fix CVE-2022-41723
This commit is contained in:
bwzhang
parent
ecd59e3330
commit
d35b1fd9a5
159
0005-fix-CVE-2022-41723.patch
Normal file
159
0005-fix-CVE-2022-41723.patch
Normal file
@ -0,0 +1,159 @@
|
||||
From 11bc24fcd1f15f54849c7aebefe1bbdc0d75437b Mon Sep 17 00:00:00 2001
|
||||
From: bwzhang <zhangbowei@kylinos.cn>
|
||||
Date: Sun, 7 Apr 2024 17:04:42 +0800
|
||||
Subject: [PATCH] fix CVE-2022-41723
|
||||
|
||||
http2/hpack: avoid quadratic complexity in hpack decoding
|
||||
|
||||
When parsing a field literal containing two Huffman-encoded strings,
|
||||
don't decode the first string until verifying all data is present.
|
||||
Avoids forced quadratic complexity when repeatedly parsing a partial
|
||||
field, repeating the Huffman decoding of the string on each iteration.
|
||||
|
||||
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
|
||||
|
||||
Fixes golang/go#57855
|
||||
Fixes CVE-2022-41723
|
||||
|
||||
Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
|
||||
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
|
||||
Reviewed-by: Julie Qiu <julieqiu@google.com>
|
||||
Run-TryBot: Damien Neil <dneil@google.com>
|
||||
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
|
||||
Run-TryBot: Michael Pratt <mpratt@google.com>
|
||||
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
||||
Reviewed-by: Than McIntosh <thanm@google.com>
|
||||
Auto-Submit: Michael Pratt <mpratt@google.com>
|
||||
TryBot-Result: Gopher Robot <gobot@golang.org>
|
||||
---
|
||||
vendor/golang.org/x/net/http2/hpack/hpack.go | 79 ++++++++++++--------
|
||||
1 file changed, 49 insertions(+), 30 deletions(-)
|
||||
|
||||
diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go
|
||||
index 85f18a2..7e7e4cf 100644
|
||||
--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
|
||||
+++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
|
||||
@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
|
||||
|
||||
var hf HeaderField
|
||||
wantStr := d.emitEnabled || it.indexed()
|
||||
+ var undecodedName undecodedString
|
||||
if nameIdx > 0 {
|
||||
ihf, ok := d.at(nameIdx)
|
||||
if !ok {
|
||||
@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
|
||||
}
|
||||
hf.Name = ihf.Name
|
||||
} else {
|
||||
- hf.Name, buf, err = d.readString(buf, wantStr)
|
||||
+ undecodedName, buf, err = d.readString(buf)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
- hf.Value, buf, err = d.readString(buf, wantStr)
|
||||
+ undecodedValue, buf, err := d.readString(buf)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
+ if wantStr {
|
||||
+ if nameIdx <= 0 {
|
||||
+ hf.Name, err = d.decodeString(undecodedName)
|
||||
+ if err != nil {
|
||||
+ return err
|
||||
+ }
|
||||
+ }
|
||||
+ hf.Value, err = d.decodeString(undecodedValue)
|
||||
+ if err != nil {
|
||||
+ return err
|
||||
+ }
|
||||
+ }
|
||||
d.buf = buf
|
||||
if it.indexed() {
|
||||
d.dynTab.add(hf)
|
||||
@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
|
||||
return 0, origP, errNeedMore
|
||||
}
|
||||
|
||||
-// readString decodes an hpack string from p.
|
||||
+// readString reads an hpack string from p.
|
||||
//
|
||||
-// wantStr is whether s will be used. If false, decompression and
|
||||
-// []byte->string garbage are skipped if s will be ignored
|
||||
-// anyway. This does mean that huffman decoding errors for non-indexed
|
||||
-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
|
||||
-// is returning an error anyway, and because they're not indexed, the error
|
||||
-// won't affect the decoding state.
