!70 Fix CVE-2024-28180
From: @northgarden Reviewed-by: @jianli-97 Signed-off-by: @jianli-97
This commit is contained in:
openeuler-ci-bot
Gitee
commit
c582fe9102
89
0002-fix-CVE-2024-28180.patch
Normal file
89
0002-fix-CVE-2024-28180.patch
Normal file
@ -0,0 +1,89 @@
|
||||
From d1aef6461e6fff7afce01fa6aa832914cb0f26a8 Mon Sep 17 00:00:00 2001
|
||||
From: bwzhang <zhangbowei@kylinos.cn>
|
||||
Date: Thu, 28 Mar 2024 16:30:28 +0800
|
||||
Subject: [PATCH] fix CVE-2024-28180
|
||||
|
||||
---
|
||||
.../github.com/go-jose/go-jose/v3/crypter.go | 6 ++++++
|
||||
.../github.com/go-jose/go-jose/v3/encoding.go | 21 +++++++++++++++----
|
||||
2 files changed, 23 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/vendor/github.com/go-jose/go-jose/v3/crypter.go b/vendor/github.com/go-jose/go-jose/v3/crypter.go
|
||||
index 6901137..34d4e1f 100644
|
||||
--- a/vendor/github.com/go-jose/go-jose/v3/crypter.go
|
||||
+++ b/vendor/github.com/go-jose/go-jose/v3/crypter.go
|
||||
@@ -406,6 +406,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
|
||||
// Decrypt and validate the object and return the plaintext. Note that this
|
||||
// function does not support multi-recipient, if you desire multi-recipient
|
||||
// decryption use DecryptMulti instead.
|
||||
+//
|
||||
+// Automatically decompresses plaintext, but returns an error if the decompressed
|
||||
+// data would be >250kB or >10x the size of the compressed data, whichever is larger.
|
||||
func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
|
||||
headers := obj.mergedHeaders(nil)
|
||||
|
||||
@@ -471,6 +474,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
|
||||
// with support for multiple recipients. It returns the index of the recipient
|
||||
// for which the decryption was successful, the merged headers for that recipient,
|
||||
// and the plaintext.
|
||||
+//
|
||||
+// Automatically decompresses plaintext, but returns an error if the decompressed
|
||||
+// data would be >250kB or >3x the size of the compressed data, whichever is larger.
|
||||
func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
|
||||
globalHeaders := obj.mergedHeaders(nil)
|
||||
|
||||
diff --git a/vendor/github.com/go-jose/go-jose/v3/encoding.go b/vendor/github.com/go-jose/go-jose/v3/encoding.go
|
||||
index 968a424..c378031 100644
|
||||
--- a/vendor/github.com/go-jose/go-jose/v3/encoding.go
|
||||
+++ b/vendor/github.com/go-jose/go-jose/v3/encoding.go
|
||||
@@ -21,6 +21,7 @@ import (
|
||||
"compress/flate"
|
||||
"encoding/base64"
|
||||
"encoding/binary"
|
||||
+ "fmt"
|
||||
"io"
|
||||
"math/big"
|
||||
"strings"
|
||||
@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
|
||||
}
|
||||
}
|
||||
|
||||
-// Compress with DEFLATE
|
||||
+// deflate compresses the input.
|
||||
func deflate(input []byte) ([]byte, error) {
|
||||
output := new(bytes.Buffer)
|
||||
|
||||
@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
|
||||
return output.Bytes(), err
|
||||
}
|
||||
|
||||
-// Decompress with DEFLATE
|
||||
+// inflate decompresses the input.
|
||||
+//
|
||||
+// Errors if the decompressed data would be >250kB or >10x the size of the
|
||||
+// compressed data, whichever is larger
|
||||
func inflate(input []byte) ([]byte, error) {
|
||||
output := new(bytes.Buffer)
|
||||
reader := flate.NewReader(bytes.NewBuffer(input))
|
||||
|
||||
- _, err := io.Copy(output, reader)
|
||||
- if err != nil {
|
||||
+ maxCompressedSize := 10 * int64(len(input))
|
||||
+ if maxCompressedSize < 250000 {
|
||||
+ maxCompressedSize = 250000
|
||||
+ }
|
||||
+
|
||||
+ limit := maxCompressedSize + 1
|
||||
+ n, err := io.CopyN(output, reader, limit)
|
||||
+ if err != nil && err != io.EOF {
|
||||
return nil, err
|
||||
}
|
||||
+ if n == limit {
|
||||
+ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
|
||||
+ }
|
||||
|
||||
err = reader.Close()
|
||||
return output.Bytes(), err
|
||||
--
|
||||
2.20.1
|
||||
|
||||
@ -12,7 +12,7 @@ ExcludeArch: ppc64
|
||||
Name: skopeo
|
||||
Epoch: 1
|
||||
Version: 1.14.2
|
||||
Release: 2
|
||||
Release: 3
|
||||
Summary: Work with remote images registries - retrieving information, images, signing content
|
||||
License: Apache-2.0
|
||||
URL: https://github.com/containers/skopeo
|
||||
@ -20,6 +20,7 @@ Source0: https://github.com/containers/skopeo/archive/refs/tags/v1.14.2.tar.gz
|
||||
Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.tar.gz
|
||||
|
||||
Patch0001: 0001-fix-CVE-2024-24786.patch
|
||||
Patch0002: 0002-fix-CVE-2024-28180.patch
|
||||
|
||||
BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
|
||||
BuildRequires: golang >= 1.19
|
||||
@ -115,6 +116,12 @@ cp -pav systemtest/* %{buildroot}/%{_datadir}/%{name}/test/system/
|
||||
%{_datadir}/%{name}/test
|
||||
|
||||
%changelog
|
||||
* Fri Apr 12 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:1.14.2-3
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2024-28180
|
||||
|
||||
* Fri Apr 12 2024 zhangbowei <zhangbowei@kylinos.cn> - 1:1.14.2-2
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user