packages/buildah
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-28180

Browse Source
This commit is contained in:
bwzhang 2024-04-23 18:35:31 +08:00
parent 782faf4516
commit adf2101f53
2 changed files with 125 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
0003-fix-CVE-2024-28180.patch Normal file
View File

@ -0,0 +1,117 @@
From e311b724eaeeda39b5c23cc23953cbee16103a18 Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Tue, 23 Apr 2024 18:34:28 +0800
Subject: [PATCH] fix CVE-2024-28180
---
.../github.com/go-jose/go-jose/v3/encoding.go | 21 +++++++++++++++----
.../gopkg.in/go-jose/go-jose.v2/encoding.go | 21 +++++++++++++++----
2 files changed, 34 insertions(+), 8 deletions(-)
diff --git a/vendor/github.com/go-jose/go-jose/v3/encoding.go b/vendor/github.com/go-jose/go-jose/v3/encoding.go
index 968a424..d083db8 100644
--- a/vendor/github.com/go-jose/go-jose/v3/encoding.go
+++ b/vendor/github.com/go-jose/go-jose/v3/encoding.go
@@ -25,6 +25,7 @@ import (
"math/big"
"strings"
"unicode"
+ "fmt"
"github.com/go-jose/go-jose/v3/json"
)
@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
}
}
-// Compress with DEFLATE
+// deflate compresses the input.
func deflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
return output.Bytes(), err
}
-// Decompress with DEFLATE
+// inflate decompresses the input.
+//
+// Errors if the decompressed data would be >250kB or >10x the size of the
+// compressed data, whichever is larger.
func inflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
reader := flate.NewReader(bytes.NewBuffer(input))
- _, err := io.Copy(output, reader)
- if err != nil {
+ maxCompressedSize := 10 * int64(len(input))
+ if maxCompressedSize < 250000 {
+ maxCompressedSize = 250000
+ }
+
+ limit := maxCompressedSize + 1
+ n, err := io.CopyN(output, reader, limit)
+ if err != nil && err != io.EOF {
return nil, err
}
+ if n == limit {
+ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
+ }
err = reader.Close()
return output.Bytes(), err
diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
index 40b688b..9111733 100644
--- a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
+++ b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
@@ -25,6 +25,7 @@ import (
"math/big"
"strings"
"unicode"
+ "fmt"
"gopkg.in/go-jose/go-jose.v2/json"
)
@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
}
}
-// Compress with DEFLATE
+// deflate compresses the input.
func deflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
return output.Bytes(), err
}
-// Decompress with DEFLATE
+// inflate decompresses the input.
+//
+// Errors if the decompressed data would be >250kB or >10x the size of the
+// compressed data, whichever is larger.
func inflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
reader := flate.NewReader(bytes.NewBuffer(input))
- _, err := io.Copy(output, reader)
- if err != nil {
+ maxCompressedSize := 10 * int64(len(input))
+ if maxCompressedSize < 250000 {
+ maxCompressedSize = 250000
+ }
+
+ limit := maxCompressedSize + 1
+ n, err := io.CopyN(output, reader, limit)
+ if err != nil && err != io.EOF {
return nil, err
}
+ if n == limit {
+ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
+ }
err = reader.Close()
return output.Bytes(), err
--
2.20.1

9
buildah.spec
View File

@ -22,7 +22,7 @@
Name: buildah Name: buildah
Version: 1.34.1 Version: 1.34.1
Release: 3 Release: 4
Summary: A command line tool used for creating OCI Images Summary: A command line tool used for creating OCI Images
License: Apache-2.0 and BSD-2-Clause and BSD-3-Clause and ISC and MIT and MPL-2.0 License: Apache-2.0 and BSD-2-Clause and BSD-3-Clause and ISC and MIT and MPL-2.0
URL: https://%{name}.io URL: https://%{name}.io
@ -31,6 +31,7 @@ Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.2.t
Patch0001: 0001-fix-CVE-2024-24786.patch Patch0001: 0001-fix-CVE-2024-24786.patch
Patch0002: 0002-fix-CVE-2024-1753.patch Patch0002: 0002-fix-CVE-2024-1753.patch
Patch0003: 0003-fix-CVE-2024-28180.patch
BuildRequires: device-mapper-devel BuildRequires: device-mapper-devel
BuildRequires: git-core BuildRequires: git-core
@ -146,6 +147,12 @@ rm %{buildroot}%{_datadir}/%{name}/test/system/tools/build/*
%{_datadir}/%{name}/test %{_datadir}/%{name}/test
%changelog %changelog
* Tue Apr 23 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.34.1-4
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2024-28180
* Thu Apr 11 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.34.1-3 * Thu Apr 11 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.34.1-3
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA