diff --git a/SPECS/docker-buildx/CVE-2026-39832.patch b/SPECS/docker-buildx/CVE-2026-39832.patch
index 7e0db2eb93a..61cd31fcdcf 100644
--- a/SPECS/docker-buildx/CVE-2026-39832.patch
+++ b/SPECS/docker-buildx/CVE-2026-39832.patch
@@ -1,45 +1,39 @@
-From e9da9a48632aecf8d45a351274dc2f36269140c2 Mon Sep 17 00:00:00 2001
+From e3d1254f1e7e60baa086142c46174bf6d8d0fe50 Mon Sep 17 00:00:00 2001
 From: Nicola
-Date: Tue, 27 Jan 2026 12:15:18 +0100
-Subject: [PATCH] ssh/agent: preserve constraint extensions when adding keys
+Date: Sun, 1 Feb 2026 14:55:12 +0100
+Subject: [PATCH] ssh/agent: don't accept keys with unsupported constraints
-The client Add method only serialized the lifetime and confirm
-constraints and silently dropped AddedKey.ConstraintExtensions before
-sending the SSH_AGENTC_ADD_IDENTITY request. As a result the remote
-agent always received the key with no extension constraints, regardless
-of what the caller requested.
+The in-memory keyring cannot enforce constraint extensions, so silently
+accepting a key that carries them gave callers a false sense of
+restriction. Refuse keys with constraint extensions instead: a key
+whose constraints cannot be enforced must not be loaded. This behavior
+is consistent with OpenSSH.
-Applications that add a key believing custom constraint extensions
-(such as restrict-destination-v00@openssh.com) would be enforced
-instead loaded a completely unrestricted key into the agent. For
-example, an administrator forwarding their agent into an untrusted jump
-host and trying to limit the forwarded key with restrict-destination
-never had that restriction reach the agent: any user or compromised
-process on that host could make the agent sign arbitrary challenges.
-
-Serialize each entry in key.ConstraintExtensions as an
-agentConstrainExtension constraint so the constraints reach the agent,
-and add a round-trip regression test that verifies the extensions
-survive client serialization and server parsing.
+This is a deliberate behavior change: keyring.Add previously accepted
+and ignored ConstraintExtensions and now returns an error.
 This issue was found during a security audit by NCC Group Cryptography Services, sponsored by Teleport.
-Updates CVE-2026-39832
-Updates golang/go#79435
+Fixes CVE-2026-39832
+Fixes golang/go#79435
-Change-Id: I14c5583b106cbf0d282d2ba01e000e0f586f08c7
-Reviewed-on: https://go-review.googlesource.com/c/crypto/+/778640
+Change-Id: I6ca4f1c29f8edfabb287fe07299641f70896d5fe
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/778641
+Auto-Submit: Neal Patel
+LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com
 Reviewed-by: Neal Patel
+Reviewed-by: Dmitri Shuralyov
 Reviewed-by: Neal Patel
-Reviewed-by: Keith Randall
-Reviewed-by: David Chase
-LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com
-Signed-off-by: Azure Linux Security Servicing Account
-Upstream-reference: https://github.com/golang/crypto/commit/a1ce0fee129597fdea8dfd58d71b6b607de6bdce.patch
+
+This CVE needs 2 commits for the fix.
+Upstream Patch reference:
+1. https://github.com/golang/crypto/commit/e3d1254f1e7e60baa086142c46174bf6d8d0fe50.patch
+2. https://github.com/golang/crypto/commit/a1ce0fee129597fdea8dfd58d71b6b607de6bdce.patch
 ---
- vendor/golang.org/x/crypto/ssh/agent/client.go | 7 +++++++
- 1 file changed, 7 insertions(+)
+ vendor/golang.org/x/crypto/ssh/agent/client.go | 7 +++++++
+ vendor/golang.org/x/crypto/ssh/agent/keyring.go | 12 +++++++++---
+ 2 files changed, 16 insertions(+), 3 deletions(-)
 diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
 index 6dc73e0..d9e7f73 100644
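Review bot: The rewritten header removes the `Signed-off-by: Azure Linux Security Servicing Account` trailer without a replacement, and its first line now names only the keyring.go commit (`From e3d1254f...`) even though the diffstat a few lines below shows the patch also carries the client.go change from a1ce0fee. The patch is now a squash of two upstream commits, so its header should say so explicitly and carry a `Signed-off-by:` line for whoever produced the squash, e.g. directly after the `Upstream Patch reference:` list, so the provenance of the combined diff stays recorded in the patch itself rather than only in the spec changelog.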
@@ -59,6 +53,35 @@ index 6dc73e0..d9e7f73 100644
 cert := key.Certificate
 if cert == nil {
 return c.insertKey(key.PrivateKey, key.Comment, constraints)
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/keyring.go b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
+index 21bfa87..64bc105 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/keyring.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
+@@ -143,15 +143,21 @@ func (r *keyring) List() ([]*Key, error) {
+ return ids, nil
+ }
+
+-// Insert adds a private key to the keyring. If a certificate
+-// is given, that certificate is added as public key. Note that
+-// any constraints given are ignored.
++// Add adds a private key to the keyring. If a certificate is given, that
++// certificate is added as public key.
++//
++// Add returns an error if key contains ConstraintExtensions.
+ func (r *keyring) Add(key AddedKey) error {
+ r.mu.Lock()
+ defer r.mu.Unlock()
+ if r.locked {
+ return errLocked
+ }
++
++ if len(key.ConstraintExtensions) > 0 {
++ return errors.New("agent: constraint extensions are present but not supported")
++ }
++
+ signer, err := ssh.NewSignerFromKey(key.PrivateKey)
+
+ if err != nil {
 --
-2.45.4
+2.43.0
diff --git a/SPECS/docker-buildx/CVE-2026-39833.patch b/SPECS/docker-buildx/CVE-2026-39833.patch
new file mode 100644
index 00000000000..e2e0908e910
--- /dev/null
+++ b/SPECS/docker-buildx/CVE-2026-39833.patch
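Review bot: The new `if len(key.ConstraintExtensions) > 0` rejection in keyring.Add only fails closed for keys that arrive over the wire if the vendored server side populates `AddedKey.ConstraintExtensions` when it parses an add-identity request with constraints; server.go is not touched by this patch, so confirm that the vendored copy at this version actually fills that field rather than skipping unknown constraint types, otherwise a remote client asking for a restricted key still gets an unrestricted one stored and the check never triggers. The check is also evaluated after the `r.locked` test, so a locked keyring reports `errLocked` before the constraint error; that precedence looks intentional but is worth a line in the patch header since it is observable to callers. The inner hunk stops at `if err != nil {`, so the rest of Add's body is outside this hunk.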
@@ -0,0 +1,83 @@
+From 0fb843a472225645e917c84f1f9744757f0bab14 Mon Sep 17 00:00:00 2001
+From: Nicola
+Date: Sun, 8 Feb 2026 15:28:56 +0100
+Subject: [PATCH] ssh/agent: reject keys with unsupported confirm constraint
+
+The in-memory keyring supports the "lifetime" constraint but does not
+implement the "confirm" constraint. Previously, keyring.Add silently
+ignored ConfirmBeforeUse: the key was stored, advertised through List,
+and used for signing without any interactive confirmation, potentially
+misleading callers into believing this security measure was enforced.
+
+Return an error when ConfirmBeforeUse is set instead of silently
+downgrading the caller's security expectations. Implementing real
+confirm-before-use in an in-memory library keyring is infeasible (there
+is no UI or confirmation callback), so failing closed is the correct
+behavior; adding actual confirm support would require an API addition
+and is out of scope.
+
+This is a deliberate behavior change: keyring.Add previously accepted
+and ignored ConfirmBeforeUse and now returns an error. This change also
+updates the keyring doc comments to document the supported constraints.
+
+This issue was found during a security audit by NCC Group Cryptography
+Services, sponsored by Teleport.
+
+Fixes CVE-2026-39833
+Updates golang/go#47533
+Fixes golang/go#79436
+
+Change-Id: I1b3a286f0c1e4a4e08ac37109f7e491692ca90ae
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/778642
+Reviewed-by: Dmitri Shuralyov
+Reviewed-by: Neal Patel
+Reviewed-by: Neal Patel
+Auto-Submit: Neal Patel
+LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com
+
+Upstream Patch reference: https://github.com/golang/crypto/commit/0fb843a472225645e917c84f1f9744757f0bab14.patch
+---
+ vendor/golang.org/x/crypto/ssh/agent/keyring.go | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/agent/keyring.go b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
+index 64bc105..8d8cdb7 100644
+--- a/vendor/golang.org/x/crypto/ssh/agent/keyring.go
++++ b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
+@@ -32,8 +32,10 @@ type keyring struct {
+
+ var errLocked = errors.New("agent: locked")
+
+-// NewKeyring returns an Agent that holds keys in memory. It is safe
+-// for concurrent use by multiple goroutines.
++// NewKeyring returns an Agent that holds keys in memory. It is safe for
++// concurrent use by multiple goroutines.
++//
++// The returned Agent only supports the "lifetime" constraint.
+ func NewKeyring() Agent {
+ return &keyring{}
+ }
+@@ -146,7 +148,8 @@ func (r *keyring) List() ([]*Key, error) {
+ // Add adds a private key to the keyring. If a certificate is given, that
+ // certificate is added as public key.
+ //
+-// Add returns an error if key contains ConstraintExtensions.
++// Add returns an error if key contains ConstraintExtensions or
++// ConfirmBeforeUse.
+ func (r *keyring) Add(key AddedKey) error {
+ r.mu.Lock()
+ defer r.mu.Unlock()
+@@ -154,6 +157,10 @@ func (r *keyring) Add(key AddedKey) error {
+ return errLocked
+ }
+
++ if key.ConfirmBeforeUse {
++ return errors.New("agent: confirm before use constraint is not supported")
++ }
++
+ if len(key.ConstraintExtensions) > 0 {
+ return errors.New("agent: constraint extensions are present but not supported")
+ }
+--
+2.43.0
+
diff --git a/SPECS/docker-buildx/docker-buildx.spec b/SPECS/docker-buildx/docker-buildx.spec
index 7ebdca6f6c4..dbfae2e5684 100644
--- a/SPECS/docker-buildx/docker-buildx.spec
+++ b/SPECS/docker-buildx/docker-buildx.spec
@@ -4,7 +4,7 @@ Summary: A Docker CLI plugin for extended build capabilities with BuildKi
 Name: docker-buildx
 # update "commit_hash" above when upgrading version
 Version: 0.14.0
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 Vendor: Microsoft Corporation
@@ -36,6 +36,7 @@ Patch21: CVE-2026-39827.patch
 Patch22: CVE-2026-39835.patch
 Patch23: CVE-2026-42502.patch
 Patch24: CVE-2026-46598.patch
+Patch25: CVE-2026-39833.patch
 BuildRequires: bash
 BuildRequires: golang < 1.25
@@ -69,6 +70,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil
 %{_libexecdir}/docker/cli-plugins/docker-buildx
 %changelog
+* Mon Jun 01 2026 Akhila Guruju - 0.14.0-15
+- Patch CVE-2026-39833 and fix patch for CVE-2026-39832
+
 * Mon Jun 01 2026 Azure Linux Security Servicing Account - 0.14.0-14
 - Patch for CVE-2026-46598, CVE-2026-42502, CVE-2026-39835, CVE-2026-39827, CVE-2026-25681, CVE-2026-25680
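Review bot: The new `if key.ConfirmBeforeUse { return errors.New("agent: confirm before use constraint is not supported") }` turns what was a silent downgrade into a hard failure of keyring.Add, which is the correct fail-closed choice, but it is a behaviour change for every in-process user of agent.NewKeyring in this vendored tree, not only for remote agent clients. docker-buildx's own callers of NewKeyring and Add are outside this diff; before shipping, confirm that none of them set ConfirmBeforeUse (or ConstraintExtensions) on the AddedKey they build from user-supplied key files, otherwise those invocations now fail at key-load time. The inner hunk at `@@ -154,6 +157,10 @@` ends at the ConstraintExtensions check, so the remainder of Add's body is outside this hunk.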
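Review bot: `Patch25: CVE-2026-39833.patch` only applies cleanly if CVE-2026-39832.patch has already been applied: its keyring.go hunk at `@@ -146,7 +148,8 @@` uses the doc-comment line `// Add returns an error if key contains ConstraintExtensions.` as context, and its `index 64bc105..8d8cdb7` pre-image is the post-image of the 39832 patch's `index 21bfa87..64bc105`. The Patch line declaring CVE-2026-39832.patch is outside this hunk, so confirm its number is lower than 25 and that the spec applies patches in numeric order. A one-line comment above the new entry, such as `# must apply after CVE-2026-39832.patch (shares keyring.go context)`, would make that dependency visible to the next servicing update.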