p4u1/docker-cli
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,190 Commits 1 Branch 0 Tags
6a0099bc8a8fcfd80a40dd2cbbfb6caff23abbce
Commit Graph

5 Commits

Author SHA1 Message Date
Sebastiaan van Stijn
6a0099bc8a cmd/docker-trust: bump golang.org/x/crypto v0.45.0 
Hello gophers,

We have tagged version v0.45.0 of golang.org/x/crypto in order to address two
security issues.

This version fixes a vulnerability in the golang.org/x/crypto/ssh package and a
vulnerability in the golang.org/x/crypto/ssh/agent package which could cause
programs to consume unbounded memory or panic respectively.

SSH servers parsing GSSAPI authentication requests don't validate the number of
mechanisms specified in the request, allowing an attacker to cause unbounded
memory consumption.

Thanks to Jakub Ciolek for reporting this issue.

This is CVE-2025-58181 and Go issue https://go.dev/issue/76363.

SSH Agent servers do not validate the size of messages when processing new
identity requests, which may cause the program to panic if the message is
malformed due to an out of bounds read.

Thanks to Jakub Ciolek for reporting this issue.

This is CVE-2025-47914 and Go issue https://go.dev/issue/76364.

Cheers, Go Security team

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-11-27 14:38:30 +01:00
Sebastiaan van Stijn
c90166ffa6 cmd/docker-trust: update dependencies 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-11-27 14:37:10 +01:00
Sebastiaan van Stijn
c1a53ae7b6 cmd/docker-trust: remove dependency on cli/internal 
Create a copy of the registry package to use, so that code used only
for trust can be removed from the cli/internal package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-11-06 15:24:49 +01:00
Sebastiaan van Stijn
06914dd0ff make trust-plugin a separate module 
skip cmd/docker-trust in tests, as it's a separate module.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-11-06 15:24:48 +01:00
Sebastiaan van Stijn
c9bb291154 implement docker trust as plugin 
move the `trust` subcommands to a plugin, so that the subcommands can
be installed separate from the `docker trust` integration in push/pull
(for situations where trust verification happens on the daemon side).

    make binary
    go build -o /usr/libexec/docker/cli-plugins/docker-trust ./cmd/docker-trust

    docker info
    Client:
     Version:    28.2.0-dev
     Context:    default
     Debug Mode: false
     Plugins:
      buildx: Docker Buildx (Docker Inc.)
        Version:  v0.24.0
        Path:     /usr/libexec/docker/cli-plugins/docker-buildx
      trust: Manage trust on Docker images (Docker Inc.)
        Version:  unknown-version
        Path:     /usr/libexec/docker/cli-plugins/docker-trust

    docker trust --help
    Usage:  docker trust [OPTIONS] COMMAND

    Extended build capabilities with BuildKit

    Options:
      -D, --debug   Enable debug logging

    Management Commands:
      key         Manage keys for signing Docker images
      signer      Manage entities who can sign Docker images

    Commands:
      inspect     Return low-level information about keys and signatures
      revoke      Remove trust for an image
      sign        Sign an image

    Run 'docker trust COMMAND --help' for more information on a command.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
 2025-11-06 15:24:46 +01:00