
Commit dda93b1

CBL-Mariner-Bot, akhila-guruju, azurelinux-security, jslobodzian authored
[AUTO-CHERRYPICK] [High] Patch docker-buildx for CVE-2026-39833 - branch 3.0-dev (#17641)
Co-authored-by: Akhila Guruju <v-guakhila@microsoft.com>
Co-authored-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
1 parent 5ae8361 commit dda93b1

3 files changed

Lines changed: 143 additions & 33 deletions

Lines changed: 55 additions & 32 deletions
@@ -1,45 +1,39 @@
1-
From e9da9a48632aecf8d45a351274dc2f36269140c2 Mon Sep 17 00:00:00 2001
1+
From e3d1254f1e7e60baa086142c46174bf6d8d0fe50 Mon Sep 17 00:00:00 2001
22
From: Nicola <nicola.murino@gmail.com>
3-
Date: Tue, 27 Jan 2026 12:15:18 +0100
4-
Subject: [PATCH] ssh/agent: preserve constraint extensions when adding keys
3+
Date: Sun, 1 Feb 2026 14:55:12 +0100
4+
Subject: [PATCH] ssh/agent: don't accept keys with unsupported constraints
55

6-
The client Add method only serialized the lifetime and confirm
7-
constraints and silently dropped AddedKey.ConstraintExtensions before
8-
sending the SSH_AGENTC_ADD_IDENTITY request. As a result the remote
9-
agent always received the key with no extension constraints, regardless
10-
of what the caller requested.
6+
The in-memory keyring cannot enforce constraint extensions, so silently
7+
accepting a key that carries them gave callers a false sense of
8+
restriction. Refuse keys with constraint extensions instead: a key
9+
whose constraints cannot be enforced must not be loaded. This behavior
10+
is consistent with OpenSSH.
1111

12-
Applications that add a key believing custom constraint extensions
13-
(such as restrict-destination-v00@openssh.com) would be enforced
14-
instead loaded a completely unrestricted key into the agent. For
15-
example, an administrator forwarding their agent into an untrusted jump
16-
host and trying to limit the forwarded key with restrict-destination
17-
never had that restriction reach the agent: any user or compromised
18-
process on that host could make the agent sign arbitrary challenges.
19-
20-
Serialize each entry in key.ConstraintExtensions as an
21-
agentConstrainExtension constraint so the constraints reach the agent,
22-
and add a round-trip regression test that verifies the extensions
23-
survive client serialization and server parsing.
12+
This is a deliberate behavior change: keyring.Add previously accepted
13+
and ignored ConstraintExtensions and now returns an error.
2414

2515
This issue was found during a security audit by NCC Group Cryptography
2616
Services, sponsored by Teleport.
2717

28-
Updates CVE-2026-39832
29-
Updates golang/go#79435
18+
Fixes CVE-2026-39832
19+
Fixes golang/go#79435
3020

31-
Change-Id: I14c5583b106cbf0d282d2ba01e000e0f586f08c7
32-
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/778640
21+
Change-Id: I6ca4f1c29f8edfabb287fe07299641f70896d5fe
22+
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/778641
23+
Auto-Submit: Neal Patel <nealpatel@google.com>
24+
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
3325
Reviewed-by: Neal Patel <neal@golang.org>
26+
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
3427
Reviewed-by: Neal Patel <nealpatel@google.com>
35-
Reviewed-by: Keith Randall <khr@google.com>
36-
Reviewed-by: David Chase <drchase@google.com>
37-
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
38-
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
39-
Upstream-reference: https://github.com/golang/crypto/commit/a1ce0fee129597fdea8dfd58d71b6b607de6bdce.patch
28+
29+
This CVE needs 2 commits for the fix.
30+
Upstream Patch reference:
31+
1. https://github.com/golang/crypto/commit/e3d1254f1e7e60baa086142c46174bf6d8d0fe50.patch
32+
2. https://github.com/golang/crypto/commit/a1ce0fee129597fdea8dfd58d71b6b607de6bdce.patch
4033
---
41-
vendor/golang.org/x/crypto/ssh/agent/client.go | 7 +++++++
42-
1 file changed, 7 insertions(+)
34+
vendor/golang.org/x/crypto/ssh/agent/client.go | 7 +++++++
35+
vendor/golang.org/x/crypto/ssh/agent/keyring.go | 12 +++++++++---
36+
2 files changed, 16 insertions(+), 3 deletions(-)
4337

4438
diff --git a/vendor/golang.org/x/crypto/ssh/agent/client.go b/vendor/golang.org/x/crypto/ssh/agent/client.go
4539
index 6dc73e0..d9e7f73 100644
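Review bot: the rewritten patch header keeps only the From/Date/Subject of upstream e3d1254 even though the file now bundles two upstream commits (the trailer "This CVE needs 2 commits for the fix" lists e3d1254 and a1ce0fee, and the diffstat gains the client.go part that comes from a1ce0fee), and the `Signed-off-by: Azure Linux Security Servicing Account` trailer of the previous version is dropped without replacement. Either split the file into two patches so each keeps its own upstream header, or extend the Subject to name both changes (server-side rejection of unsupported constraints plus client-side serialization of constraint extensions) and restore the Signed-off-by line; the two-commit note at the bottom of the message is easy to miss when someone later audits what this patch contains. Changing "Updates CVE-2026-39832" to "Fixes CVE-2026-39832" is consistent with e3d1254 being the commit upstream marks as the fix.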
@@ -59,6 +53,35 @@ index 6dc73e0..d9e7f73 100644
5953
cert := key.Certificate
6054
if cert == nil {
6155
return c.insertKey(key.PrivateKey, key.Comment, constraints)
56+
diff --git a/vendor/golang.org/x/crypto/ssh/agent/keyring.go b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
57+
index 21bfa87..64bc105 100644
58+
--- a/vendor/golang.org/x/crypto/ssh/agent/keyring.go
59+
+++ b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
60+
@@ -143,15 +143,21 @@ func (r *keyring) List() ([]*Key, error) {
61+
return ids, nil
62+
}
63+
64+
-// Insert adds a private key to the keyring. If a certificate
65+
-// is given, that certificate is added as public key. Note that
66+
-// any constraints given are ignored.
67+
+// Add adds a private key to the keyring. If a certificate is given, that
68+
+// certificate is added as public key.
69+
+//
70+
+// Add returns an error if key contains ConstraintExtensions.
71+
func (r *keyring) Add(key AddedKey) error {
72+
r.mu.Lock()
73+
defer r.mu.Unlock()
74+
if r.locked {
75+
return errLocked
76+
}
77+
+
78+
+ if len(key.ConstraintExtensions) > 0 {
79+
+ return errors.New("agent: constraint extensions are present but not supported")
80+
+ }
81+
+
82+
signer, err := ssh.NewSignerFromKey(key.PrivateKey)
83+
84+
if err != nil {
6285
--
63-
2.45.4
86+
2.43.0
6487

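Review bot: the new check in keyring.Add sits after the `r.locked` test and before `ssh.NewSignerFromKey`, so a key carrying ConstraintExtensions is refused before it is parsed or stored, which is the right fail-closed ordering, and `errors.New` needs no new import because keyring.go already defines `var errLocked = errors.New("agent: locked")` (visible as context in the second patch file). Two things for the packaging side: this is a deliberate API behaviour change (Add previously accepted and ignored the extensions), so any docker-buildx code path that loads keys with extensions into an in-memory NewKeyring() agent will now get an error where it used to get an unrestricted key, and that should be checked rather than assumed; and the bundled client.go change (the 7-insertion part, of which only the trailing context `return c.insertKey(key.PrivateKey, key.Comment, constraints)` is visible here) is what actually sends the extensions to a remote agent, so the two halves belong together and the patch should not be trimmed to one of them later. The `2.45.4` to `2.43.0` change at the end is only the git version stamp of the regenerated patch.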
Lines changed: 83 additions & 0 deletions
@@ -0,0 +1,83 @@
1+
From 0fb843a472225645e917c84f1f9744757f0bab14 Mon Sep 17 00:00:00 2001
2+
From: Nicola <nicola.murino@gmail.com>
3+
Date: Sun, 8 Feb 2026 15:28:56 +0100
4+
Subject: [PATCH] ssh/agent: reject keys with unsupported confirm constraint
5+
6+
The in-memory keyring supports the "lifetime" constraint but does not
7+
implement the "confirm" constraint. Previously, keyring.Add silently
8+
ignored ConfirmBeforeUse: the key was stored, advertised through List,
9+
and used for signing without any interactive confirmation, potentially
10+
misleading callers into believing this security measure was enforced.
11+
12+
Return an error when ConfirmBeforeUse is set instead of silently
13+
downgrading the caller's security expectations. Implementing real
14+
confirm-before-use in an in-memory library keyring is infeasible (there
15+
is no UI or confirmation callback), so failing closed is the correct
16+
behavior; adding actual confirm support would require an API addition
17+
and is out of scope.
18+
19+
This is a deliberate behavior change: keyring.Add previously accepted
20+
and ignored ConfirmBeforeUse and now returns an error. This change also
21+
updates the keyring doc comments to document the supported constraints.
22+
23+
This issue was found during a security audit by NCC Group Cryptography
24+
Services, sponsored by Teleport.
25+
26+
Fixes CVE-2026-39833
27+
Updates golang/go#47533
28+
Fixes golang/go#79436
29+
30+
Change-Id: I1b3a286f0c1e4a4e08ac37109f7e491692ca90ae
31+
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/778642
32+
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
33+
Reviewed-by: Neal Patel <nealpatel@google.com>
34+
Reviewed-by: Neal Patel <neal@golang.org>
35+
Auto-Submit: Neal Patel <nealpatel@google.com>
36+
LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
37+
38+
Upstream Patch reference: https://github.com/golang/crypto/commit/0fb843a472225645e917c84f1f9744757f0bab14.patch
39+
---
40+
vendor/golang.org/x/crypto/ssh/agent/keyring.go | 13 ++++++++++---
41+
1 file changed, 10 insertions(+), 3 deletions(-)
42+
43+
diff --git a/vendor/golang.org/x/crypto/ssh/agent/keyring.go b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
44+
index 64bc105..8d8cdb7 100644
45+
--- a/vendor/golang.org/x/crypto/ssh/agent/keyring.go
46+
+++ b/vendor/golang.org/x/crypto/ssh/agent/keyring.go
47+
@@ -32,8 +32,10 @@ type keyring struct {
48+
49+
var errLocked = errors.New("agent: locked")
50+
51+
-// NewKeyring returns an Agent that holds keys in memory. It is safe
52+
-// for concurrent use by multiple goroutines.
53+
+// NewKeyring returns an Agent that holds keys in memory. It is safe for
54+
+// concurrent use by multiple goroutines.
55+
+//
56+
+// The returned Agent only supports the "lifetime" constraint.
57+
func NewKeyring() Agent {
58+
return &keyring{}
59+
}
60+
@@ -146,7 +148,8 @@ func (r *keyring) List() ([]*Key, error) {
61+
// Add adds a private key to the keyring. If a certificate is given, that
62+
// certificate is added as public key.
63+
//
64+
-// Add returns an error if key contains ConstraintExtensions.
65+
+// Add returns an error if key contains ConstraintExtensions or
66+
+// ConfirmBeforeUse.
67+
func (r *keyring) Add(key AddedKey) error {
68+
r.mu.Lock()
69+
defer r.mu.Unlock()
70+
@@ -154,6 +157,10 @@ func (r *keyring) Add(key AddedKey) error {
71+
return errLocked
72+
}
73+
74+
+ if key.ConfirmBeforeUse {
75+
+ return errors.New("agent: confirm before use constraint is not supported")
76+
+ }
77+
+
78+
if len(key.ConstraintExtensions) > 0 {
79+
return errors.New("agent: constraint extensions are present but not supported")
80+
}
81+
--
82+
2.43.0
83+

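Review bot: this patch's keyring.go index line `64bc105..8d8cdb7` starts from the blob the rewritten CVE-2026-39832 patch produces (`21bfa87..64bc105`), and its `@@ -154,6 +157,10 @@` hunk uses the `if len(key.ConstraintExtensions) > 0` block as context, so it applies cleanly only after that patch; keep that dependency in mind if the 39832 patch is ever revised again. The ConfirmBeforeUse check itself mirrors the extensions check: it runs after the `r.locked` test, returns before any key parsing, and the NewKeyring and Add doc comments are updated to state that only the "lifetime" constraint is supported, which removes the false sense of enforcement the message describes. One packaging nit: unlike the previous CVE-2026-39832.patch, this file carries no `Signed-off-by` trailer from the servicing account; add one if the repository convention expects it.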
SPECS/docker-buildx/docker-buildx.spec

Lines changed: 5 additions & 1 deletion
@@ -4,7 +4,7 @@ Summary: A Docker CLI plugin for extended build capabilities with BuildKi
44
Name: docker-buildx
55
# update "commit_hash" above when upgrading version
66
Version: 0.14.0
7-
Release: 14%{?dist}
7+
Release: 15%{?dist}
88
License: ASL 2.0
99
Group: Tools/Container
1010
Vendor: Microsoft Corporation
@@ -36,6 +36,7 @@ Patch21: CVE-2026-39827.patch
3636
Patch22: CVE-2026-39835.patch
3737
Patch23: CVE-2026-42502.patch
3838
Patch24: CVE-2026-46598.patch
39+
Patch25: CVE-2026-39833.patch
3940

4041
BuildRequires: bash
4142
BuildRequires: golang < 1.25
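Review bot: Patch25 only applies if the CVE-2026-39832 patch has already been applied (its keyring.go hunks start from blob 64bc105, which that patch produces, and its last hunk uses the ConstraintExtensions check as context), so correctness here rests on Patch25 having the higher number and patches being applied in numeric order; a one-line comment next to `Patch25: CVE-2026-39833.patch` noting that it must follow the 39832 patch would save the next person a failed %prep when patches are reordered. Also, Patch21 through Patch25 are all CVE backports against this package; if the vendored module they touch is still pinned to an old version, bumping it is likely cheaper than continuing to stack patches.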
@@ -69,6 +70,9 @@ install -m 755 buildx "%{buildroot}%{_libexecdir}/docker/cli-plugins/docker-buil
6970
%{_libexecdir}/docker/cli-plugins/docker-buildx
7071

7172
%changelog
73+
* Mon Jun 01 2026 Akhila Guruju <v-guakhila@microsoft.com> - 0.14.0-15
74+
- Patch CVE-2026-39833 and fix patch for CVE-2026-39832
75+
7276
* Mon Jun 01 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 0.14.0-14
7377
- Patch for CVE-2026-46598, CVE-2026-42502, CVE-2026-39835, CVE-2026-39827, CVE-2026-25681, CVE-2026-25680
7478

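Review bot: the new changelog entry's version 0.14.0-15 matches the Release bump to `15%{?dist}`, and `Mon Jun 01 2026` is a valid weekday/date pair, but the entry only says "fix patch for CVE-2026-39832" without saying what changed, and since that patch file was rewritten in place (only Patch25 is new in the spec) this line is the sole record of the rewrite outside the patch itself. Suggest naming the upstream commits in the entry (e3d1254 and a1ce0fee for CVE-2026-39832, 0fb843a for CVE-2026-39833) so the provenance survives in the spec history.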