skopeo - Upgrade to v1.14.4, address CVE-2022-2879 (#9531)

Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
2024-06-27 15:35:06 -04:00 · 2024-06-27 15:35:06 -04:00 · 22d661ee15
--- a/SPECS/skopeo/CVE-2022-2879.patch
+++ b/SPECS/skopeo/CVE-2022-2879.patch
@ -0,0 +1,65 @@
+diff -ru skopeo-1.14.4-orig/vendor/github.com/vbatts/tar-split/archive/tar/format.go skopeo-1.14.4/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+--- skopeo-1.14.4-orig/vendor/github.com/vbatts/tar-split/archive/tar/format.go	2024-06-27 14:36:58.955879940 +0000
+++ skopeo-1.14.4/vendor/github.com/vbatts/tar-split/archive/tar/format.go	2024-06-27 14:37:27.387930441 +0000
+@@ -143,6 +143,10 @@
+ 	blockSize  = 512 // Size of each block in a tar stream
+ 	nameSize   = 100 // Max length of the name field in USTAR format
+ 	prefixSize = 155 // Max length of the prefix field in USTAR format
+
+	// Max length of a special file (PAX header, GNU long name or link).
+	// This matches the limit used by libarchive.
+	maxSpecialFileSize = 1 << 20
+ )
+ 
+ // blockPadding computes the number of bytes needed to pad offset up to the
+diff -ru skopeo-1.14.4-orig/vendor/github.com/vbatts/tar-split/archive/tar/reader.go skopeo-1.14.4/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+--- skopeo-1.14.4-orig/vendor/github.com/vbatts/tar-split/archive/tar/reader.go	2024-06-27 14:36:58.955879940 +0000
+++ skopeo-1.14.4/vendor/github.com/vbatts/tar-split/archive/tar/reader.go	2024-06-27 14:44:13.452888975 +0000
+@@ -139,7 +139,7 @@
+ 			continue // This is a meta header affecting the next header
+ 		case TypeGNULongName, TypeGNULongLink:
+ 			format.mayOnlyBe(FormatGNU)
+-			realname, err := io.ReadAll(tr)
+			realname, err := readSpecialFile(tr)
+ 			if err != nil {
+ 				return nil, err
+ 			}
+@@ -333,7 +333,7 @@
+ // parsePAX parses PAX headers.
+ // If an extended header (type 'x') is invalid, ErrHeader is returned
+ func parsePAX(r io.Reader) (map[string]string, error) {
+-	buf, err := io.ReadAll(r)
+	buf, err := readSpecialFile(r)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -844,6 +844,16 @@
+ 	}
+ }
+ 
+// readSpecialFile is like io.ReadAll except it returns
+// ErrFieldTooLong if more than maxSpecialFileSize is read.
+func readSpecialFile(r io.Reader) ([]byte, error) {
+	buf, err := io.ReadAll(io.LimitReader(r, maxSpecialFileSize+1))
+	if len(buf) > maxSpecialFileSize {
+		return nil, ErrFieldTooLong
+	}
+	return buf, err
+}
+
+ func (sr sparseFileReader) LogicalRemaining() int64 {
+ 	return sr.sp[len(sr.sp)-1].endOffset() - sr.pos
+ }
+diff -ru skopeo-1.14.4-orig/vendor/github.com/vbatts/tar-split/archive/tar/writer.go skopeo-1.14.4/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
+--- skopeo-1.14.4-orig/vendor/github.com/vbatts/tar-split/archive/tar/writer.go	2024-06-27 14:36:58.955879940 +0000
+++ skopeo-1.14.4/vendor/github.com/vbatts/tar-split/archive/tar/writer.go	2024-06-27 14:45:26.077061393 +0000
+@@ -199,6 +199,9 @@
+ 			flag = TypeXHeader
+ 		}
+ 		data := buf.String()
+		if len(data) > maxSpecialFileSize {
+			return ErrFieldTooLong
+		}
+ 		if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal {
+ 			return err // Global headers return here
+ 		}
--- a/SPECS/skopeo/skopeo.signatures.json
+++ b/SPECS/skopeo/skopeo.signatures.json
@ -1,5 +1,5 @@
 {
 "Signatures": {
-  "skopeo-1.14.1.tar.gz": "b174ada87751ecd7f8e0e292d163c9b0c4a2172a6ba32e1725ae272c24f7f841"
+  "skopeo-1.14.4.tar.gz": "5523a9b91516a400cbdf6a2df86a06d5cb2313ea8b3102afd7751427e3d8b0b0"
 }
 }
--- a/SPECS/skopeo/skopeo.spec
+++ b/SPECS/skopeo/skopeo.spec
@ -1,6 +1,6 @@
 Summary:        Inspect container images and repositories on registries
 Name:           skopeo
-Version:        1.14.1
+Version:        1.14.4
 Release:        1%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
@ -8,6 +8,8 @@ Distribution:   Azure Linux
 Group:          Applications/Tools
 URL:            https://github.com/containers/skopeo
 Source0:        https://github.com/containers/skopeo/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0:         CVE-2022-2879.patch
+
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
 BuildRequires:  btrfs-progs-devel
@ -24,7 +26,7 @@ Command line utility to inspect images and repositories directly on Docker
 registries without the need to pull them.

 %prep
-%setup -q
+%autosetup -p1

 %build
 tar --no-same-owner -xf %{SOURCE0}
@ -46,6 +48,9 @@ make test-unit-local
 %{_mandir}/man1/%%{name}*

 %changelog
+* Thu Jun 27 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 1.14.4-1
+- Upgrade to v1.14.4, address CVE-2022-2879
+
 * Tue Jan 30 2024 Henry Li <lihl@microsoft.com> - 1.14.1-1
 - Upgrade to v1.14.1

--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -27566,8 +27566,8 @@
        "type": "other",
        "other": {
          "name": "skopeo",
-          "version": "1.14.1",
-          "downloadUrl": "https://github.com/containers/skopeo/archive/refs/tags/v1.14.1.tar.gz"
+          "version": "1.14.4",
+          "downloadUrl": "https://github.com/containers/skopeo/archive/refs/tags/v1.14.4.tar.gz"
        }
      }
    },