packages/cri-o
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-28180

Browse Source
This commit is contained in:
bwzhang 2024-04-02 16:26:14 +08:00
parent abb8433f91
commit 4fca04c3ff
2 changed files with 97 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
0003-fix-CVE-2024-28180.patch Normal file
View File

@ -0,0 +1,89 @@
From d1aef6461e6fff7afce01fa6aa832914cb0f26a8 Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Thu, 28 Mar 2024 16:30:28 +0800
Subject: [PATCH] fix CVE-2024-28180
---
.../github.com/go-jose/go-jose/v3/crypter.go | 6 ++++++
.../github.com/go-jose/go-jose/v3/encoding.go | 21 +++++++++++++++----
2 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/vendor/github.com/go-jose/go-jose/v3/crypter.go b/vendor/github.com/go-jose/go-jose/v3/crypter.go
index 6901137..34d4e1f 100644
--- a/vendor/github.com/go-jose/go-jose/v3/crypter.go
+++ b/vendor/github.com/go-jose/go-jose/v3/crypter.go
@@ -406,6 +406,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
// Decrypt and validate the object and return the plaintext. Note that this
// function does not support multi-recipient, if you desire multi-recipient
// decryption use DecryptMulti instead.
+//
+// Automatically decompresses plaintext, but returns an error if the decompressed
+// data would be >250kB or >10x the size of the compressed data, whichever is larger.
func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
headers := obj.mergedHeaders(nil)
@@ -471,6 +474,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
// with support for multiple recipients. It returns the index of the recipient
// for which the decryption was successful, the merged headers for that recipient,
// and the plaintext.
+//
+// Automatically decompresses plaintext, but returns an error if the decompressed
+// data would be >250kB or >3x the size of the compressed data, whichever is larger.
func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
globalHeaders := obj.mergedHeaders(nil)
diff --git a/vendor/github.com/go-jose/go-jose/v3/encoding.go b/vendor/github.com/go-jose/go-jose/v3/encoding.go
index 968a424..c378031 100644
--- a/vendor/github.com/go-jose/go-jose/v3/encoding.go
+++ b/vendor/github.com/go-jose/go-jose/v3/encoding.go
@@ -21,6 +21,7 @@ import (
"compress/flate"
"encoding/base64"
"encoding/binary"
+ "fmt"
"io"
"math/big"
"strings"
@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
}
}
-// Compress with DEFLATE
+// deflate compresses the input.
func deflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
return output.Bytes(), err
}
-// Decompress with DEFLATE
+// inflate decompresses the input.
+//
+// Errors if the decompressed data would be >250kB or >10x the size of the
+// compressed data, whichever is larger
func inflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
reader := flate.NewReader(bytes.NewBuffer(input))
- _, err := io.Copy(output, reader)
- if err != nil {
+ maxCompressedSize := 10 * int64(len(input))
+ if maxCompressedSize < 250000 {
+ maxCompressedSize = 250000
+ }
+
+ limit := maxCompressedSize + 1
+ n, err := io.CopyN(output, reader, limit)
+ if err != nil && err != io.EOF {
return nil, err
}
+ if n == limit {
+ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
+ }
err = reader.Close()
return output.Bytes(), err
--
2.20.1

9
cri-o.spec
View File

@ -21,7 +21,7 @@
Name: cri-o Name: cri-o
Version: 1.29.2 Version: 1.29.2
Epoch: 0 Epoch: 0
Release: 3 Release: 4
Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
License: ASL 2.0 License: ASL 2.0
URL: https://github.com/cri-o/cri-o URL: https://github.com/cri-o/cri-o
@ -30,6 +30,7 @@ Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.t
Patch0001: 0001-fix-CVE-2024-24786.patch Patch0001: 0001-fix-CVE-2024-24786.patch
Patch0002: 0002-fix-CVE-2023-48795.patch Patch0002: 0002-fix-CVE-2023-48795.patch
Patch0003: 0003-fix-CVE-2024-28180.patch
ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}} ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
BuildRequires: btrfs-progs-devel device-mapper-devel go-srpm-macros BuildRequires: btrfs-progs-devel device-mapper-devel go-srpm-macros
@ -160,6 +161,12 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
%{_datadir}/zsh/site-functions/_%{service_name}* %{_datadir}/zsh/site-functions/_%{service_name}*
%changelog %changelog
* Tue Apr 2 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.29.2-4
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: CVE-2024-28180
* Mon Apr 1 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.29.2-3 * Mon Apr 1 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.29.2-3
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA