fix CVE-2022-34038

2024-04-19 11:22:54 +08:00 · 2024-04-19 11:22:54 +08:00 · fe04da5523
commit fe04da5523
parent 63f55ec939
2 changed files with 55 additions and 4 deletions
--- a/0007-fix-CVE-2022-34038.patch
+++ b/0007-fix-CVE-2022-34038.patch
@ -0,0 +1,43 @@
+From 10fdd367a2095806b025c1c54d30886369b3d586 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Fri, 19 Apr 2024 11:11:10 +0800
+Subject: [PATCH] fix CVE-2022-34038
+
+---
+ pkg/ioutil/pagewriter.go | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/pkg/ioutil/pagewriter.go b/pkg/ioutil/pagewriter.go
+index cf9a8dc..4daaa9d 100644
+--- a/pkg/ioutil/pagewriter.go
+++ b/pkg/ioutil/pagewriter.go
+@@ -16,6 +16,7 @@ package ioutil
+ 
+ import (
+ 	"io"
+	"fmt"
+ )
+ 
+ var defaultBufferBytes = 128 * 1024
+@@ -38,9 +39,18 @@ type PageWriter struct {
+ 	bufWatermarkBytes int
+ }
+ 
+// Assert will panic with a given formatted message if the given condition is false.
+func Assert(condition bool, msg string, v int) {
+	if !condition {
+		panic(fmt.Sprintf("assertion failed: "+msg, v))
+	}
+}
+
+ // NewPageWriter creates a new PageWriter. pageBytes is the number of bytes
+ // to write per page. pageOffset is the starting offset of io.Writer.
+ func NewPageWriter(w io.Writer, pageBytes, pageOffset int) *PageWriter {
+	// If pageBytes is 0 or less, it will trigger a panic directly
+	Assert(pageBytes > 0, "pageBytes %d is an invalid value, it must be greater than 0", pageBytes)
+ 	return &PageWriter{
+ 		w:                 w,
+ 		pageOffset:        pageOffset,
+-- 
+2.20.1
+
--- a/etcd.spec
+++ b/etcd.spec
@ -31,7 +31,7 @@ system.}
 %global gosupfiles      integration/fixtures/* etcdserver/api/v2http/testdata/*

 Name:           etcd
-Release:        8
+Release:        9
 Summary:        Distributed reliable key-value store for the most critical data of a distributed system

 # Upstream license specification: Apache-2.0
@ -50,6 +50,7 @@ Patch3:         0003-etcd-Add-sw64-architecture.patch
 Patch4:         0004-fix-CVE-2023-45288.patch
 Patch5:         0005-fix-CVE-2022-41723.patch
 Patch6:         0006-fix-CVE-2023-39325.patch
+Patch7:         0007-fix-CVE-2022-34038.patch

 BuildRequires:  golang
 BuildRequires:  python3-devel
@ -70,6 +71,7 @@ Requires(pre):  shadow-utils
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 %ifarch sw_64
 %patch3 -p1
 %endif
@ -158,19 +160,25 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
 %endif

 %changelog
-* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-8
+* Fri Apr 19 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-9
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-34038
+
+* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-8
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC: fix CVE-2023-39325

-* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-7
+* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-7
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC: fix CVE-2022-41723

-* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-6
+* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-6
 - Type:bugfix
 - CVE:NA
 - SUG:NA