!28 [sync] PR-26: fix CVE-2025-22869

From: @openeuler-sync-bot 
Reviewed-by: @jianli-97 
Signed-off-by: @jianli-97

0001-fix-CVE-2024-24786.patch

@@ -0,0 +1,59 @@
+From 171172b7a8a24104415f1d461da7a839dd9933a3 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Mon, 25 Mar 2024 10:47:11 +0800
+Subject: [PATCH] fix CVE-2024-24786
+
+encoding/protojson, internal/encoding/json: handle missing object values
+
+In internal/encoding/json, report an error when encountering a }
+when we are expecting an object field value. For example, the input
+ now correctly results in an error at the closing } token.
+
+In encoding/protojson, check for an unexpected EOF token in
+skipJSONValue. This is redundant with the check in internal/encoding/json,
+but adds a bit more defense against any other similar bugs that
+might exist.
+
+Fixes CVE-2024-24786
+
+Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
+Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
+TryBot-Bypass: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Commit-Queue: Damien Neil <dneil@google.com>
+---
+ .../protobuf/encoding/protojson/well_known_types.go           | 4 ++++
+ .../protobuf/internal/encoding/json/decode.go                 | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 72924a9..d3825ba 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
+ 				if err := d.skipJSONValue(); err != nil {
+ 					return err
+ 				}
++			case json.EOF:
++				// This can only happen if there's a bug in Decoder.Read.
++				// Avoid an infinite loop if this does happen.
++				return errors.New("unexpected EOF")
+ 			}
+ 		}
+ 
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+ 
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
++			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.20.1
+

0002-fix-CVE-2024-1753.patch

@@ -0,0 +1,37 @@
+From 6417891690fc0bc85ca4335d7c6ecf8d19ead121 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Thu, 11 Apr 2024 13:53:33 +0800
+Subject: [PATCH] fix CVE-2024-1753
+
+---
+ internal/volumes/volumes.go | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/internal/volumes/volumes.go b/internal/volumes/volumes.go
+index f7ac14a..c07c67e 100644
+--- a/internal/volumes/volumes.go
++++ b/internal/volumes/volumes.go
+@@ -11,6 +11,7 @@ import (
+ 
+ 	"errors"
+ 
++	"github.com/containers/buildah/copier"
+ 	"github.com/containers/buildah/define"
+ 	"github.com/containers/buildah/internal"
+ 	internalParse "github.com/containers/buildah/internal/parse"
+@@ -189,7 +190,11 @@ func GetBindMount(ctx *types.SystemContext, args []string, contextDir string, st
+ 	// buildkit parity: support absolute path for sources from current build context
+ 	if contextDir != "" {
+ 		// path should be /contextDir/specified path
+-		newMount.Source = filepath.Join(contextDir, filepath.Clean(string(filepath.Separator)+newMount.Source))
++		evaluated, err := copier.Eval(contextDir, newMount.Source, copier.EvalOptions{})
++		if err != nil {
++			return newMount, "", err
++		}
++		newMount.Source = evaluated
+ 	} else {
+ 		// looks like its coming from `build run --mount=type=bind` allow using absolute path
+ 		// error out if no source is set
+-- 
+2.20.1
+

