#1140189 docker.io: CVE-2026-33747 CVE-2026-33748

Package:
src:docker.io
Source:
src:docker.io
Submitter:
Salvatore Bonaccorso
Date:
2026-06-24 14:39:03 UTC
Severity:
normal
Tags:
#1140189#5
Date:
2026-06-17 05:38:01 UTC
From:
To:
Hi,

The following vulnerabilities were published for docker.io.

CVE-2026-33747[0]:
| BuildKit is a toolkit for converting source code to build artifacts
| in an efficient, expressive and repeatable manner. Prior to version
| 0.28.1, when using a custom BuildKit frontend, the frontend can
| craft an API message that causes files to be written outside of the
| BuildKit state directory for the execution context. The issue has
| been fixed in v0.28.1. The vulnerability requires using an untrusted
| BuildKit frontend set with `#syntax` or `--build-arg
| BUILDKIT_SYNTAX`. Using these options with a well-known frontend
| image like `docker/dockerfile` is not affected.


CVE-2026-33748[1]:
| BuildKit is a toolkit for converting source code to build artifacts
| in an efficient, expressive and repeatable manner. Prior to version
| 0.28.1, insufficient validation of Git URL fragment subdir
| components may allow access to files outside the checked-out Git
| repository root. Possible access is limited to files on the same
| mounted filesystem. The issue has been fixed in version v0.28.1. The
| issue affects only builds that use Git URLs with a subpath
| component. As a workaround, avoid building Dockerfiles from
| untrusted sources or using the subdir component from an untrusted
| Git repository where the subdir component could point to a symlink.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33747
https://www.cve.org/CVERecord?id=CVE-2026-33747
[1] https://security-tracker.debian.org/tracker/CVE-2026-33748
https://www.cve.org/CVERecord?id=CVE-2026-33748

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
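A containment check of the kind the CVE-2026-33748 description calls for, as an added example in Go that is not BuildKit's code or part of the Debian package: `ResolveSubdir`, `escapes` and the temporary-directory layout in `main` are constructed for illustration. The check rejects a subdir lexically first (absolute or climbing `..` paths), then resolves every symlink on the path and verifies the result is still under the real checkout root, which is what catches a subdir that points at a symlink leading outside the repository.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a subdir resolves outside the checkout root.
var ErrOutsideRoot = errors.New("subdir escapes checkout root")
// escapes reports whether a cleaned path is absolute or climbs above its base.
func escapes(p string) bool {
	return filepath.IsAbs(p) || p == ".." || strings.HasPrefix(p, ".."+string(filepath.Separator))
}
// ResolveSubdir returns the symlink-resolved path of subdir inside root, or
// ErrOutsideRoot if a ".." component or a symlink would leave the checkout.
func ResolveSubdir(root, subdir string) (string, error) {
	clean := filepath.Clean(subdir)
	if escapes(clean) { // lexical check: reject before touching the filesystem
		return "", ErrOutsideRoot
	}
	realRoot, err := filepath.EvalSymlinks(root) // e.g. /tmp -> /private/tmp on macOS
	if err != nil {
		return "", err
	}
	// Symlink check: resolve every link on the path, then re-test containment.
	resolved, err := filepath.EvalSymlinks(filepath.Join(realRoot, clean))
	if err != nil {
		return "", err
	}
	if rel, err := filepath.Rel(realRoot, resolved); err != nil || escapes(rel) {
		return "", ErrOutsideRoot
	}
	return resolved, nil
}
// main builds a constructed checkout whose "evil" entry is a symlink to a
// directory outside it and shows which subdir values the check lets through.
func main() {
	dir, _ := os.MkdirTemp("", "subdir-check")
	defer os.RemoveAll(dir)
	repo := filepath.Join(dir, "repo")
	os.MkdirAll(filepath.Join(repo, "app"), 0o755)
	os.MkdirAll(filepath.Join(dir, "outside"), 0o755)
	os.Symlink(filepath.Join("..", "outside"), filepath.Join(repo, "evil"))
	for _, s := range []string{"app", "evil", "../outside"} {
		_, err := ResolveSubdir(repo, s)
		fmt.Printf("%-12s allowed=%v\n", s, err == nil)
	}
}
```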

#1140189#8
Date:
2026-06-24 10:05:39 UTC
From:
To:
Hello,

Bug #1140189 in docker.io reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/go-team/packages/docker/-/commit/5fe288a6eaa76a7ec46ddc12e9723e404738885e

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1140189

#1140189#15
Date:
2026-06-24 14:37:05 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
docker.io, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140189@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated docker.io package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 23 Jun 2026 11:08:56 -0400
Source: docker.io
Architecture: source
Version: 28.5.2+dfsg4-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1139965 1139966 1139967 1140189
Changes:
 docker.io (28.5.2+dfsg4-3) unstable; urgency=medium
 .
   [ Reinhard Tartler ]
   * Backport patch for CVE-2026-41567 (Closes: #1139965)
   * Backport patch for CVE-2026-42306 and CVE-2026-41568,
     (Closes: #1139967, #1139966)
   * Backport patches for CVE-2026-33747 and CVE-2026-33748,
     (Closes: #1140189)
   * Refresh patches
 .
   [ Luca Boccassi ]
   * Install and use sysusers.d config file
   * Drop workaround for versions older than 10 years ago
Checksums-Sha1:
 a4492fc66ef48af7202317158c3d7aa62c9c8b6b 9325 docker.io_28.5.2+dfsg4-3.dsc
 b7f1463911782ab287331df55222eae226f02e17 69684 docker.io_28.5.2+dfsg4-3.debian.tar.xz
Checksums-Sha256:
 3baeba24908ebeb0acbab1fd1fe438dadb5a66b58a8502dda1abfe01fde1d1de 9325 docker.io_28.5.2+dfsg4-3.dsc
 3d68e0e9998983bd290a97fed6943d572e6509bb998ecc97e8d7e9f6891fa591 69684 docker.io_28.5.2+dfsg4-3.debian.tar.xz
Files:
 7e38b307f6d643a2ef526a388b712e71 9325 admin optional docker.io_28.5.2+dfsg4-3.dsc
 4877f12212f525f69b4fc7c70fd932b1 69684 admin optional docker.io_28.5.2+dfsg4-3.debian.tar.xz