!67 Fix CVE-2024-24786
From: @northgarden Reviewed-by: @jianli-97 Signed-off-by: @jianli-97
This commit is contained in:
openeuler-ci-bot
Gitee
commit
4d191886da
59
0001-fix-CVE-2024-24786.patch
Normal file
59
0001-fix-CVE-2024-24786.patch
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
From 171172b7a8a24104415f1d461da7a839dd9933a3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: bwzhang <zhangbowei@kylinos.cn>
|
||||||
|
Date: Mon, 25 Mar 2024 10:47:11 +0800
|
||||||
|
Subject: [PATCH] fix CVE-2024-24786
|
||||||
|
|
||||||
|
encoding/protojson, internal/encoding/json: handle missing object values
|
||||||
|
|
||||||
|
In internal/encoding/json, report an error when encountering a }
|
||||||
|
when we are expecting an object field value. For example, the input
|
||||||
|
now correctly results in an error at the closing } token.
|
||||||
|
|
||||||
|
In encoding/protojson, check for an unexpected EOF token in
|
||||||
|
skipJSONValue. This is redundant with the check in internal/encoding/json,
|
||||||
|
but adds a bit more defense against any other similar bugs that
|
||||||
|
might exist.
|
||||||
|
|
||||||
|
Fixes CVE-2024-24786
|
||||||
|
|
||||||
|
Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
|
||||||
|
Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
|
||||||
|
TryBot-Bypass: Damien Neil <dneil@google.com>
|
||||||
|
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
||||||
|
Commit-Queue: Damien Neil <dneil@google.com>
|
||||||
|
---
|
||||||
|
.../protobuf/encoding/protojson/well_known_types.go | 4 ++++
|
||||||
|
.../protobuf/internal/encoding/json/decode.go | 2 +-
|
||||||
|
2 files changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
|
||||||
|
index 72924a9..d3825ba 100644
|
||||||
|
--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
|
||||||
|
+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
|
||||||
|
@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
|
||||||
|
if err := d.skipJSONValue(); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
+ case json.EOF:
|
||||||
|
+ // This can only happen if there's a bug in Decoder.Read.
|
||||||
|
+ // Avoid an infinite loop if this does happen.
|
||||||
|
+ return errors.New("unexpected EOF")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
|
||||||
|
index b13fd29..b2be4e8 100644
|
||||||
|
--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
|
||||||
|
+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
|
||||||
|
@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
|
||||||
|
|
||||||
|
case ObjectClose:
|
||||||
|
if len(d.openStack) == 0 ||
|
||||||
|
- d.lastToken.kind == comma ||
|
||||||
|
+ d.lastToken.kind&(Name|comma) != 0 ||
|
||||||
|
d.openStack[len(d.openStack)-1] != ObjectOpen {
|
||||||
|
return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
||||||
12
skopeo.spec
12
skopeo.spec
@ -12,13 +12,15 @@ ExcludeArch: ppc64
|
|||||||
Name: skopeo
|
Name: skopeo
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 1.14.2
|
Version: 1.14.2
|
||||||
Release: 1
|
Release: 2
|
||||||
Summary: Work with remote images registries - retrieving information, images, signing content
|
Summary: Work with remote images registries - retrieving information, images, signing content
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
URL: https://github.com/containers/skopeo
|
URL: https://github.com/containers/skopeo
|
||||||
Source0: https://github.com/containers/skopeo/archive/refs/tags/v1.14.2.tar.gz
|
Source0: https://github.com/containers/skopeo/archive/refs/tags/v1.14.2.tar.gz
|
||||||
Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.tar.gz
|
Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.tar.gz
|
||||||
|
|
||||||
|
Patch0001: 0001-fix-CVE-2024-24786.patch
|
||||||
|
|
||||||
BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
|
BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
|
||||||
BuildRequires: golang >= 1.19
|
BuildRequires: golang >= 1.19
|
||||||
BuildRequires: gpgme-devel libassuan-devel btrfs-progs-devel ostree-devel glib2-devel
|
BuildRequires: gpgme-devel libassuan-devel btrfs-progs-devel ostree-devel glib2-devel
|
||||||
@ -48,7 +50,7 @@ Requires: squashfs-tools
|
|||||||
This package contains system tests for %{name}
|
This package contains system tests for %{name}
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -Sgit -n %{name}-%{version}
|
%autosetup -Sgit -n %{name}-%{version} -p1
|
||||||
# The %%install stage should not rebuild anything but only install what's
|
# The %%install stage should not rebuild anything but only install what's
|
||||||
# built in the %%build stage. So, remove any dependency on build targets.
|
# built in the %%build stage. So, remove any dependency on build targets.
|
||||||
sed -i 's/^install-binary: bin\/%{name}.*/install-binary:/' Makefile
|
sed -i 's/^install-binary: bin\/%{name}.*/install-binary:/' Makefile
|
||||||
@ -113,6 +115,12 @@ cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
|
|||||||
%{_datadir}/%{name}/test
|
%{_datadir}/%{name}/test
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 12 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:1.14.2-2
|
||||||
|
- Type:bugfix
|
||||||
|
- CVE:NA
|
||||||
|
- SUG:NA
|
||||||
|
- DESC: fix CVE-2024-24786
|
||||||
|
|
||||||
* Fri Feb 23 2024 lijian <lijian2@kylinos.cn> - 1:1.14.2-1
|
* Fri Feb 23 2024 lijian <lijian2@kylinos.cn> - 1:1.14.2-1
|
||||||
- Upgrade to 1.14.2
|
- Upgrade to 1.14.2
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user