mirror of
https://github.com/docker/cli.git
synced 2026-01-26 15:41:42 +03:00
7e8457115b
This releases includes 6 security fixes following the security policy:
- archive/zip: denial of service when parsing arbitrary ZIP archives
archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Thanks to Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-61728 and Go issue https://go.dev/issue/77102.
- net/http: memory exhaustion in Request.ParseForm
When parsing a URL-encoded form net/http may allocate an unexpected amount of
memory when provided a large number of key-value pairs. This can result in a
denial of service due to memory exhaustion.
Thanks to jub0bs for reporting this issue.
This is CVE-2025-61726 and Go issue https://go.dev/issue/77101.
- crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain
The Config.Clone methods allows cloning a Config which has already been passed
to a TLS function, allowing it to be mutated and reused.
If Config.SessionTicketKey has not been set, and Config.SetSessionTicketKeys has
not been called, crypto/tls will generate random session ticket keys and
automatically rotate them. Config.Clone would copy these automatically generated
keys into the returned Config, meaning that the two Configs would share session
ticket keys, allowing sessions created using one Config could be used to resume
sessions with the other Config. This can allow clients to resume sessions even
though the Config may be configured such that they should not be able to do so.
Config.Clone no longer copies the automatically generated session ticket keys.
Config.Clone still copies keys which are explicitly provided, either by setting
Config.SessionTicketKey or by calling Config.SetSessionTicketKeys.
This issue was discoverd by the Go Security team while investigating another
issue reported by Coia Prant (github.com/rbqvq).
Additionally, on the server side only the expiration of the leaf certificate, if
one was provided during the initial handshake, was checked when considering if a
session could be resumed. This allowed sessions to be resumed if an intermediate
or root certificate in the chain had expired.
Session resumption now takes into account of the full chain when determining if
the session can be resumed.
Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
This is CVE-2025-68121 and Go issue https://go.dev/issue/77113.
- cmd/go: bypass of flag sanitization can lead to arbitrary code execution
Usage of 'CgoPkgConfig' allowed execution of the pkg-config
binary with flags that are not explicitly safe-listed.
To prevent this behavior, compiler flags resulting from usage
of 'CgoPkgConfig' are sanitized prior to invoking pkg-config.
Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.
This is CVE-2025-61731 and go.dev/issue/77100.
- cmd/go: unexpected code execution when invoking toolchain
The Go toolchain supports multiple VCS which are used retrieving modules and
embedding build information into binaries.
On systems with Mercurial installed (hg) downloading modules (e.g. via go get or
go mod download) from non-standard sources (e.g. custom domains) can cause
unexpected code execution due to how external VCS commands are constructed.
On systems with Git installed, downloading and building modules with malicious
version strings could allow an attacker to write to arbitrary files on the
system the user has access to. This can only be triggered by explicitly
providing the malicious version strings to the toolchain, and does not affect
usage of @latest or bare module paths.
The toolchain now uses safer VCS options to prevent misinterpretation of
untrusted inputs. In addition, the toolchain now disallows module version
strings prefixed with a "-" or "/" character.
Thanks to splitline (@splitline) from DEVCORE Research Team for reporting this
issue.
This is CVE-2025-68119 and Go issue https://go.dev/issue/77099.
- crypto/tls: handshake messages may be processed at the incorrect encryption level
During the TLS 1.3 handshake if multiple messages are sent in records that span
encryption level boundaries (for instance the Client Hello and Encrypted
Extensions messages), the subsequent messages may be processed before the
encryption level changes. This can cause some minor information disclosure if a
network-local attacker can inject messages during the handshake.
Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
This is CVE-2025-61730 and Go issue https://go.dev/issue/76443
View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.6
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
152 lines
5.6 KiB
Docker
152 lines
5.6 KiB
Docker
# syntax=docker/dockerfile:1
|
|
|
|
ARG BASE_VARIANT=alpine
|
|
|
|
# ALPINE_VERSION sets the version of the alpine base image to use, including for the golang image.
|
|
# It must be a supported tag in the docker.io/library/alpine image repository
|
|
# that's also available as alpine image variant for the Golang version used.
|
|
ARG ALPINE_VERSION=3.22
|
|
ARG BASE_DEBIAN_DISTRO=bookworm
|
|
|
|
ARG GO_VERSION=1.25.6
|
|
|
|
# XX_VERSION specifies the version of the xx utility to use.
|
|
# It must be a valid tag in the docker.io/tonistiigi/xx image repository.
|
|
ARG XX_VERSION=1.7.0
|
|
|
|
# GOVERSIONINFO_VERSION is the version of GoVersionInfo to install.
|
|
# It must be a valid tag from https://github.com/josephspurrier/goversioninfo
|
|
ARG GOVERSIONINFO_VERSION=v1.5.0
|
|
|
|
# GOTESTSUM_VERSION sets the version of gotestsum to install in the dev container.
|
|
# It must be a valid tag in the https://github.com/gotestyourself/gotestsum repository.
|
|
ARG GOTESTSUM_VERSION=v1.13.0
|
|
|
|
# BUILDX_VERSION sets the version of buildx to use for the e2e tests.
|
|
# It must be a tag in the docker.io/docker/buildx-bin image repository
|
|
# on Docker Hub.
|
|
ARG BUILDX_VERSION=0.29.1
|
|
|
|
# COMPOSE_VERSION is the version of compose to install in the dev container.
|
|
# It must be a tag in the docker.io/docker/compose-bin image repository
|
|
# on Docker Hub.
|
|
ARG COMPOSE_VERSION=v2.40.0
|
|
|
|
FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
|
|
|
|
FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS build-base-alpine
|
|
ENV GOTOOLCHAIN=local
|
|
COPY --link --from=xx / /
|
|
RUN apk add --no-cache bash clang lld llvm file git git-daemon
|
|
WORKDIR /go/src/github.com/docker/cli
|
|
|
|
FROM build-base-alpine AS build-alpine
|
|
ARG TARGETPLATFORM
|
|
# gcc is installed for libgcc only
|
|
RUN xx-apk add --no-cache musl-dev gcc
|
|
|
|
FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO} AS build-base-debian
|
|
ENV GOTOOLCHAIN=local
|
|
COPY --link --from=xx / /
|
|
RUN apt-get update && apt-get install --no-install-recommends -y bash clang lld llvm file
|
|
WORKDIR /go/src/github.com/docker/cli
|
|
|
|
FROM build-base-debian AS build-debian
|
|
ARG TARGETPLATFORM
|
|
RUN xx-apt-get install --no-install-recommends -y libc6-dev libgcc-12-dev pkgconf
|
|
|
|
FROM build-base-${BASE_VARIANT} AS goversioninfo
|
|
ARG GOVERSIONINFO_VERSION
|
|
RUN --mount=type=cache,target=/root/.cache/go-build \
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
GOBIN=/out GO111MODULE=on CGO_ENABLED=0 go install "github.com/josephspurrier/goversioninfo/cmd/goversioninfo@${GOVERSIONINFO_VERSION}"
|
|
|
|
FROM build-base-${BASE_VARIANT} AS gotestsum
|
|
ARG GOTESTSUM_VERSION
|
|
RUN --mount=type=cache,target=/root/.cache/go-build \
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
GOBIN=/out GO111MODULE=on CGO_ENABLED=0 go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
