0,0 @@
-From c2bc614038532cfbd1db9bfe8ff3949b1867a5c5 Mon Sep 17 00:00:00 2001
-From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Fri, 2 Aug 2024 16:26:00 +0800
-Subject: [PATCH] docker:add clone3 seccomp whitelist for arm64
-
---
- components/engine/profiles/seccomp/seccomp_default.go | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
-index 2c670623..a90e441c 100644
--- a/components/engine/profiles/seccomp/seccomp_default.go
-+++ b/components/engine/profiles/seccomp/seccomp_default.go
-@@ -482,7 +482,6 @@ func DefaultProfile() *types.Seccomp {
- 		{
- 			Names: []string{
- 				"modify_ldt",
-				"clone3",
- 			},
- 			Action: types.ActAllow,
- 			Args:   []*types.Arg{},
-@@ -490,6 +489,16 @@ func DefaultProfile() *types.Seccomp {
- 				Arches: []string{"amd64", "x32", "x86"},
- 			},
- 		},
-+		{
-+                        Names: []string{
-+				"clone3",
-+                        },
-+                        Action: types.ActAllow,
-+                        Args:   []*types.Arg{},
-+                        Includes: types.Filter{
-+                                Arches: []string{"arm64", "amd64", "x32", "x86"},
-+                        },
-+                },
- 		{
- 			Names: []string{
- 				"s390_pci_mmio_read",
-- 
-2.33.0
-
--- a/patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
+++ b/patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
@ -1,57 +0,0 @@
-From 68ea83ecea0e38d084c0d15c9e99c0b4494b1f32 Mon Sep 17 00:00:00 2001
-From: zhongjiawei <zhongjiawei1@huawei.com>
-Date: Thu, 22 Aug 2024 20:22:43 +0800
-Subject: [PATCH] docker: try to reconnect when containerd grpc return
- unexpected EOF
-
---
- .../engine/libcontainerd/client_daemon.go     | 26 ++++++++++++++-----
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-diff --git a/components/engine/libcontainerd/client_daemon.go b/components/engine/libcontainerd/client_daemon.go
-index 09ce6e1f5..14f420ed8 100755
--- a/components/engine/libcontainerd/client_daemon.go
-+++ b/components/engine/libcontainerd/client_daemon.go
-@@ -38,9 +38,12 @@ import (
- 	"google.golang.org/grpc/status"
- )
- 
-// InitProcessName is the name given to the first process of a
-// container
-const InitProcessName = "init"
-+const (
-+	// InitProcessName is the name given to the first process of a container
-+	InitProcessName = "init"
-+	// RetryMax is the max num to connect containerd grpc
-+	RetryMax = 10
-+)
- 
- type container struct {
- 	mu sync.Mutex
-@@ -167,9 +170,20 @@ func (c *client) Restore(ctx context.Context, id string, attachStdio StdioCallba
- 		err = wrapError(err)
- 	}()
- 
-	ctr, err := c.client.LoadContainer(ctx, id)
-	if err != nil {
-		return false, -1, errors.WithStack(wrapError(err))
-+	var ctr containerd.Container
-+	var err1 error
-+	for retry := 1; retry <= RetryMax; retry++ {
-+		ctr, err1 = c.client.LoadContainer(ctx, id)
-+		if err1 == nil {
-+			break
-+		} else if strings.Contains(err1.Error(), "unexpected EOF") {
-+			time.Sleep(time.Millisecond * 100)
-+			continue
-+		}
-+		return false, -1, errors.WithStack(wrapError(err1))
-+	}
-+	if err1 != nil {
-+		return false, -1, errors.Wrap(wrapError(err1), "reconnect load contianer failed")
- 	}
- 
- 	attachIO := func(fifos *cio.FIFOSet) (cio.IO, error) {
-- 
-2.33.0
-
--- a/patch/0281-backport-fix-CVE-2024-36621.patch
+++ b/patch/0281-backport-fix-CVE-2024-36621.patch
@ -1,79 +0,0 @@
-From 5aa1ff9afad56ef0cf4acd983ff441c8048c0ba3 Mon Sep 17 00:00:00 2001
-From: Tonis Tiigi <tonistiigi@gmail.com>
-Date: Wed, 6 Mar 2024 23:11:32 -0800
-Subject: [PATCH] builder-next: fix missing lock in ensurelayer
-
-When this was called concurrently from the moby image
-exporter there could be a data race where a layer was
-written to the refs map when it was already there.
-
-In that case the reference count got mixed up and on
-release only one of these layers was actually released.
