From da9c9837892596fb44a73bcfd3e061bd23d0cff1 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Wed, 17 Nov 2021 20:40:17 +0100
Subject: [PATCH] [20.10] vendor: github.com/moby/buildkit v0.8.3-4-gbc07b2b8
imageutil: make mediatype detection stricter to mitigate CVE-2021-41190.
diff --git a/vendor/github.com/moby/buildkit/util/imageutil/config.go b/vendor/github.com/moby/buildkit/util/imageutil/config.go
index 0be587058a..a93c8ccd6b 100644
--- a/vendor/github.com/moby/buildkit/util/imageutil/config.go
+++ b/vendor/github.com/moby/buildkit/util/imageutil/config.go
@@ -183,19 +183,39 @@ func DetectManifestMediaType(ra content.ReaderAt) (string, error) {
func DetectManifestBlobMediaType(dt []byte) (string, error) {
var mfst struct {
- MediaType string `json:"mediaType"`
+ MediaType *string `json:"mediaType"`
Config json.RawMessage `json:"config"`
+ Manifests json.RawMessage `json:"manifests"`
+ Layers json.RawMessage `json:"layers"`
}
if err := json.Unmarshal(dt, &mfst); err != nil {
return "", err
}
- if mfst.MediaType != "" {
- return mfst.MediaType, nil
+ mt := images.MediaTypeDockerSchema2ManifestList
+
+ if mfst.Config != nil || mfst.Layers != nil {
+ mt = images.MediaTypeDockerSchema2Manifest
+
+ if mfst.Manifests != nil {
+ return "", errors.Errorf("invalid ambiguous manifest and manifest list")
+ }
}
- if mfst.Config != nil {
- return images.MediaTypeDockerSchema2Manifest, nil
+
+ if mfst.MediaType != nil {
+ switch *mfst.MediaType {
+ case images.MediaTypeDockerSchema2ManifestList, specs.MediaTypeImageIndex:
+ if mt != images.MediaTypeDockerSchema2ManifestList {
+ return "", errors.Errorf("mediaType in manifest does not match manifest contents")
+ }
+ mt = *mfst.MediaType
+ case images.MediaTypeDockerSchema2Manifest, specs.MediaTypeImageManifest:
+ if mt != images.MediaTypeDockerSchema2Manifest {
+ return "", errors.Errorf("mediaType in manifest does not match manifest contents")
+ }
+ mt = *mfst.MediaType
+ }
}
- return images.MediaTypeDockerSchema2ManifestList, nil
+ return mt, nil
}
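Review bot: The `switch *mfst.MediaType` has no `default` case, so a document whose `mediaType` is outside the four listed values is not rejected; the type inferred from `config`/`layers`/`manifests` is returned and the declared value is silently ignored. For a check meant to keep a blob from being interpreted as a different type than it declares, consider `default: return "", errors.Errorf("unsupported mediaType %q in manifest", *mfst.MediaType)`, unless callers depend on that fallback, which is not visible in this hunk. The function also has no doc comment; one should state that the contents decide the type, that `manifests` together with `config` or `layers` is an error, and that a body with none of the three fields is still reported as a manifest list. Because this file is vendored, any such change would have to land in buildkit upstream rather than here.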
--
2.34.0.rc2.393.gf8c9666880-goog