!120 [sync] PR-118: Batch fix cves through rebuild for openEuler-24.03-LTS-SP1

From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git

0008-fix-CVE-2023-32082.patch

@@ -46,7 +46,7 @@ index 1fa8e4e..dee5c20 100644
 +	return nil, rev
 +}
 +
-+func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
++func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
  	if s.Leader() == s.ID() {
  		// primary; timetolive directly from leader
  		le := s.lessor.Lookup(lease.LeaseID(r.ID))

0009-fix-CVE-2021-28235.patch

@@ -0,0 +1,131 @@
+From 3b6de877f048f3875b48f36a66d10a7156106236 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Wed, 24 Apr 2024 09:28:16 +0800
+Subject: [PATCH] fix CVE-2021-28235
+
+---
+ etcdserver/v3_server.go                |  7 ++++
+ tests/e2e/ctl_v3_auth_security_test.go | 57 ++++++++++++++++++++++++++
+ tests/e2e/ctl_v3_test.go               |  6 +++
+ tests/e2e/util.go                      |  9 ++++
+ 4 files changed, 79 insertions(+)
+ create mode 100644 tests/e2e/ctl_v3_auth_security_test.go
+
+diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
+index dee5c20..6ef9e61 100644
+--- a/etcdserver/v3_server.go
++++ b/etcdserver/v3_server.go
+@@ -431,6 +431,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
+ 
+ 	lg := s.getLogger()
+ 
++	// fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
++	defer func() {
++		if r != nil {
++			r.Password = ""
++		}
++	}()
++
+ 	var resp proto.Message
+ 	for {
+ 		checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password)
+diff --git a/tests/e2e/ctl_v3_auth_security_test.go b/tests/e2e/ctl_v3_auth_security_test.go
+new file mode 100644
+index 0000000..754fa4b
+--- /dev/null
++++ b/tests/e2e/ctl_v3_auth_security_test.go
+@@ -0,0 +1,57 @@
++// Copyright 2023 The etcd Authors
++//
++// Licensed under the Apache License, Version 2.0 (the "License");
++// you may not use this file except in compliance with the License.
++// You may obtain a copy of the License at
++//
++//     http://www.apache.org/licenses/LICENSE-2.0
++//
++// Unless required by applicable law or agreed to in writing, software
++// distributed under the License is distributed on an "AS IS" BASIS,
++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++// See the License for the specific language governing permissions and
++// limitations under the License.
++
++//go:build !cluster_proxy
++
++package e2e
++
++import (
++	"strings"
++	"testing"
++
++	"github.com/stretchr/testify/require"
++
++	"go.etcd.io/etcd/tests/v3/framework/e2e"
++)
++
++// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235
++func TestAuth_CVE_2021_28235(t *testing.T) {
++	testCtl(t, authTest_CVE_2021_28235, withCfg(*e2e.NewConfigNoTLS()), withLogLevel("debug"))
++}
++
++func authTest_CVE_2021_28235(cx ctlCtx) {
++	// create root user with root role
++	rootPass := "changeme123"
++	err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{rootPass})
++	require.NoError(cx.t, err)
++	err = ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil)
++	require.NoError(cx.t, err)
++	err = ctlV3AuthEnable(cx)
++	require.NoError(cx.t, err)
++
++	// issue a put request
++	cx.user, cx.pass = "root", rootPass
++	err = ctlV3Put(cx, "foo", "bar", "")
++	require.NoError(cx.t, err)
++
++	// GET /debug/requests
++	httpEndpoint := cx.epc.Procs[0].EndpointsHTTP()[0]
++	req := e2e.CURLReq{Endpoint: "/debug/requests?fam=grpc.Recv.etcdserverpb.Auth&b=0&exp=1", Timeout: 5}
++	respData, err := curl(httpEndpoint, "GET", req, e2e.ClientNonTLS)
++	require.NoError(cx.t, err)
++
++	if strings.Contains(respData, rootPass) {
++		cx.t.Errorf("The root password is included in the request.\n %s", respData)
++	}
++}
+diff --git a/tests/e2e/ctl_v3_test.go b/tests/e2e/ctl_v3_test.go
+index 04f5a65..74b1838 100644
+--- a/tests/e2e/ctl_v3_test.go
++++ b/tests/e2e/ctl_v3_test.go
+@@ -130,6 +130,12 @@ func withFlagByEnv() ctlOption {
+ 	return func(cx *ctlCtx) { cx.envMap = make(map[string]struct{}) }
+ }
+ 
++func withLogLevel(logLevel string) ctlOption {
++	return func(cx *ctlCtx) {
++		cx.cfg.LogLevel = logLevel
++	}
++}
++
+ func testCtl(t *testing.T, testFunc func(ctlCtx), opts ...ctlOption) {
+ 	defer testutil.AfterTest(t)
+ 
+diff --git a/tests/e2e/util.go b/tests/e2e/util.go
+index ce7289a..3b772c0 100644
+--- a/tests/e2e/util.go
++++ b/tests/e2e/util.go
+@@ -108,3 +108,12 @@ func closeWithTimeout(p *expect.ExpectProcess, d time.Duration) error {
+ func toTLS(s string) string {
+ 	return strings.Replace(s, "http://", "https://", 1)
+ }
++
++func curl(endpoint string, method string, curlReq e2e.CURLReq, connType e2e.ClientConnType) (string, error) {
++	args := e2e.CURLPrefixArgs(endpoint, e2e.ClientConfig{ConnectionType: connType}, false, method, curlReq)
++	lines, err := e2e.RunUtilCompletion(args, nil)
++	if err != nil {
++		return "", err
++	}
++	return strings.Join(lines, "\n"), nil
++}
+-- 
+2.20.1
+

