fix CVE-2022-3064
This commit is contained in:
bwzhang
parent
85f23959b3
commit
c16b0896fd
129
0004-fix-CVE-2022-3064.patch
Normal file
129
0004-fix-CVE-2022-3064.patch
Normal file
@ -0,0 +1,129 @@
|
||||
From 7f111ea7f83130a91dde47cfc66df5d95771519e Mon Sep 17 00:00:00 2001
|
||||
From: bwzhang <zhangbowei@kylinos.cn>
|
||||
Date: Tue, 30 Apr 2024 09:27:20 +0800
|
||||
Subject: [PATCH] fix CVE-2022-3064
|
||||
|
||||
Add large document benchmarks, tune alias heuristic, add max depth limits
|
||||
@liggitt
|
||||
liggitt committed on Oct 3, 2019
|
||||
---
|
||||
.../vendor/gopkg.in/yaml.v2/decode.go | 38 +++++++++++++++++++
|
||||
.../vendor/gopkg.in/yaml.v2/scannerc.go | 16 ++++++++
|
||||
2 files changed, 54 insertions(+)
|
||||
|
||||
diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/decode.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/decode.go
|
||||
index e4e56e2..5310876 100644
|
||||
--- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/decode.go
|
||||
+++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/decode.go
|
||||
@@ -229,6 +229,10 @@ type decoder struct {
|
||||
mapType reflect.Type
|
||||
terrors []string
|
||||
strict bool
|
||||
+
|
||||
+ decodeCount int
|
||||
+ aliasCount int
|
||||
+ aliasDepth int
|
||||
}
|
||||
|
||||
var (
|
||||
@@ -314,7 +318,39 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
|
||||
return out, false, false
|
||||
}
|
||||
|
||||
+const (
|
||||
+ // 400,000 decode operations is ~500kb of dense object declarations, or ~5kb of dense object declarations with 10000% alias expansion
|
||||
+ alias_ratio_range_low = 400000
|
||||
+ // 4,000,000 decode operations is ~5MB of dense object declarations, or ~4.5MB of dense object declarations with 10% alias expansion
|
||||
+ alias_ratio_range_high = 4000000
|
||||
+ // alias_ratio_range is the range over which we scale allowed alias ratios
|
||||
+ alias_ratio_range = float64(alias_ratio_range_high - alias_ratio_range_low)
|
||||
+)
|
||||
+
|
||||
+func allowedAliasRatio(decodeCount int) float64 {
|
||||
+ switch {
|
||||
+ case decodeCount <= alias_ratio_range_low:
|
||||
+ // allow 99% to come from alias expansion for small-to-medium documents
|
||||
+ return 0.99
|
||||
+ case decodeCount >= alias_ratio_range_high:
|
||||
+ // allow 10% to come from alias expansion for very large documents
|
||||
+ return 0.10
|
||||
+ default:
|
||||
+ // scale smoothly from 99% down to 10% over the range.
|
||||
+ // this maps to 396,000 - 400,000 allowed alias-driven decodes over the range.
|
||||
+ // 400,000 decode operations is ~100MB of allocations in worst-case scenarios (single-item maps).
|
||||
+ return 0.99 - 0.89*(float64(decodeCount-alias_ratio_range_low)/alias_ratio_range)
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
|
||||
+ d.decodeCount++
|
||||
+ if d.aliasDepth > 0 {
|
||||
+ d.aliasCount++
|
||||
+ }
|
||||
+ if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > allowedAliasRatio(d.decodeCount) {
|
||||
+ failf("document contains excessive aliasing")
|
||||
+ }
|
||||
switch n.kind {
|
||||
case documentNode:
|
||||
return d.document(n, out)
|
||||
@@ -353,7 +389,9 @@ func (d *decoder) alias(n *node, out reflect.Value) (good bool) {
|
||||
failf("anchor '%s' value contains itself", n.value)
|
||||
}
|
||||
d.aliases[n] = true
|
||||
+ d.aliasDepth++
|
||||
good = d.unmarshal(n.alias, out)
|
||||
+ d.aliasDepth--
|
||||
delete(d.aliases, n)
|
||||
return good
|
||||
}
|
||||
diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/scannerc.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/scannerc.go
|
||||
index 077fd1d..570b8ec 100644
|
||||
--- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/scannerc.go
|
||||
+++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/gopkg.in/yaml.v2/scannerc.go
|
||||
@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
+// max_flow_level limits the flow_level
|
||||
+const max_flow_level = 10000
|
||||
+
|
||||
// Increase the flow level and resize the simple key list if needed.
