From 1962b7c97153f1b66010ed172a583c18f3c44637 Mon Sep 17 00:00:00 2001
From: Muhammad Falak R Wani
Date: Fri, 6 Sep 2024 12:45:43 +0530
Subject: [PATCH] cni: address CVE-2022-32149

Signed-off-by: Muhammad Falak R Wani
---
 SPECS/cni/CVE-2022-32149.patch | 65 ++++++++++++++++++++++++++++++++++
 SPECS/cni/cni.spec | 6 +++-
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/cni/CVE-2022-32149.patch

diff --git a/SPECS/cni/CVE-2022-32149.patch b/SPECS/cni/CVE-2022-32149.patch
new file mode 100644
index 0000000000..7938e0831b
--- /dev/null
+++ b/SPECS/cni/CVE-2022-32149.patch
@@ -0,0 +1,65 @@
+From a47ab91255e04dda4ca0d734afef58216c7479a2 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Fri, 2 Sep 2022 09:35:37 -0700
+Subject: [PATCH] language: reject excessively large Accept-Language strings
+
+Backported to apply on vendor direcotry by @mfrw
+
+The BCP 47 tag parser has quadratic time complexity due to inherent
+aspects of its design. Since the parser is, by design, exposed to
+untrusted user input, this can be leveraged to force a program to
+consume significant time parsing Accept-Language headers.
+
+The parser cannot be easily rewritten to fix this behavior for
+various reasons. Instead the solution implemented in this CL is to
+limit the total complexity of tags passed into ParseAcceptLanguage
+by limiting the number of dashes in the string to 1000. This should
+be more than enough for the majority of real world use cases, where
+the number of tags being sent is likely to be in the single digits.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to Adam
+Korczynski (ADA Logics) for writing the fuzz case and for reporting the
+issue.
+
+Fixes CVE-2022-32149
+Fixes golang/go#56152
+
+Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
+Reviewed-by: Damien Neil
+Reviewed-by: Tatiana Bradley
+Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
+TryBot-Result: Gopher Robot
+Auto-Submit: Roland Shoemaker
+Run-TryBot: Roland Shoemaker
+Signed-off-by: Muhammad Falak R Wani
+---
+ vendor/golang.org/x/text/language/parse.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
+index 59b0410..b982d9e 100644
+--- a/vendor/golang.org/x/text/language/parse.go
++++ b/vendor/golang.org/x/text/language/parse.go
+@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
+ }
+ 
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+ 
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
+ }
+ }()
+ 
++ if strings.Count(s, "-") > 1000 {
++ return nil, nil, errTagListTooLarge
++ }
++
+ var entry string
+ for s != "" {
+ if entry, s = split(s, ','); entry == "" {
+--
+2.40.1
+
diff --git a/SPECS/cni/cni.spec b/SPECS/cni/cni.spec
index d633f0cb3a..9b217f2b44 100644
--- a/SPECS/cni/cni.spec
+++ b/SPECS/cni/cni.spec
@@ -24,7 +24,7 @@ Summary: Container Network Interface - networking for Linux containers
 Name: cni
 Version: 1.1.2
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
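Review bot: The guard added by the inner hunk at `+@@ -164,6 +165,10 @@` (`++ if strings.Count(s, "-") > 1000 {`) gives ParseAcceptLanguage a new rejection path, but the doc comment that the first inner hunk leaves untouched (`+ // ParseAcceptLanguage parses the contents of an Accept-Language header as ...`) still describes only the Tags and weights it returns, so a caller has no documented reason why a header that used to parse now fails. Since the backport already edits that file, adding `// Inputs containing more than 1000 '-' characters are rejected up front with an error, bounding the parser's quadratic worst case.` to that comment would close the gap, and naming the 1000 as a constant next to errTagListTooLarge would make the bound easier to find. Because only the vendored source is patched, the x/text version recorded in go.mod and vendor/modules.txt presumably still identifies the vulnerable release, so version-based scanners such as govulncheck will likely keep reporting CVE-2022-32149 against the built binary; recording the backport where such findings are triaged (for instance a comment beside the Patch1 line in cni.spec) avoids a false re-open. The ParseAcceptLanguage body continues past the end of the inner hunk.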
@@ -49,6 +49,7 @@ Source2: build.sh
 # Source3: %{name}-%{version}-vendor.tar.gz
 Patch0: CVE-2021-38561.patch
+Patch1: CVE-2022-32149.patch
 BuildRequires: golang
 BuildRequires: systemd-rpm-macros
 BuildRequires: xz
@@ -114,6 +115,9 @@ install -m 755 -d "%{buildroot}%{cni_doc_dir}"
 %{_sbindir}/cnitool
 %changelog
+* Fri Sep 06 2024 Muhammad Falak R Wani - 1.1.2-3
+- Patch CVE-2022-32149
+
 * Tue Jul 02 2024 Osama Esmail - 1.1.2-2
 - Patching CVE-2021-38561