0010-fix-CVE-2021-44716.patch

@@ -0,0 +1,57 @@
+From 6b06b626969f252e520b1b8f8c3cd1f515835484 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Tue, 7 May 2024 09:29:47 +0800
+Subject: [PATCH] fix CVE-2021-44716
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., foo-bar => Foo-Bar). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., content-type), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+---
+ vendor/golang.org/x/net/http2/server.go | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index 5e01ce9..5253650 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -723,7 +723,15 @@ func (sc *serverConn) canonicalHeader(v string) string {
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
++	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++	// entries in the canonHeader cache. This should be larger than the number
++	// of unique, uncommon header keys likely to be sent by the peer, while not
++	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
++	// number of unique header keys.
++	const maxCachedCanonicalHeaders = 32
++	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++		sc.canonHeader[v] = cv
++	}
+ 	return cv
+ }
+ 
+-- 
+2.20.1
+

0011-fix-CVE-2022-3064.patch

@@ -0,0 +1,141 @@
+From 429f477455b84ede9651f79eb15e78a129a660e9 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Thu, 9 May 2024 19:25:53 +0800
+Subject: [PATCH] fix CVE-2022-3064
+
+Improve heuristics preventing CPU/memory abuse (#515)
+This addresses the following items:
+
+==== Parse time of excessively deep nested or indented documents
+
+Parsing these documents is non-linear; limiting stack depth to 10,000 keeps parse times of pathological documents sub-second (~.25 seconds in benchmarks)
+
+==== Alias node expansion limits
+
+The current limit allows 10,000% expansion, which is too permissive for large documents.
+
+Limiting to 10% expansion for larger documents allows callers to use input size as an effective way to limit resource usage. Continuing to allow larger expansion rates (up to the current 10,000% limit) for smaller documents does not unduly affect memory use.
+
+This change bounds decode operations from alias expansion to ~400,000 operations for small documents (worst-case ~100-150MB) or 10% of the input document for large documents, whichever is greater.
+liggitt authored and niemeyer committed on Oct 3, 2019
+---
+ vendor/gopkg.in/yaml.v2/decode.go   | 38 +++++++++++++++++++++++++++++
+ vendor/gopkg.in/yaml.v2/scannerc.go | 16 ++++++++++++
+ 2 files changed, 54 insertions(+)
+
+diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go
+index e4e56e2..5310876 100644
+--- a/vendor/gopkg.in/yaml.v2/decode.go
++++ b/vendor/gopkg.in/yaml.v2/decode.go
+@@ -229,6 +229,10 @@ type decoder struct {
+ 	mapType reflect.Type
+ 	terrors []string
+ 	strict  bool
++
++	decodeCount int
++	aliasCount  int
++	aliasDepth  int
+ }
+ 
+ var (
+@@ -314,7 +318,39 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
+ 	return out, false, false
+ }
+ 
++const (
++	// 400,000 decode operations is ~500kb of dense object declarations, or ~5kb of dense object declarations with 10000% alias expansion
++	alias_ratio_range_low = 400000
++	// 4,000,000 decode operations is ~5MB of dense object declarations, or ~4.5MB of dense object declarations with 10% alias expansion
++	alias_ratio_range_high = 4000000
++	// alias_ratio_range is the range over which we scale allowed alias ratios
++	alias_ratio_range = float64(alias_ratio_range_high - alias_ratio_range_low)
++)
++
++func allowedAliasRatio(decodeCount int) float64 {
++	switch {
++	case decodeCount <= alias_ratio_range_low:
++		// allow 99% to come from alias expansion for small-to-medium documents
++		return 0.99
++	case decodeCount >= alias_ratio_range_high:
++		// allow 10% to come from alias expansion for very large documents
++		return 0.10
++	default:
++		// scale smoothly from 99% down to 10% over the range.
++		// this maps to 396,000 - 400,000 allowed alias-driven decodes over the range.
++		// 400,000 decode operations is ~100MB of allocations in worst-case scenarios (single-item maps).
++		return 0.99 - 0.89*(float64(decodeCount-alias_ratio_range_low)/alias_ratio_range)
++	}
++}
++
+ func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
++	d.decodeCount++
++	if d.aliasDepth > 0 {
++		d.aliasCount++
++	}
++	if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > allowedAliasRatio(d.decodeCount) {
++		failf("document contains excessive aliasing")
++	}
+ 	switch n.kind {
+ 	case documentNode:
+ 		return d.document(n, out)
+@@ -353,7 +389,9 @@ func (d *decoder) alias(n *node, out reflect.Value) (good bool) {
+ 		failf("anchor '%s' value contains itself", n.value)
+ 	}
+ 	d.aliases[n] = true
++	d.aliasDepth++
+ 	good = d.unmarshal(n.alias, out)
++	d.aliasDepth--
+ 	delete(d.aliases, n)
+ 	return good
+ }
+diff --git a/vendor/gopkg.in/yaml.v2/scannerc.go b/vendor/gopkg.in/yaml.v2/scannerc.go
+index 077fd1d..570b8ec 100644
+--- a/vendor/gopkg.in/yaml.v2/scannerc.go
++++ b/vendor/gopkg.in/yaml.v2/scannerc.go
+@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_flow_level limits the flow_level
++const max_flow_level = 10000
++
+ // Increase the flow level and resize the simple key list if needed.
+ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 	// Reset the simple key on the next level.
+@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 
+ 	// Increase the flow level.
+ 	parser.flow_level++
++	if parser.flow_level > max_flow_level {
++		return yaml_parser_set_scanner_error(parser,
++			"while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++			fmt.Sprintf("exceeded max depth of %d", max_flow_level))
++	}
+ 	return true
+ }
+ 
+@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_indents limits the indents stack size
++const max_indents = 10000
++
+ // Push the current indentation level to the stack and set the new level
+ // the current column is greater than the indentation level.  In this case,
+ // append or insert the specified token into the token queue.
+@@ -939,6 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml
+ 		// indentation level.
+ 		parser.indents = append(parser.indents, parser.indent)
+ 		parser.indent = column
++		if len(parser.indents) > max_indents {
++			return yaml_parser_set_scanner_error(parser,
++				"while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++				fmt.Sprintf("exceeded max depth of %d", max_indents))
++		}
+ 
+ 		// Create a token and insert it into the queue.
+ 		token := yaml_token_t{
+-- 
+2.20.1
+

