Patch docker-buildx for CVE-2025-0495 [Medium] (#13768)

sandeepkarambelkar · web-flow · commit 91ef9b2e7b3f · 2025-05-20T20:26:31.000+05:30
diff --git a/SPECS/docker-buildx/CVE-2025-0495.patch b/SPECS/docker-buildx/CVE-2025-0495.patch
@@ -0,0 +1,98 @@
+From 57f85577943734ab47924d1f2595de12a8613fbf Mon Sep 17 00:00:00 2001
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Mon, 3 Feb 2025 22:14:55 -0800
+Subject: [PATCH] otel: avoid tracing raw os arguments
+
+User might pass a value that they don't expect to
+be kept in trace storage. For example some cache backends
+allow passing authentication tokens with a flag.
+
+Instead use known primary config values as attributes
+of the root span.
+
+Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
+Modified patch to apply to AzureLinux
+Modified-by: Sandeep Karambelkar <skarambelkar@microsoft.com>
+Upstream Patch: https://github.com/docker/buildx/commit/18ccba072076ddbfb0aeedd6746d7719b0729b58
+Upstream PR: https://github.com/docker/buildx/pull/3068
+Only first commit is applicable from https://github.com/docker/buildx/pull/3068/commits
+---
+ commands/bake.go      | 7 ++++++-
+ commands/build.go     | 6 +++++-
+ util/tracing/trace.go | 7 +++----
+ 3 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/commands/bake.go b/commands/bake.go
+index cb23066..3fc0b74 100644
+--- a/commands/bake.go
++++ b/commands/bake.go
+@@ -26,6 +26,7 @@ import (
+ 	"github.com/moby/buildkit/util/progress/progressui"
+ 	"github.com/pkg/errors"
+ 	"github.com/spf13/cobra"
++	"go.opentelemetry.io/otel/attribute"
+ )
+ 
+ type bakeOptions struct {
+@@ -42,7 +43,11 @@ type bakeOptions struct {
+ }
+ 
+ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in bakeOptions, cFlags commonFlags) (err error) {
+-	ctx, end, err := tracing.TraceCurrentCommand(ctx, "bake")
++	ctx, end, err := tracing.TraceCurrentCommand(ctx, append([]string{"bake"}, targets...),
++		attribute.String("builder", in.builder),
++		attribute.StringSlice("targets", targets),
++		attribute.StringSlice("files", in.files),
++	)
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/commands/build.go b/commands/build.go
+index 6f151d4..e4d88c4 100644
+--- a/commands/build.go
++++ b/commands/build.go
+@@ -271,7 +271,11 @@ func runBuild(ctx context.Context, dockerCli command.Cli, options buildOptions)
+ 	mp := dockerCli.MeterProvider(ctx)
+ 	defer metricutil.Shutdown(ctx, mp)
+ 
+-	ctx, end, err := tracing.TraceCurrentCommand(ctx, "build")
++	ctx, end, err := tracing.TraceCurrentCommand(ctx, []string{"build", options.contextPath},
++		attribute.String("builder", options.builder),
++		attribute.String("context", options.contextPath),
++		attribute.String("dockerfile", options.dockerfileName),
++	)
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/util/tracing/trace.go b/util/tracing/trace.go
+index c95ad5a..13ce349 100644
+--- a/util/tracing/trace.go
++++ b/util/tracing/trace.go
+@@ -2,7 +2,6 @@ package tracing
+ 
+ import (
+ 	"context"
+-	"os"
+ 	"strings"
+ 
+ 	"github.com/moby/buildkit/util/tracing/detect"
+@@ -10,13 +9,13 @@ import (
+ 	"go.opentelemetry.io/otel/trace"
+ )
+ 
+-func TraceCurrentCommand(ctx context.Context, name string) (context.Context, func(error), error) {
++func TraceCurrentCommand(ctx context.Context, args []string, attrs ...attribute.KeyValue) (context.Context, func(error), error) {
+ 	tp, err := detect.TracerProvider()
+ 	if err != nil {
+ 		return context.Background(), nil, err
+ 	}
+-	ctx, span := tp.Tracer("").Start(ctx, name, trace.WithAttributes(
+-		attribute.String("command", strings.Join(os.Args, " ")),
++	ctx, span := tp.Tracer("").Start(ctx, strings.Join(args, " "), trace.WithAttributes(
++		attrs...,
+ 	))
+ 
+ 	return ctx, func(err error) {
+-- 
+2.45.3
+
diff --git a/SPECS/docker-buildx/docker-buildx.spec b/SPECS/docker-buildx/docker-buildx.spec
@@ -4,7 +4,7 @@ Summary:        A Docker CLI plugin for extended build capabilities with BuildKi
 Name:           docker-buildx
 # update "commit_hash" above when upgrading version
 Version:        0.14.0
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        ASL 2.0
 Group:          Tools/Container
 Vendor:         Microsoft Corporation
@@ -14,6 +14,7 @@ Source0:        https://github.com/docker/buildx/archive/refs/tags/v%{version}.t
 Patch0:         CVE-2024-45337.patch
 Patch1:         CVE-2024-45338.patch
 Patch2:         CVE-2025-22869.patch
+Patch3:         CVE-2025-0495.patch
 
 BuildRequires: bash
 BuildRequires: golang
@@ -47,6 +48,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil
 %{_libexecdir}/docker/cli-plugins/docker-buildx
 
 %changelog
+* Tue May 13 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 0.14.0-5
+- Fix CVE-2025-0495 with upstream patch modified to apply for azurelinux package
+
 * Mon Mar 03 2025 Kanishk Bansal <kanbansal@microsoft.com> - 0.14.0-4
 - Fix CVE-2025-22869 with an upstream patch
 