0003-fix-CVE-2024-28180.patch

@@ -0,0 +1,117 @@
+From e311b724eaeeda39b5c23cc23953cbee16103a18 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Tue, 23 Apr 2024 18:34:28 +0800
+Subject: [PATCH] fix CVE-2024-28180
+
+---
+ .../github.com/go-jose/go-jose/v3/encoding.go | 21 +++++++++++++++----
+ .../gopkg.in/go-jose/go-jose.v2/encoding.go   | 21 +++++++++++++++----
+ 2 files changed, 34 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/encoding.go b/vendor/github.com/go-jose/go-jose/v3/encoding.go
+index 968a424..d083db8 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/encoding.go
++++ b/vendor/github.com/go-jose/go-jose/v3/encoding.go
+@@ -25,6 +25,7 @@ import (
+ 	"math/big"
+ 	"strings"
+ 	"unicode"
++	"fmt"
+ 
+ 	"github.com/go-jose/go-jose/v3/json"
+ )
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ 	}
+ }
+ 
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ 	output := new(bytes.Buffer)
+ 
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ 	return output.Bytes(), err
+ }
+ 
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger.
+ func inflate(input []byte) ([]byte, error) {
+ 	output := new(bytes.Buffer)
+ 	reader := flate.NewReader(bytes.NewBuffer(input))
+ 
+-	_, err := io.Copy(output, reader)
+-	if err != nil {
++	maxCompressedSize := 10 * int64(len(input))
++	if maxCompressedSize < 250000 {
++		maxCompressedSize = 250000
++	}
++
++	limit := maxCompressedSize + 1
++	n, err := io.CopyN(output, reader, limit)
++	if err != nil && err != io.EOF {
+ 		return nil, err
+ 	}
++	if n == limit {
++		return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++	}
+ 
+ 	err = reader.Close()
+ 	return output.Bytes(), err
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
+index 40b688b..9111733 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
++++ b/vendor/gopkg.in/go-jose/go-jose.v2/encoding.go
+@@ -25,6 +25,7 @@ import (
+ 	"math/big"
+ 	"strings"
+ 	"unicode"
++	"fmt"
+ 
+ 	"gopkg.in/go-jose/go-jose.v2/json"
+ )
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ 	}
+ }
+ 
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ 	output := new(bytes.Buffer)
+ 
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ 	return output.Bytes(), err
+ }
+ 
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger.
+ func inflate(input []byte) ([]byte, error) {
+ 	output := new(bytes.Buffer)
+ 	reader := flate.NewReader(bytes.NewBuffer(input))
+ 
+-	_, err := io.Copy(output, reader)
+-	if err != nil {
++	maxCompressedSize := 10 * int64(len(input))
++	if maxCompressedSize < 250000 {
++		maxCompressedSize = 250000
++	}
++
++	limit := maxCompressedSize + 1
++	n, err := io.CopyN(output, reader, limit)
++	if err != nil && err != io.EOF {
+ 		return nil, err
+ 	}
++	if n == limit {
++		return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++	}
+ 
+ 	err = reader.Close()
+ 	return output.Bytes(), err
+-- 
+2.20.1
+

backport-fix-CVE-2025-22869.patch

@@ -0,0 +1,136 @@
+From 4242328c70dd806639e213ea51390f0646690a74 Mon Sep 17 00:00:00 2001
+From:  Gopher Robot <gobot@golang.org>
+Date: Fri, 28 Mar 2025 10:36:19 +0800
+Subject: [PATCH] ssh: limit the size of the internal packet queue while
+ waiting for KEX
+
+In the SSH protocol, clients and servers execute the key exchange to
+generate one-time session keys used for encryption and authentication.
+The key exchange is performed initially after the connection is
+established and then periodically after a configurable amount of data.
+While a key exchange is in progress, we add the received packets to an
+internal queue until we receive SSH_MSG_KEXINIT from the other side.
+This can result in high memory usage if the other party is slow to
+respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a
+malicious client never responds to an SSH_MSG_KEXINIT packet during a
+large file transfer.
+We now limit the internal queue to 64 packets: this means 2MB with the
+typical 32KB packet size.
+When the internal queue is full we block further writes until the
+pending key exchange is completed or there is a read or write error.
+
+Thanks to Yuichi Watanabe for reporting this issue.
+
+Change-Id: I1ce2214cc16e08b838d4bc346c74c72addafaeec
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/652135
+Reviewed-by: Neal Patel <nealpatel@google.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+---
+ vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++-----
+ 1 file changed, 37 insertions(+), 10 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
+index 56cdc7c..a68d20f 100644
+--- a/vendor/golang.org/x/crypto/ssh/handshake.go
++++ b/vendor/golang.org/x/crypto/ssh/handshake.go
+@@ -25,6 +25,11 @@ const debugHandshake = false
+ // quickly.
+ const chanSize = 16
+ 
++// maxPendingPackets sets the maximum number of packets to queue while waiting
++// for KEX to complete. This limits the total pending data to maxPendingPackets
++// * maxPacket bytes, which is ~16.8MB.
++const maxPendingPackets = 64
++
+ // keyingTransport is a packet based transport that supports key
+ // changes. It need not be thread-safe. It should pass through
+ // msgNewKeys in both directions.
+@@ -73,11 +78,19 @@ type handshakeTransport struct {
+ 	incoming  chan []byte
+ 	readError error
+ 
+-	mu               sync.Mutex
+-	writeError       error
+-	sentInitPacket   []byte
+-	sentInitMsg      *kexInitMsg
+-	pendingPackets   [][]byte // Used when a key exchange is in progress.
++	mu sync.Mutex
++	// Condition for the above mutex. It is used to notify a completed key
++	// exchange or a write failure. Writes can wait for this condition while a
++	// key exchange is in progress.
++	writeCond      *sync.Cond
++	writeError     error
++	sentInitPacket []byte
++	sentInitMsg    *kexInitMsg
++	// Used to queue writes when a key exchange is in progress. The length is
++	// limited by pendingPacketsSize. Once full, writes will block until the key
++	// exchange is completed or an error occurs. If not empty, it is emptied
++	// all at once when the key exchange is completed in kexLoop.
++	pendingPackets   [][]byte
+ 	writePacketsLeft uint32
+ 	writeBytesLeft   int64
+ 
+@@ -133,6 +146,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
+ 
+ 		config: config,
+ 	}
++	t.writeCond = sync.NewCond(&t.mu)
+ 	t.resetReadThresholds()
+ 	t.resetWriteThresholds()
+ 
+@@ -259,6 +273,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
+ 	defer t.mu.Unlock()
+ 	if t.writeError == nil && err != nil {
+ 		t.writeError = err
++		t.writeCond.Broadcast()
+ 	}
+ }
+ 
+@@ -362,6 +377,8 @@ write:
+ 			}
+ 		}
+ 		t.pendingPackets = t.pendingPackets[:0]
++		// Unblock writePacket if waiting for KEX.
++		t.writeCond.Broadcast()
+ 		t.mu.Unlock()
+ 	}
+ 
+@@ -567,11 +584,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
+ 	}
+ 
+ 	if t.sentInitMsg != nil {
+-		// Copy the packet so the writer can reuse the buffer.
+-		cp := make([]byte, len(p))
+-		copy(cp, p)
+-		t.pendingPackets = append(t.pendingPackets, cp)
+-		return nil
++		if len(t.pendingPackets) < maxPendingPackets {
++			// Copy the packet so the writer can reuse the buffer.
++			cp := make([]byte, len(p))
++			copy(cp, p)
++			t.pendingPackets = append(t.pendingPackets, cp)
++			return nil
++		}
++		for t.sentInitMsg != nil {
++			// Block and wait for KEX to complete or an error.
++			t.writeCond.Wait()
++			if t.writeError != nil {
++				return t.writeError
++			}
++		}
+ 	}
+ 
+ 	if t.writeBytesLeft > 0 {
+@@ -588,6 +614,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
+ 
+ 	if err := t.pushPacket(p); err != nil {
+ 		t.writeError = err
++		t.writeCond.Broadcast()
+ 	}
+ 
+ 	return nil
+-- 
+2.25.1
+

buildah.spec

@@ -22,12 +22,19 @@
 
 Name:           buildah
 Version:        1.34.1
-Release:        1
+Release:        6
 Summary:        A command line tool used for creating OCI Images
 License:        Apache-2.0 and BSD-2-Clause and BSD-3-Clause and ISC and MIT and MPL-2.0
 URL:            https://%{name}.io
 Source:         %{git0}/archive/refs/tags/v%{version}.tar.gz
 Source1:        https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.2.tar.gz
+
+Patch0001:      0001-fix-CVE-2024-24786.patch
+Patch0002:      0002-fix-CVE-2024-1753.patch
+Patch0003:      0003-fix-CVE-2024-28180.patch
+Patch0004:      0004-fix-CVE-2024-3727.patch
+Patch0005:      backport-fix-CVE-2025-22869.patch
+
 BuildRequires:  device-mapper-devel
 BuildRequires:  git-core
 BuildRequires:  golang >= 1.16.6
@@ -74,7 +81,7 @@ Requires: git-daemon
 This package contains system tests for %{name}
 
 %prep
-%autosetup -Sgit -n %{name}-%{version}
+%autosetup -Sgit -n %{name}-%{version} -p1
 tar -xf %SOURCE1
 
 %build
@@ -142,6 +149,35 @@ rm %{buildroot}%{_datadir}/%{name}/test/system/tools/build/*
 %{_datadir}/%{name}/test
 
 %changelog
+* Fri Mar 28 2025 zhangbowei <zhangbowei@kylinos.cn> - 1.34.1-6
+-Type:cve
+-CVE:CVE-2025-22869
+-SUG:NA
+-DESC:backport CVE-2025-22869
+
+* Thu Dec 26 2024 jianmin <jianmin@iscas.ac.cn> - 1.34.1-5
+- Type:cve
+- CVE:CVE-2024-3727 CVE-2024-24791
+- SUG:NA
+- DESC: fix CVE-2024-3727 and Rebuild to fix CVE-2024-24791
+* Tue Apr 23 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.34.1-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-28180
+
+* Thu Apr 11 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.34.1-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-1753
+
+* Wed Apr 10 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.34.1-2
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-24786
+
 * Wed Feb 28 2024 chendexi <chendexi@kylinos.cn> - 1.34.1-1
 - Upgrade to 1.34.1