etcd.spec

@@ -31,7 +31,7 @@ system.}
 %global gosupfiles      integration/fixtures/* etcdserver/api/v2http/testdata/*
 
 Name:           etcd
-Release:        11
+Release:        16
 Summary:        Distributed reliable key-value store for the most critical data of a distributed system
 
 # Upstream license specification: Apache-2.0
@@ -52,6 +52,9 @@ Patch5:         0005-fix-CVE-2022-41723.patch
 Patch6:         0006-fix-CVE-2023-39325.patch
 Patch7:         0007-fix-CVE-2022-34038.patch
 Patch8:         0008-fix-CVE-2023-32082.patch
+Patch9:         0009-fix-CVE-2021-28235.patch
+Patch10:        0010-fix-CVE-2021-44716.patch
+Patch11:        0011-fix-CVE-2022-3064.patch
 
 BuildRequires:  golang
 BuildRequires:  python3-devel
@@ -73,6 +76,10 @@ Requires(pre):  shadow-utils
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
 %ifarch sw_64
 %patch3 -p1
 %endif
@@ -161,6 +168,37 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
 %endif
 
 %changelog
+* Thu Feb 20 2025 lvxiangcong <lvxiangcong@kylinos.cn> - 3.4.14-16
+- Type:CVES
+- ID:CVE-2024-24791 CVE-2023-45288 CVE-2024-24783 CVE-2024-24785 CVE-2023-45290
+     CVE-2023-39326
+- SUG:NA
+- DESC:Batch fix cves through rebuild 
+
+* Tue Feb 11 2025 lvxiangcong<lvxiangcong@kylinos.cn> - 3.4.14-15
+- Type: CVE
+- ID:CVE-2024-9355 
+- SUG:NA
+- DESC: fix cve CVE-2024-9355 through rebuild 
+
+* Thu May 09 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-14
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-3064
+
+* Tue May 07 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-13
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2021-44716
+
+* Wed Apr 24 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-12
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2021-28235
+
 * Tue Apr 23 2024 laokz <zhangkai@iscas.ac.cn> - 3.4.14-11
 - Type:bugfix
 - CVE:NA