packages/grpc
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!110 [sync] PR-108: fix CVE-2024-11407

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
This commit is contained in:
openeuler-ci-bot 2024-12-06 07:40:55 +00:00 committed by Gitee
commit d3c15b9c24
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 36 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
backport-CVE-2024-11407.patch Normal file
View File

@ -0,0 +1,28 @@
From e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 Mon Sep 17 00:00:00 2001
From: Vignesh Babu <vigneshbabu@google.com>
Date: Thu, 12 Sep 2024 11:13:45 -0700
Subject: [PATCH] [EventEngine] Fix bug in Tx0cp code path in posix endpoint.
This fix ensures that the iov_base pointers point to the right address.
PiperOrigin-RevId: 673923651
Conflict: NA
Reference: https://github.com/grpc/grpc/commit/e9046b2bbebc0cb7f5dc42008f807f6c7e98e791
---
src/core/lib/event_engine/posix_engine/posix_endpoint.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/lib/event_engine/posix_engine/posix_endpoint.cc b/src/core/lib/event_engine/posix_engine/posix_endpoint.cc
index 7634bb1334b81..c5708db02c57a 100644
--- a/src/core/lib/event_engine/posix_engine/posix_endpoint.cc
+++ b/src/core/lib/event_engine/posix_engine/posix_endpoint.cc
@@ -236,7 +236,7 @@ msg_iovlen_type TcpZerocopySendRecord::PopulateIovs(size_t* unwind_slice_idx,
iov_size++) {
MutableSlice& slice = internal::SliceCast<MutableSlice>(
buf_.MutableSliceAt(out_offset_.slice_idx));
- iov[iov_size].iov_base = slice.begin();
+ iov[iov_size].iov_base = slice.begin() + out_offset_.byte_idx;
iov[iov_size].iov_len = slice.length() - out_offset_.byte_idx;
*sending_length += iov[iov_size].iov_len;
++(out_offset_.slice_idx);

9
grpc.spec
View File

@ -4,7 +4,7 @@
Name: grpc Name: grpc
Version: 1.60.0 Version: 1.60.0
Release: 4 Release: 5
Summary: A modern, open source high performance RPC framework that can run in any environment Summary: A modern, open source high performance RPC framework that can run in any environment
License: ASL 2.0 License: ASL 2.0
URL: https://www.grpc.io URL: https://www.grpc.io
@ -16,6 +16,7 @@ Patch0009: remove-cert-expired-on-20230930.patch
Patch0010: backport-Specify-noexcept-for-cdef-functions.patch Patch0010: backport-Specify-noexcept-for-cdef-functions.patch
Patch0011: remove-cert-expired-at-20250512.patch Patch0011: remove-cert-expired-at-20250512.patch
Patch0012: backport-CVE-2024-7246-chttp2-Fix-a-bug-in-hpack-error-handling.patch Patch0012: backport-CVE-2024-7246-chttp2-Fix-a-bug-in-hpack-error-handling.patch
Patch0013: backport-CVE-2024-11407.patch
BuildRequires: gcc-c++ pkgconfig protobuf-devel protobuf-compiler protobuf-lite-devel BuildRequires: gcc-c++ pkgconfig protobuf-devel protobuf-compiler protobuf-lite-devel
BuildRequires: openssl-devel c-ares-devel gtest-devel zlib-devel gperftools-devel BuildRequires: openssl-devel c-ares-devel gtest-devel zlib-devel gperftools-devel
@ -158,6 +159,12 @@ cd ../..
%{python3_sitearch}/grpcio-%{version}-py* %{python3_sitearch}/grpcio-%{version}-py*
%changelog %changelog
* Tue Dec 03 2024 xinghe <xinghe2@h-partners.com> - 1.60.0-5
- Type:CVE
- CVE:CVE-2024-11407
- SUG:NA
- DESC:fix CVE-2024-11407
* Wed Aug 14 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.60.0-4 * Wed Aug 14 2024 zhouyihang <zhouyihang3@h-partners.com> - 1.60.0-4
- Type:CVE - Type:CVE
- CVE:CVE-2024-7246 - CVE:CVE-2024-7246