Compare commits
No commits in common. "7febff6f5260add1a5bfeada60ed015d9fc34a47" and "0fc0b6945c42a76cfc022f24763aa6b28e90ef92" have entirely different histories.
7febff6f52
...
0fc0b6945c
@ -1,59 +0,0 @@
|
||||
From 171172b7a8a24104415f1d461da7a839dd9933a3 Mon Sep 17 00:00:00 2001
|
||||
From: bwzhang <zhangbowei@kylinos.cn>
|
||||
Date: Mon, 25 Mar 2024 10:47:11 +0800
|
||||
Subject: [PATCH] fix CVE-2024-24786
|
||||
|
||||
encoding/protojson, internal/encoding/json: handle missing object values
|
||||
|
||||
In internal/encoding/json, report an error when encountering a }
|
||||
when we are expecting an object field value. For example, the input
|
||||
now correctly results in an error at the closing } token.
|
||||
|
||||
In encoding/protojson, check for an unexpected EOF token in
|
||||
skipJSONValue. This is redundant with the check in internal/encoding/json,
|
||||
but adds a bit more defense against any other similar bugs that
|
||||
might exist.
|
||||
|
||||
Fixes CVE-2024-24786
|
||||
|
||||
Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
|
||||
Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
|
||||
TryBot-Bypass: Damien Neil <dneil@google.com>
|
||||
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
||||
Commit-Queue: Damien Neil <dneil@google.com>
|
||||
---
|
||||
.../protobuf/encoding/protojson/well_known_types.go | 4 ++++
|
||||
.../protobuf/internal/encoding/json/decode.go | 2 +-
|
||||
2 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
|
||||
index 72924a9..d3825ba 100644
|
||||
--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
|
||||
+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
|
||||
@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
|
||||
if err := d.skipJSONValue(); err != nil {
|
||||
return err
|
||||
}
|
||||
+ case json.EOF:
|
||||
+ // This can only happen if there's a bug in Decoder.Read.
|
||||
+ // Avoid an infinite loop if this does happen.
|
||||
+ return errors.New("unexpected EOF")
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
|
||||
index b13fd29..b2be4e8 100644
|
||||
--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
|
||||
+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
|
||||
@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
|
||||
|
||||
case ObjectClose:
|
||||
if len(d.openStack) == 0 ||
|
||||
- d.lastToken.kind == comma ||
|
||||
+ d.lastToken.kind&(Name|comma) != 0 ||
|
||||
d.openStack[len(d.openStack)-1] != ObjectOpen {
|
||||
return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
BIN
cri-tools-1.22.0.tar.gz
Normal file
BIN
cri-tools-1.22.0.tar.gz
Normal file
Binary file not shown.
@ -12,17 +12,14 @@
|
||||
%global built_tag v%{version}
|
||||
|
||||
Name: cri-tools
|
||||
Version: 1.29.0
|
||||
Release: 3
|
||||
Version: 1.22.0
|
||||
Release: 2
|
||||
Summary: CLI and validation tools for Container Runtime Interface
|
||||
License: ASL 2.0
|
||||
URL: https://%{goipath}
|
||||
Source0: https://github.com/kubernetes-sigs/cri-tools/archive/refs/tags/v%{version}.tar.gz
|
||||
Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.tar.gz
|
||||
|
||||
Patch0001: 0001-fix-CVE-2024-24786.patch
|
||||
|
||||
ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm} ppc64le s390x riscv64}
|
||||
Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
|
||||
ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm} ppc64le s390x}
|
||||
BuildRequires: golang, glibc-static, git
|
||||
Provides: crictl = %{version}-%{release}
|
||||
|
||||
@ -30,7 +27,7 @@ Provides: crictl = %{version}-%{release}
|
||||
%{summary}
|
||||
|
||||
%prep
|
||||
%autosetup -p1 -n %{name}-%{version}
|
||||
%setup -q
|
||||
tar -xf %SOURCE1
|
||||
|
||||
%build
|
||||
@ -42,7 +39,6 @@ cp ../_build/bin/go-md2man $GO_MD2MAN_PATH/go-md2man
|
||||
export PATH=$GO_MD2MAN_PATH:$PATH
|
||||
cd -
|
||||
|
||||
export LDFLAGS='-X %{goipath}/pkg/version.Version=v%{version}'
|
||||
%gobuild -o bin/crictl %{goipath}/cmd/crictl
|
||||
go-md2man -in docs/crictl.md -out docs/crictl.1
|
||||
|
||||
@ -63,27 +59,6 @@ install -p -m 644 docs/crictl.1 %{buildroot}%{_mandir}/man1
|
||||
%{_mandir}/man1/crictl*
|
||||
|
||||
%changelog
|
||||
* Fri May 24 2024 Jingwiw <wangjingwei@iscas.ac.cn> - 1.29.0-3
|
||||
- Type:enhancement
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: enable riscv64
|
||||
|
||||
* Wed Apr 10 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.29.0-2
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2024-24786
|
||||
|
||||
* Wed Feb 28 2024 lijian <lijian2@kylinos.cn> - 1.29.0-1
|
||||
- update to 1.29.0
|
||||
|
||||
* Tue Nov 21 2023 suoxiaocong <suoxiaocong@kylinos.cn> - 1.24.2-2
|
||||
- fix bug unknown version
|
||||
|
||||
* Sat Jul 30 2022 tianlijing <tianlijing@kylinos.cn> - 1.24.2-1
|
||||
- update to 1.24.2
|
||||
|
||||
* Tue Jun 07 2022 fushanqing <fushanqing@kylinos.cn> - 1.22.0-2
|
||||
- update Source0
|
||||
|
||||
|
||||
BIN
v1.0.10.tar.gz
Normal file
BIN
v1.0.10.tar.gz
Normal file
Binary file not shown.
BIN
v1.29.0.tar.gz
BIN
v1.29.0.tar.gz
Binary file not shown.
BIN
v2.0.3.tar.gz
BIN
v2.0.3.tar.gz
Binary file not shown.
Loading…
x
Reference in New Issue
Block a user