Compare commits
10 Commits
0fc0b6945c
...
7febff6f52
| Author | SHA1 | Date | |
|---|---|---|---|
|
7febff6f52 | ||
|
|
48d0fda4cf | ||
|
|
9fedddcaa5 | ||
|
|
b0a3357781 | ||
|
|
8ef2d386e8 | ||
|
|
8443a9ba43 | ||
|
|
adb9365653 | ||
|
|
bb1754e1ef | ||
|
|
21cb438006 | ||
|
|
77da0c0566 |
59
0001-fix-CVE-2024-24786.patch
Normal file
59
0001-fix-CVE-2024-24786.patch
Normal file
@ -0,0 +1,59 @@
|
||||
From 171172b7a8a24104415f1d461da7a839dd9933a3 Mon Sep 17 00:00:00 2001
|
||||
From: bwzhang <zhangbowei@kylinos.cn>
|
||||
Date: Mon, 25 Mar 2024 10:47:11 +0800
|
||||
Subject: [PATCH] fix CVE-2024-24786
|
||||
|
||||
encoding/protojson, internal/encoding/json: handle missing object values
|
||||
|
||||
In internal/encoding/json, report an error when encountering a }
|
||||
when we are expecting an object field value. For example, the input
|
||||
now correctly results in an error at the closing } token.
|
||||
|
||||
In encoding/protojson, check for an unexpected EOF token in
|
||||
skipJSONValue. This is redundant with the check in internal/encoding/json,
|
||||
but adds a bit more defense against any other similar bugs that
|
||||
might exist.
|
||||
|
||||
Fixes CVE-2024-24786
|
||||
|
||||
Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
|
||||
Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
|
||||
TryBot-Bypass: Damien Neil <dneil@google.com>
|
||||
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
||||
Commit-Queue: Damien Neil <dneil@google.com>
|
||||
---
|
||||
.../protobuf/encoding/protojson/well_known_types.go | 4 ++++
|
||||
.../protobuf/internal/encoding/json/decode.go | 2 +-
|
||||
2 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
|
||||
index 72924a9..d3825ba 100644
|
||||
--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
|
||||
+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
|
||||
@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
|
||||
if err := d.skipJSONValue(); err != nil {
|
||||
return err
|
||||
}
|
||||
+ case json.EOF:
|
||||
+ // This can only happen if there's a bug in Decoder.Read.
|
||||
+ // Avoid an infinite loop if this does happen.
|
||||
+ return errors.New("unexpected EOF")
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
|
||||
index b13fd29..b2be4e8 100644
|
||||
--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
|
||||
+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
|
||||
@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
|
||||
|
||||
case ObjectClose:
|
||||
if len(d.openStack) == 0 ||
|
||||
- d.lastToken.kind == comma ||
|
||||
+ d.lastToken.kind&(Name|comma) != 0 ||
|
||||
d.openStack[len(d.openStack)-1] != ObjectOpen {
|
||||
return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
Binary file not shown.
@ -12,14 +12,17 @@
|
||||
%global built_tag v%{version}
|
||||
|
||||
Name: cri-tools
|
||||
Version: 1.22.0
|
||||
Release: 2
|
||||
Version: 1.29.0
|
||||
Release: 3
|
||||
Summary: CLI and validation tools for Container Runtime Interface
|
||||
License: ASL 2.0
|
||||
URL: https://%{goipath}
|
||||
Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
|
||||
ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm} ppc64le s390x}
|
||||
Source0: https://github.com/kubernetes-sigs/cri-tools/archive/refs/tags/v%{version}.tar.gz
|
||||
Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.tar.gz
|
||||
|
||||
Patch0001: 0001-fix-CVE-2024-24786.patch
|
||||
|
||||
ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm} ppc64le s390x riscv64}
|
||||
BuildRequires: golang, glibc-static, git
|
||||
Provides: crictl = %{version}-%{release}
|
||||
|
||||
@ -27,7 +30,7 @@ Provides: crictl = %{version}-%{release}
|
||||
%{summary}
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%autosetup -p1 -n %{name}-%{version}
|
||||
tar -xf %SOURCE1
|
||||
|
||||
%build
|
||||
@ -39,6 +42,7 @@ cp ../_build/bin/go-md2man $GO_MD2MAN_PATH/go-md2man
|
||||
export PATH=$GO_MD2MAN_PATH:$PATH
|
||||
cd -
|
||||
|
||||
export LDFLAGS='-X %{goipath}/pkg/version.Version=v%{version}'
|
||||
%gobuild -o bin/crictl %{goipath}/cmd/crictl
|
||||
go-md2man -in docs/crictl.md -out docs/crictl.1
|
||||
|
||||
@ -59,6 +63,27 @@ install -p -m 644 docs/crictl.1 %{buildroot}%{_mandir}/man1
|
||||
%{_mandir}/man1/crictl*
|
||||
|
||||
%changelog
|
||||
* Fri May 24 2024 Jingwiw <wangjingwei@iscas.ac.cn> - 1.29.0-3
|
||||
- Type:enhancement
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: enable riscv64
|
||||
|
||||
* Wed Apr 10 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.29.0-2
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2024-24786
|
||||
|
||||
* Wed Feb 28 2024 lijian <lijian2@kylinos.cn> - 1.29.0-1
|
||||
- update to 1.29.0
|
||||
|
||||
* Tue Nov 21 2023 suoxiaocong <suoxiaocong@kylinos.cn> - 1.24.2-2
|
||||
- fix bug unknown version
|
||||
|
||||
* Sat Jul 30 2022 tianlijing <tianlijing@kylinos.cn> - 1.24.2-1
|
||||
- update to 1.24.2
|
||||
|
||||
* Tue Jun 07 2022 fushanqing <fushanqing@kylinos.cn> - 1.22.0-2
|
||||
- update Source0
|
||||
|
||||
|
||||
BIN
v1.0.10.tar.gz
BIN
v1.0.10.tar.gz
Binary file not shown.
BIN
v1.29.0.tar.gz
Normal file
BIN
v1.29.0.tar.gz
Normal file
Binary file not shown.
BIN
v2.0.3.tar.gz
Normal file
BIN
v2.0.3.tar.gz
Normal file
Binary file not shown.
Loading…
x
Reference in New Issue
Block a user