-
-Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
---
- .../builder-next/adapters/snapshot/layer.go   |  3 +++
- .../adapters/snapshot/snapshot.go             | 19 +++++++++++--------
- 2 files changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/components/engine/builder/builder-next/adapters/snapshot/layer.go b/components/engine/builder/builder-next/adapters/snapshot/layer.go
-index ffde5eec..13847d5a 100644
--- a/components/engine/builder/builder-next/adapters/snapshot/layer.go
-+++ b/components/engine/builder/builder-next/adapters/snapshot/layer.go
-@@ -13,6 +13,9 @@ import (
- )
- 
- func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
-+	s.layerCreateLocker.Lock(key)
-+	defer s.layerCreateLocker.Unlock(key)
-+
- 	if l, err := s.getLayer(key, true); err != nil {
- 		return nil, err
- 	} else if l != nil {
-diff --git a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
-index c1388da7..2b1d33d7 100644
--- a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
-+++ b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
-@@ -11,6 +11,7 @@ import (
- 	"github.com/containerd/containerd/snapshots"
- 	"github.com/docker/docker/daemon/graphdriver"
- 	"github.com/docker/docker/layer"
-+	"github.com/docker/docker/pkg/locker"
- 	"github.com/moby/buildkit/identity"
- 	"github.com/moby/buildkit/snapshot"
- 	digest "github.com/opencontainers/go-digest"
-@@ -43,10 +44,11 @@ type checksumCalculator interface {
- type snapshotter struct {
- 	opt Opt
- 
-	refs map[string]layer.Layer
-	db   *bolt.DB
-	mu   sync.Mutex
-	reg  graphIDRegistrar
-+	refs              map[string]layer.Layer
-+	db                *bolt.DB
-+	mu                sync.Mutex
-+	reg               graphIDRegistrar
-+	layerCreateLocker *locker.Locker
- }
- 
- var _ snapshot.SnapshotterBase = &snapshotter{}
-@@ -65,10 +67,11 @@ func NewSnapshotter(opt Opt) (snapshot.SnapshotterBase, error) {
- 	}
- 
- 	s := &snapshotter{
-		opt:  opt,
-		db:   db,
-		refs: map[string]layer.Layer{},
-		reg:  reg,
-+		opt:               opt,
-+		db:                db,
-+		refs:              map[string]layer.Layer{},
-+		reg:               reg,
-+		layerCreateLocker: locker.New(),
- 	}
- 	return s, nil
- }
-- 
-2.33.0
-
--- a/patch/0282-backport-fix-CVE-2024-36623.patch
+++ b/patch/0282-backport-fix-CVE-2024-36623.patch
@ -1,48 +0,0 @@
-From 5e02d7625ef0472e0be29acb30e47255546ced58 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
-Date: Thu, 22 Feb 2024 18:01:40 +0100
-Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Sync access to the underlying `io.Writer` with a mutex.
-
-Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
- components/engine/pkg/streamformatter/streamformatter.go | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/components/engine/pkg/streamformatter/streamformatter.go b/components/engine/pkg/streamformatter/streamformatter.go
-index 04917d49ab..eaa82e1010 100644
--- a/components/engine/pkg/streamformatter/streamformatter.go
-+++ b/components/engine/pkg/streamformatter/streamformatter.go
-@@ -5,6 +5,7 @@ import (
- 	"encoding/json"
- 	"fmt"
- 	"io"
-+	"sync"
- 
- 	"github.com/docker/docker/pkg/jsonmessage"
- 	"github.com/docker/docker/pkg/progress"
-@@ -109,6 +110,7 @@ type progressOutput struct {
- 	sf       formatProgress
- 	out      io.Writer
- 	newLines bool
-+	mu       sync.Mutex
- }
- 
- // WriteProgress formats progress information from a ProgressReader.
-@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
- 		jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
- 		formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
- 	}
-+
-+	out.mu.Lock()
-+	defer out.mu.Unlock()
- 	_, err := out.out.Write(formatted)
- 	if err != nil {
- 		return err
-- 
-2.33.0
-
--- a/series.conf
+++ b/series.conf
@ -265,9 +265,4 @@ patch/0273-backport-fix-CVE-2024-24557.patch
 patch/0274-backport-fix-CVE-2024-29018.patch
 patch/0275-backport-fix-CVE-2024-32473.patch
 patch/0276-docker-Ignore-SIGURG-on-Linux.patch
-patch/0277-backport-fix-CVE-2024-41110.patch
-patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
-patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
-patch/0281-backport-fix-CVE-2024-36621.patch
-patch/0282-backport-fix-CVE-2024-36623.patch
 #end