[MEDIUM] Patch moby-buildx for CVE-2025-0495 (#13782)

Author: aninda-al

SPECS/moby-buildx/CVE-2025-0495.patch

@@ -0,0 +1,106 @@
+From 4745215cea5eb7927e2ff37a57124c91355f1bd7 Mon Sep 17 00:00:00 2001
+From: Aninda <[email protected]>
+Date: Tue, 13 May 2025 08:36:18 -0400
+Subject: [PATCH] Address CVE-2025-0495
+Upstream Patch Reference: https://github.com/docker/buildx/commit/0982070af84d476b232d2d75ab551c3222592db1
+
+---
+ commands/bake.go      | 12 +++++++++++-
+ commands/build.go     |  7 ++++++-
+ util/tracing/trace.go |  7 +++----
+ 3 files changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/commands/bake.go b/commands/bake.go
+index 129b635..a3fa1ac 100644
+--- a/commands/bake.go
++++ b/commands/bake.go
+@@ -5,6 +5,7 @@ import (
+ 	"encoding/json"
+ 	"fmt"
+ 	"os"
++	"strings"
+ 
+ 	"github.com/containerd/containerd/platforms"
+ 	"github.com/docker/buildx/bake"
+@@ -17,6 +18,7 @@ import (
+ 	"github.com/moby/buildkit/util/appcontext"
+ 	"github.com/pkg/errors"
+ 	"github.com/spf13/cobra"
++	"go.opentelemetry.io/otel/attribute"
+ )
+ 
+ type bakeOptions struct {
+@@ -29,7 +31,15 @@ type bakeOptions struct {
+ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error) {
+ 	ctx := appcontext.Context()
+ 
+-	ctx, end, err := tracing.TraceCurrentCommand(ctx, "bake")
++	// Convert slices to strings
++	targetsStr := strings.Join(targets, ",")
++	filesStr := strings.Join(in.files, ",")
++
++	ctx, end, err := tracing.TraceCurrentCommand(ctx, append([]string{"bake"}, targets...),
++		attribute.String("builder", in.commonOptions.builder),
++		attribute.String("targets", targetsStr),
++		attribute.String("files", filesStr),	
++	)
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/commands/build.go b/commands/build.go
+index bfefd70..be6a41e 100644
+--- a/commands/build.go
++++ b/commands/build.go
+@@ -26,6 +26,7 @@ import (
+ 	"github.com/sirupsen/logrus"
+ 	"github.com/spf13/cobra"
+ 	"github.com/spf13/pflag"
++	"go.opentelemetry.io/otel/attribute"
+ )
+ 
+ const defaultTargetName = "default"
+@@ -72,7 +73,11 @@ type commonOptions struct {
+ func runBuild(dockerCli command.Cli, in buildOptions) (err error) {
+ 	ctx := appcontext.Context()
+ 
+-	ctx, end, err := tracing.TraceCurrentCommand(ctx, "build")
++	ctx, end, err := tracing.TraceCurrentCommand(ctx, []string{"build", in.contextPath},
++		attribute.String("builder", in.builder),
++		attribute.String("context", in.contextPath),
++		attribute.String("dockerfile", in.dockerfileName),
++	)
+ 	if err != nil {
+ 		return err
+ 	}
+diff --git a/util/tracing/trace.go b/util/tracing/trace.go
+index c95ad5a..13ce349 100644
+--- a/util/tracing/trace.go
++++ b/util/tracing/trace.go
+@@ -2,7 +2,6 @@ package tracing
+ 
+ import (
+ 	"context"
+-	"os"
+ 	"strings"
+ 
+ 	"github.com/moby/buildkit/util/tracing/detect"
+@@ -10,13 +9,13 @@ import (
+ 	"go.opentelemetry.io/otel/trace"
+ )
+ 
+-func TraceCurrentCommand(ctx context.Context, name string) (context.Context, func(error), error) {
++func TraceCurrentCommand(ctx context.Context, args []string, attrs ...attribute.KeyValue) (context.Context, func(error), error) {
+ 	tp, err := detect.TracerProvider()
+ 	if err != nil {
+ 		return context.Background(), nil, err
+ 	}
+-	ctx, span := tp.Tracer("").Start(ctx, name, trace.WithAttributes(
+-		attribute.String("command", strings.Join(os.Args, " ")),
++	ctx, span := tp.Tracer("").Start(ctx, strings.Join(args, " "), trace.WithAttributes(
++		attrs...,
+ 	))
+ 
+ 	return ctx, func(err error) {
+-- 
+2.34.1
+

SPECS/moby-buildx/moby-buildx.spec

@@ -5,7 +5,7 @@ Summary:        A Docker CLI plugin for extended build capabilities with BuildKi
 Name:           moby-%{upstream_name}
 # update "commit_hash" above when upgrading version
 Version:        0.7.1
-Release:        24%{?dist}
+Release:        25%{?dist}
 License:        ASL 2.0
 Group:          Tools/Container
 Vendor:         Microsoft Corporation
@@ -24,6 +24,7 @@ Patch7:         CVE-2022-41717.patch
 Patch8:         CVE-2023-45288.patch
 Patch9:         CVE-2023-48795.patch
 Patch10:        CVE-2024-24786.patch
+Patch11:        CVE-2025-0495.patch
 
 BuildRequires: bash
 BuildRequires: golang
@@ -54,6 +55,9 @@ cp -aT buildx "%{buildroot}/%{_libexecdir}/docker/cli-plugins/docker-buildx"
 %{_libexecdir}/docker/cli-plugins/docker-buildx
 
 %changelog
+* Tue May 13 2025 Aninda Pradhan <[email protected]> - 0.7.1-25
+- Fixes CVE-2025-0495, referred upstream patch from debian
+
 * Thu Dec 05 2024 sthelkar <[email protected]> - 0.7.1-24
 - Patch CVE-2024-24786