|
||||
-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
|
||||
+// It returns a reference to the encoded string data to permit deferring decode costs
|
||||
+// until after the caller verifies all data is present.
|
||||
+func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
|
||||
if len(p) == 0 {
|
||||
- return "", p, errNeedMore
|
||||
+ return u, p, errNeedMore
|
||||
}
|
||||
isHuff := p[0]&128 != 0
|
||||
strLen, p, err := readVarInt(7, p)
|
||||
if err != nil {
|
||||
- return "", p, err
|
||||
+ return u, p, err
|
||||
}
|
||||
if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
|
||||
- return "", nil, ErrStringLength
|
||||
+ // Returning an error here means Huffman decoding errors
|
||||
+ // for non-indexed strings past the maximum string length
|
||||
+ // are ignored, but the server is returning an error anyway
|
||||
+ // and because the string is not indexed the error will not
|
||||
+ // affect the decoding state.
|
||||
+ return u, nil, ErrStringLength
|
||||
}
|
||||
if uint64(len(p)) < strLen {
|
||||
- return "", p, errNeedMore
|
||||
- }
|
||||
- if !isHuff {
|
||||
- if wantStr {
|
||||
- s = string(p[:strLen])
|
||||
- }
|
||||
- return s, p[strLen:], nil
|
||||
+ return u, p, errNeedMore
|
||||
}
|
||||
+ u.isHuff = isHuff
|
||||
+ u.b = p[:strLen]
|
||||
+ return u, p[strLen:], nil
|
||||
+}
|
||||
|
||||
- if wantStr {
|
||||
- buf := bufPool.Get().(*bytes.Buffer)
|
||||
- buf.Reset() // don't trust others
|
||||
- defer bufPool.Put(buf)
|
||||
- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
|
||||
- buf.Reset()
|
||||
- return "", nil, err
|
||||
- }
|
||||
+type undecodedString struct {
|
||||
+ isHuff bool
|
||||
+ b []byte
|
||||
+}
|
||||
+
|
||||
+func (d *Decoder) decodeString(u undecodedString) (string, error) {
|
||||
+ if !u.isHuff {
|
||||
+ return string(u.b), nil
|
||||
+ }
|
||||
+ buf := bufPool.Get().(*bytes.Buffer)
|
||||
+ buf.Reset() // don't trust others
|
||||
+ var s string
|
||||
+ err := huffmanDecode(buf, d.maxStrLen, u.b)
|
||||
+ if err == nil {
|
||||
s = buf.String()
|
||||
- buf.Reset() // be nice to GC
|
||||
}
|
||||
- return s, p[strLen:], nil
|
||||
+ buf.Reset() // be nice to GC
|
||||
+ bufPool.Put(buf)
|
||||
+ return s, err
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
10
etcd.spec
10
etcd.spec
@ -31,7 +31,7 @@ system.}
|
||||
%global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/*
|
||||
|
||||
Name: etcd
|
||||
Release: 6
|
||||
Release: 7
|
||||
Summary: Distributed reliable key-value store for the most critical data of a distributed system
|
||||
|
||||
# Upstream license specification: Apache-2.0
|
||||
@ -48,6 +48,7 @@ Patch1: 0001-Convert-int-to-string-using-strconv.Itoa.patch
|
||||
Patch2: 0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-set.patch
|
||||
Patch3: 0003-etcd-Add-sw64-architecture.patch
|
||||
Patch4: 0004-fix-CVE-2023-45288.patch
|
||||
Patch5: 0005-fix-CVE-2022-41723.patch
|
||||
|
||||
BuildRequires: golang
|
||||
BuildRequires: python3-devel
|
||||
@ -66,6 +67,7 @@ Requires(pre): shadow-utils
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%ifarch sw_64
|
||||
%patch3 -p1
|
||||
%endif
|
||||
@ -154,6 +156,12 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-7
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2022-41723
|
||||
|
||||
* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-6
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user