From 6b25e6b69d0d170be390d643217ef835c63e1d5b Mon Sep 17 00:00:00 2001 From: bwzhang Date: Fri, 28 Mar 2025 14:13:38 +0800 Subject: [PATCH] backport CVE-2025-22869 (cherry picked from commit c175e1d5ad53a060d8a1c0e9fb2a3a1643b9a743) --- backport-fix-CVE-2025-22869.patch | 136 ++++++++++++++++++++++++++++++ buildah.spec | 9 +- 2 files changed, 144 insertions(+), 1 deletion(-) create mode 100644 backport-fix-CVE-2025-22869.patch diff --git a/backport-fix-CVE-2025-22869.patch b/backport-fix-CVE-2025-22869.patch new file mode 100644 index 0000000..41b69a2 --- /dev/null +++ b/backport-fix-CVE-2025-22869.patch @@ -0,0 +1,136 @@ +From 4242328c70dd806639e213ea51390f0646690a74 Mon Sep 17 00:00:00 2001 +From: Gopher Robot +Date: Fri, 28 Mar 2025 10:36:19 +0800 +Subject: [PATCH] ssh: limit the size of the internal packet queue while + waiting for KEX + +In the SSH protocol, clients and servers execute the key exchange to +generate one-time session keys used for encryption and authentication. +The key exchange is performed initially after the connection is +established and then periodically after a configurable amount of data. +While a key exchange is in progress, we add the received packets to an +internal queue until we receive SSH_MSG_KEXINIT from the other side. +This can result in high memory usage if the other party is slow to +respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a +malicious client never responds to an SSH_MSG_KEXINIT packet during a +large file transfer. +We now limit the internal queue to 64 packets: this means 2MB with the +typical 32KB packet size. +When the internal queue is full we block further writes until the +pending key exchange is completed or there is a read or write error. + +Thanks to Yuichi Watanabe for reporting this issue. + +Change-Id: I1ce2214cc16e08b838d4bc346c74c72addafaeec +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/652135 +Reviewed-by: Neal Patel +Auto-Submit: Gopher Robot +Reviewed-by: Roland Shoemaker +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++----- + 1 file changed, 37 insertions(+), 10 deletions(-) + +diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go +index 56cdc7c..a68d20f 100644 +--- a/vendor/golang.org/x/crypto/ssh/handshake.go ++++ b/vendor/golang.org/x/crypto/ssh/handshake.go +@@ -25,6 +25,11 @@ const debugHandshake = false + // quickly. + const chanSize = 16 + ++// maxPendingPackets sets the maximum number of packets to queue while waiting ++// for KEX to complete. This limits the total pending data to maxPendingPackets ++// * maxPacket bytes, which is ~16.8MB. ++const maxPendingPackets = 64 ++ + // keyingTransport is a packet based transport that supports key + // changes. It need not be thread-safe. It should pass through + // msgNewKeys in both directions. +@@ -73,11 +78,19 @@ type handshakeTransport struct { + incoming chan []byte + readError error + +- mu sync.Mutex +- writeError error +- sentInitPacket []byte +- sentInitMsg *kexInitMsg +- pendingPackets [][]byte // Used when a key exchange is in progress. ++ mu sync.Mutex ++ // Condition for the above mutex. It is used to notify a completed key ++ // exchange or a write failure. Writes can wait for this condition while a ++ // key exchange is in progress. ++ writeCond *sync.Cond ++ writeError error ++ sentInitPacket []byte ++ sentInitMsg *kexInitMsg ++ // Used to queue writes when a key exchange is in progress. The length is ++ // limited by pendingPacketsSize. Once full, writes will block until the key ++ // exchange is completed or an error occurs. If not empty, it is emptied ++ // all at once when the key exchange is completed in kexLoop. ++ pendingPackets [][]byte + writePacketsLeft uint32 + writeBytesLeft int64 + +@@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, + + config: config, + } ++ t.writeCond = sync.NewCond(&t.mu) + t.resetReadThresholds() + t.resetWriteThresholds() + +@@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) { + defer t.mu.Unlock() + if t.writeError == nil && err != nil { + t.writeError = err ++ t.writeCond.Broadcast() + } + } + +@@ -362,6 +377,8 @@ write: + } + } + t.pendingPackets = t.pendingPackets[:0] ++ // Unblock writePacket if waiting for KEX. ++ t.writeCond.Broadcast() + t.mu.Unlock() + } + +@@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error { + } + + if t.sentInitMsg != nil { +- // Copy the packet so the writer can reuse the buffer. +- cp := make([]byte, len(p)) +- copy(cp, p) +- t.pendingPackets = append(t.pendingPackets, cp) +- return nil ++ if len(t.pendingPackets) < maxPendingPackets { ++ // Copy the packet so the writer can reuse the buffer. ++ cp := make([]byte, len(p)) ++ copy(cp, p) ++ t.pendingPackets = append(t.pendingPackets, cp) ++ return nil ++ } ++ for t.sentInitMsg != nil { ++ // Block and wait for KEX to complete or an error. ++ t.writeCond.Wait() ++ if t.writeError != nil { ++ return t.writeError ++ } ++ } + } + + if t.writeBytesLeft > 0 { +@@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error { + + if err := t.pushPacket(p); err != nil { + t.writeError = err ++ t.writeCond.Broadcast() + } + + return nil +-- +2.25.1 + diff --git a/buildah.spec b/buildah.spec index 6e5aa2a..87a9dd9 100644 --- a/buildah.spec +++ b/buildah.spec @@ -22,7 +22,7 @@ Name: buildah Version: 1.34.1 -Release: 5 +Release: 6 Summary: A command line tool used for creating OCI Images License: Apache-2.0 and BSD-2-Clause and BSD-3-Clause and ISC and MIT and MPL-2.0 URL: https://%{name}.io @@ -33,6 +33,7 @@ Patch0001: 0001-fix-CVE-2024-24786.patch Patch0002: 0002-fix-CVE-2024-1753.patch Patch0003: 0003-fix-CVE-2024-28180.patch Patch0004: 0004-fix-CVE-2024-3727.patch +Patch0005: backport-fix-CVE-2025-22869.patch BuildRequires: device-mapper-devel BuildRequires: git-core @@ -148,6 +149,12 @@ rm %{buildroot}%{_datadir}/%{name}/test/system/tools/build/* %{_datadir}/%{name}/test %changelog +* Fri Mar 28 2025 zhangbowei - 1.34.1-6 +-Type:cve +-CVE:CVE-2025-22869 +-SUG:NA +-DESC:backport CVE-2025-22869 + * Thu Dec 26 2024 jianmin - 1.34.1-5 - Type:cve - CVE:CVE-2024-3727 CVE-2024-24791