|
||||
func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
|
||||
// Reset the simple key on the next level.
|
||||
@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
|
||||
|
||||
// Increase the flow level.
|
||||
parser.flow_level++
|
||||
+ if parser.flow_level > max_flow_level {
|
||||
+ return yaml_parser_set_scanner_error(parser,
|
||||
+ "while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark,
|
||||
+ fmt.Sprintf("exceeded max depth of %d", max_flow_level))
|
||||
+ }
|
||||
return true
|
||||
}
|
||||
|
||||
@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
+// max_indents limits the indents stack size
|
||||
+const max_indents = 10000
|
||||
+
|
||||
// Push the current indentation level to the stack and set the new level
|
||||
// the current column is greater than the indentation level. In this case,
|
||||
// append or insert the specified token into the token queue.
|
||||
@@ -939,6 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml
|
||||
// indentation level.
|
||||
parser.indents = append(parser.indents, parser.indent)
|
||||
parser.indent = column
|
||||
+ if len(parser.indents) > max_indents {
|
||||
+ return yaml_parser_set_scanner_error(parser,
|
||||
+ "while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark,
|
||||
+ fmt.Sprintf("exceeded max depth of %d", max_indents))
|
||||
+ }
|
||||
|
||||
// Create a token and insert it into the queue.
|
||||
token := yaml_token_t{
|
||||
--
|
||||
2.20.1
|
||||
|
||||
10
podman.spec
10
podman.spec
@ -2,7 +2,7 @@
|
||||
|
||||
Name: podman
|
||||
Version: 4.9.4
|
||||
Release: 7
|
||||
Release: 8
|
||||
Summary: A tool for managing OCI containers and pods.
|
||||
Epoch: 1
|
||||
License: Apache-2.0 and MIT
|
||||
@ -16,6 +16,7 @@ Patch0: 0001-podman-4.9.4-add-support-for-loongarch64.patch
|
||||
Patch0001: 0001-fix-CVE-2024-28180.patch
|
||||
Patch0002: 0002-fix-CVE-2023-3978.patch
|
||||
Patch0003: 0003-fix-CVE-2023-48795.patch
|
||||
Patch0004: 0004-fix-CVE-2022-3064.patch
|
||||
|
||||
BuildRequires: gcc golang btrfs-progs-devel glib2-devel glibc-devel glibc-static
|
||||
BuildRequires: gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel
|
||||
@ -119,6 +120,7 @@ sed -i 's;@@PODMAN@@\;$(BINDIR);@@PODMAN@@\;%{_bindir};' Makefile
|
||||
# untar dnsname
|
||||
tar zxf %{SOURCE1}
|
||||
%patch0002 -p1
|
||||
%patch0004 -p1
|
||||
# untar %%{name}-gvproxy
|
||||
tar zxf %{SOURCE2}
|
||||
%patch0003 -p1
|
||||
@ -297,6 +299,12 @@ cp -pav test/system %{buildroot}/%{_datadir}/%{name}/test/
|
||||
%{_bindir}/%{name}sh
|
||||
|
||||
%changelog
|
||||
* Tue Apr 30 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:4.9.4-8
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2022-3064
|
||||
|
||||
* Mon Apr 29 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:4.9.4-7
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user