|
|
&& /out/gotestsum --version
|
|
|
|
FROM build-${BASE_VARIANT} AS build
|
|
# GO_LINKMODE defines if static or dynamic binary should be produced
|
|
ARG GO_LINKMODE=static
|
|
# GO_BUILDTAGS defines additional build tags
|
|
ARG GO_BUILDTAGS
|
|
# GO_STRIP strips debugging symbols if set
|
|
ARG GO_STRIP
|
|
# CGO_ENABLED manually sets if cgo is used
|
|
ARG CGO_ENABLED
|
|
# VERSION sets the version for the produced binary
|
|
ARG VERSION
|
|
# PACKAGER_NAME sets the company that produced the windows binary
|
|
ARG PACKAGER_NAME
|
|
COPY --link --from=goversioninfo /out/goversioninfo /usr/bin/goversioninfo
|
|
RUN --mount=type=bind,target=.,ro \
|
|
--mount=type=cache,target=/root/.cache \
|
|
--mount=type=tmpfs,target=cmd/docker/winresources \
|
|
# override the default behavior of go with xx-go
|
|
xx-go --wrap && \
|
|
# export GOCACHE=$(go env GOCACHE)/$(xx-info)$([ -f /etc/alpine-release ] && echo "alpine") && \
|
|
TARGET=/out ./scripts/build/binary && \
|
|
xx-verify $([ "$GO_LINKMODE" = "static" ] && echo "--static") /out/docker
|
|
|
|
FROM build-${BASE_VARIANT} AS test
|
|
COPY --link --from=gotestsum /out/gotestsum /usr/bin/gotestsum
|
|
ENV GO111MODULE=auto
|
|
RUN --mount=type=bind,target=.,rw \
|
|
--mount=type=cache,target=/root/.cache \
|
|
--mount=type=cache,target=/go/pkg/mod \
|
|
gotestsum -- -coverprofile=/tmp/coverage.txt $(go list ./... | grep -vE '/vendor/|/e2e/|/cmd/docker-trust')
|
|
|
|
FROM scratch AS test-coverage
|
|
COPY --from=test /tmp/coverage.txt /coverage.txt
|
|
|
|
FROM build-${BASE_VARIANT} AS build-plugins
|
|
ARG GO_LINKMODE=static
|
|
ARG GO_BUILDTAGS
|
|
ARG GO_STRIP
|
|
ARG CGO_ENABLED
|
|
ARG VERSION
|
|
RUN --mount=ro --mount=type=cache,target=/root/.cache \
|
|
xx-go --wrap && \
|
|
TARGET=/out ./scripts/build/plugins e2e/cli-plugins/plugins/*
|
|
|
|
FROM build-base-alpine AS e2e-base-alpine
|
|
RUN apk add --no-cache build-base curl openssl openssh-client
|
|
|
|
FROM build-base-debian AS e2e-base-debian
|
|
RUN apt-get update && apt-get install -y build-essential curl openssl openssh-client
|
|
|
|
FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
|
|
FROM docker/compose-bin:${COMPOSE_VERSION} AS compose
|
|
|
|
FROM e2e-base-${BASE_VARIANT} AS e2e
|
|
COPY --link --from=gotestsum /out/gotestsum /usr/bin/gotestsum
|
|
COPY --link --from=build /out ./build/
|
|
COPY --link --from=build-plugins /out ./build/
|
|
COPY --link --from=buildx /buildx /usr/libexec/docker/cli-plugins/docker-buildx
|
|
COPY --link --from=compose /docker-compose /usr/libexec/docker/cli-plugins/docker-compose
|
|
COPY --link . .
|
|
ENV DOCKER_BUILDKIT=1
|
|
ENV PATH=/go/src/github.com/docker/cli/build:$PATH
|
|
CMD ["./scripts/test/e2e/entry"]
|
|
|
|
FROM build-base-${BASE_VARIANT} AS dev
|
|
COPY --link . .
|
|
|
|
FROM scratch AS plugins
|
|
COPY --from=build-plugins /out .
|
|
|
|
FROM scratch AS bin-image-linux
|
|
COPY --from=build /out/docker /docker
|
|
FROM scratch AS bin-image-darwin
|
|
COPY --from=build /out/docker /docker
|
|
FROM scratch AS bin-image-windows
|
|
COPY --from=build /out/docker /docker.exe
|
|
|
|
FROM bin-image-${TARGETOS} AS bin-image
|
|
|
|
FROM scratch AS binary
|
|
COPY --from=build /out .
|