packages/etcd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!51 Fix CVE-2022-41723

Browse Source 
From: @northgarden 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
This commit is contained in:
openeuler-ci-bot 2024-04-17 08:45:55 +00:00 committed by Gitee
commit 962657f9e0
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 168 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

159
0005-fix-CVE-2022-41723.patch Normal file
View File

@ -0,0 +1,159 @@
From 11bc24fcd1f15f54849c7aebefe1bbdc0d75437b Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Sun, 7 Apr 2024 17:04:42 +0800
Subject: [PATCH] fix CVE-2022-41723
http2/hpack: avoid quadratic complexity in hpack decoding
When parsing a field literal containing two Huffman-encoded strings,
don't decode the first string until verifying all data is present.
Avoids forced quadratic complexity when repeatedly parsing a partial
field, repeating the Huffman decoding of the string on each iteration.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
Fixes golang/go#57855
Fixes CVE-2022-41723
Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
Run-TryBot: Michael Pratt <mpratt@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
vendor/golang.org/x/net/http2/hpack/hpack.go | 79 ++++++++++++--------
1 file changed, 49 insertions(+), 30 deletions(-)
diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go
index 85f18a2..7e7e4cf 100644
--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
+++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
var hf HeaderField
wantStr := d.emitEnabled || it.indexed()
+ var undecodedName undecodedString
if nameIdx > 0 {
ihf, ok := d.at(nameIdx)
if !ok {
@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
}
hf.Name = ihf.Name
} else {
- hf.Name, buf, err = d.readString(buf, wantStr)
+ undecodedName, buf, err = d.readString(buf)
if err != nil {
return err
}
}
- hf.Value, buf, err = d.readString(buf, wantStr)
+ undecodedValue, buf, err := d.readString(buf)
if err != nil {
return err
}
+ if wantStr {
+ if nameIdx <= 0 {
+ hf.Name, err = d.decodeString(undecodedName)
+ if err != nil {
+ return err
+ }
+ }
+ hf.Value, err = d.decodeString(undecodedValue)
+ if err != nil {
+ return err
+ }
+ }
d.buf = buf
if it.indexed() {
d.dynTab.add(hf)
@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
return 0, origP, errNeedMore
}
-// readString decodes an hpack string from p.
+// readString reads an hpack string from p.
//
-// wantStr is whether s will be used. If false, decompression and
-// []byte->string garbage are skipped if s will be ignored
-// anyway. This does mean that huffman decoding errors for non-indexed
-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
-// is returning an error anyway, and because they're not indexed, the error
-// won't affect the decoding state.
-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
+// It returns a reference to the encoded string data to permit deferring decode costs
+// until after the caller verifies all data is present.
+func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
if len(p) == 0 {
- return "", p, errNeedMore
+ return u, p, errNeedMore
}
isHuff := p[0]&128 != 0
strLen, p, err := readVarInt(7, p)
if err != nil {
- return "", p, err
+ return u, p, err
}
if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
- return "", nil, ErrStringLength
+ // Returning an error here means Huffman decoding errors
+ // for non-indexed strings past the maximum string length
+ // are ignored, but the server is returning an error anyway
+ // and because the string is not indexed the error will not
+ // affect the decoding state.
+ return u, nil, ErrStringLength
}
if uint64(len(p)) < strLen {
- return "", p, errNeedMore
- }
- if !isHuff {
- if wantStr {
- s = string(p[:strLen])
- }
- return s, p[strLen:], nil
+ return u, p, errNeedMore
}
+ u.isHuff = isHuff
+ u.b = p[:strLen]
+ return u, p[strLen:], nil
+}
- if wantStr {
- buf := bufPool.Get().(*bytes.Buffer)
- buf.Reset() // don't trust others
- defer bufPool.Put(buf)
- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
- buf.Reset()
- return "", nil, err
- }
+type undecodedString struct {
+ isHuff bool
+ b []byte
+}
+
+func (d *Decoder) decodeString(u undecodedString) (string, error) {
+ if !u.isHuff {
+ return string(u.b), nil
+ }
+ buf := bufPool.Get().(*bytes.Buffer)
+ buf.Reset() // don't trust others
+ var s string
+ err := huffmanDecode(buf, d.maxStrLen, u.b)
+ if err == nil {
s = buf.String()
- buf.Reset() // be nice to GC
}
- return s, p[strLen:], nil
+ buf.Reset() // be nice to GC
+ bufPool.Put(buf)
+ return s, err
}
--
2.20.1

10
etcd.spec
View File

@ -31,7 +31,7 @@ system.}
%global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/* %global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/*
Name: etcd Name: etcd
Release: 6 Release: 7
Summary: Distributed reliable key-value store for the most critical data of a distributed system Summary: Distributed reliable key-value store for the most critical data of a distributed system
# Upstream license specification: Apache-2.0 # Upstream license specification: Apache-2.0
@ -48,6 +48,7 @@ Patch1: 0001-Convert-int-to-string-using-strconv.Itoa.patch
Patch2: 0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-set.patch Patch2: 0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-set.patch
Patch3: 0003-etcd-Add-sw64-architecture.patch Patch3: 0003-etcd-Add-sw64-architecture.patch
Patch4: 0004-fix-CVE-2023-45288.patch Patch4: 0004-fix-CVE-2023-45288.patch
Patch5: 0005-fix-CVE-2022-41723.patch
BuildRequires: golang BuildRequires: golang
BuildRequires: python3-devel BuildRequires: python3-devel
@ -66,6 +67,7 @@ Requires(pre): shadow-utils
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
%ifarch sw_64 %ifarch sw_64
%patch3 -p1 %patch3 -p1
%endif %endif
@ -154,6 +156,12 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
%endif %endif
%changelog %changelog
* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-7
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2022-41723
* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-6 * Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-6
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA