[AUTO-CHERRYPICK] Patched CVE-2024-37890, CVE-2023-42282, and CVE-2017-18214 in `reaper`. - branch main (#9807)
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
This commit is contained in:
CBL-Mariner-Bot
GitHub
Родитель
055ff1c664
Коммит
35e1eed14f
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
|
|
@ -0,0 +1,117 @@
|
|||
From: Pawel Winogrodzki <pawelwi@microsoft.com>
|
||||
Date: Tue, 9 Jul 2024 21:55:46 +0000
|
||||
Subject: Patching CVE-2023-42282.
|
||||
|
||||
Backported upstream patch:
|
||||
https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894?diff=split&w=0
|
||||
---
|
||||
lib/ip.js | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++---
|
||||
1 file changed, 73 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js b/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js
|
||||
index c1799a8..a0c920f 100644
|
||||
--- a/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js
|
||||
+++ b/tmp_local/n/versions/node/14.18.0/lib/node_modules/npm/node_modules/ip/lib/ip.js
|
||||
@@ -300,12 +300,26 @@ ip.isEqual = function(a, b) {
|
||||
};
|
||||
|
||||
ip.isPrivate = function(addr) {
|
||||
- return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i
|
||||
- .test(addr) ||
|
||||
+ // check loopback addresses first
|
||||
+ if (ip.isLoopback(addr)) {
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
+ // ensure the ipv4 address is valid
|
||||
+ if (!ip.isV6Format(addr)) {
|
||||
+ const ipl = ip.normalizeToLong(addr);
|
||||
+ if (ipl < 0) {
|
||||
+ throw new Error('invalid ipv4 address');
|
||||
+ }
|
||||
+ // normalize the address for the private range checks that follow
|
||||
+ addr = ip.fromLong(ipl);
|
||||
+ }
|
||||
+
|
||||
+ // check private ranges
|
||||
+ return /^(::f{4}:)?10\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) ||
|
||||
/^(::f{4}:)?192\.168\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) ||
|
||||
/^(::f{4}:)?172\.(1[6-9]|2\d|30|31)\.([0-9]{1,3})\.([0-9]{1,3})$/i
|
||||
.test(addr) ||
|
||||
- /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) ||
|
||||
/^(::f{4}:)?169\.254\.([0-9]{1,3})\.([0-9]{1,3})$/i.test(addr) ||
|
||||
/^f[cd][0-9a-f]{2}:/i.test(addr) ||
|
||||
/^fe80:/i.test(addr) ||
|
||||
@@ -318,9 +332,16 @@ ip.isPublic = function(addr) {
|
||||
};
|
||||
|
||||
ip.isLoopback = function(addr) {
|
||||
+ // If addr is an IPv4 address in long integer form (no dots and no colons), convert it
|
||||
+ if (!/\./.test(addr) && !/:/.test(addr)) {
|
||||
+ addr = ip.fromLong(Number(addr));
|
||||
+ }
|
||||
+
|
||||
return /^(::f{4}:)?127\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})/
|
||||
.test(addr) ||
|
||||
- /^fe80::1$/.test(addr) ||
|
||||
+ /^0177\./.test(addr) ||
|
||||
+ /^0x7f\./i.test(addr) ||
|
||||
+ /^fe80::1$/i.test(addr) ||
|
||||
/^::1$/.test(addr) ||
|
||||
/^::$/.test(addr);
|
||||
};
|
||||
@@ -414,3 +435,51 @@ ip.fromLong = function(ipl) {
|
||||
(ipl >> 8 & 255) + '.' +
|
||||
(ipl & 255) );
|
||||
};
|
||||
+
|
||||
+ip.normalizeToLong = function (addr) {
|
||||
+ const parts = addr.split('.').map(part => {
|
||||
+ // Handle hexadecimal format
|
||||
+ if (part.startsWith('0x') || part.startsWith('0X')) {
|
||||
+ return parseInt(part, 16);
|
||||
+ }
|
||||
+ // Handle octal format (strictly digits 0-7 after a leading zero)
|
||||
+ else if (part.startsWith('0') && part !== '0' && /^[0-7]+$/.test(part)) {
|
||||
+ return parseInt(part, 8);
|
||||
+ }
|
||||
+ // Handle decimal format, reject invalid leading zeros
|
||||
+ else if (/^[1-9]\d*$/.test(part) || part === '0') {
|
||||
+ return parseInt(part, 10);
|
||||
+ }
|
||||
+ // Return NaN for invalid formats to indicate parsing failure
|
||||
+ else {
|
||||
+ return NaN;
|
||||
+ }
|
||||
+ });
|
||||
+
|
||||
+ if (parts.some(isNaN)) return -1; // Indicate error with -1
|
||||
+
|
||||
+ let val = 0;
|
||||
+ const n = parts.length;
|
||||
+
|
||||
+ switch (n) {
|
||||
+ case 1:
|
||||
+ val = parts[0];
|
||||
+ break;
|
||||
+ case 2:
|
||||
+ if (parts[0] > 0xff || parts[1] > 0xffffff) return -1;
|
||||
+ val = (parts[0] << 24) | (parts[1] & 0xffffff);
|
||||
+ break;
|
||||
+ case 3:
|
||||
+ if (parts[0] > 0xff || parts[1] > 0xff || parts[2] > 0xffff) return -1;
|
||||
+ val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] & 0xffff);
|
||||
+ break;
|
||||
+ case 4:
|
||||
+ if (parts.some(part => part > 0xff)) return -1;
|
||||
+ val = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3];
|
||||
+ break;
|
||||
+ default:
|
||||
+ return -1; // Error case
|
||||
+ }
|
||||
+
|
||||
+ return val >>> 0;
|
||||
+};
|
||||
--
|
||||
2.39.4
|
||||
|
||||
|
|
@ -0,0 +1,34 @@
|
|||
From 355a396ccce875ea012a4ea8e6ab283bb575ba5b Mon Sep 17 00:00:00 2001
|
||||
From: ABC <abc>
|
||||
Date: Tue, 9 Jul 2024 16:48:16 +0000
|
||||
Subject: [PATCH] Patching CVE-2024-37890.
|
||||
|
||||
Applying the patch for the 6.x versions from:
|
||||
https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
|
||||
---
|
||||
src/ui/node_modules/ws/lib/websocket-server.js | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/ui/node_modules/ws/lib/websocket-server.js b/src/ui/node_modules/ws/lib/websocket-server.js
|
||||
index db02f4d0..b74eb1cf 100644
|
||||
--- a/src/ui/node_modules/ws/lib/websocket-server.js
|
||||
+++ b/src/ui/node_modules/ws/lib/websocket-server.js
|
||||
@@ -186,12 +186,14 @@ class WebSocketServer extends EventEmitter {
|
||||
req.headers['sec-websocket-key'] !== undefined
|
||||
? req.headers['sec-websocket-key'].trim()
|
||||
: false;
|
||||
+ const upgrade = req.headers.upgrade;
|
||||
const version = +req.headers['sec-websocket-version'];
|
||||
const extensions = {};
|
||||
|
||||
if (
|
||||
req.method !== 'GET' ||
|
||||
- req.headers.upgrade.toLowerCase() !== 'websocket' ||
|
||||
+ upgrade === undefined ||
|
||||
+ upgrade.toLowerCase() !== 'websocket' ||
|
||||
!key ||
|
||||
!keyRegex.test(key) ||
|
||||
(version !== 8 && version !== 13) ||
|
||||
--
|
||||
2.39.4
|
||||
|
||||
|
|
@ -1,12 +1,10 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"cassandra-reaper-3.1.1.tar.gz": "6efe52195ad4a3c3b7a6f928bafa60d3df011709d9bc918e717033bf86d724d8",
|
||||
"reaper-bower-cache-3.1.1.tar.gz": "a8532fe1d28f6d2c99a5e0d08b17b85465617931d49c7d27450ed328e59c0b08",
|
||||
"reaper-bower-components-3.1.1-1.tar.gz": "51f5b03b3f56966f5fbfe28a13e0a74003cf33372ff4ba13fd82c6fe79092033",
|
||||
"reaper-local-lib-node-modules-3.1.1.tar.gz": "8daf9a8726a85ca31b024a5bab60a357fe927f670908955cdd9b106bf9c6bd60",
|
||||
"reaper-local-n-3.1.1-1.tar.gz": "e60ecf1c982c8cd44b35da02aec6de5b1f8f0df562f290f9bb905d03f9eefa68",
|
||||
"reaper-m2-cache-3.1.1.tar.gz": "14103df496c6bfd1bf2690b45e6082e3411872f7332f03a68cf5d8e28fc6b27f",
|
||||
"reaper-npm-cache-3.1.1.tar.gz": "1fd8fd9438ef682cccceaaf49d0e65ec50eb7145c20f27253a3521c731e79585",
|
||||
"reaper-srcui-node-modules-3.1.1-1.tar.gz": "edd67243e97838657e09513f639a8e7c81fbb813353a19eba3949f79fb9e3e9e"
|
||||
}
|
||||
}
|
||||
|
|
@ -3,48 +3,45 @@
|
|||
%define local_n_release 1
|
||||
%define local_srcui_release 1
|
||||
|
||||
%define srcdir cassandra-%{name}-%{version}
|
||||
%define bower_components reaper-bower-components-%{version}-%{local_srcui_release}.tar.gz
|
||||
%define srcui_node_modules reaper-srcui-node-modules-%{version}-%{local_srcui_release}.tar.gz
|
||||
%define bower_cache reaper-bower-cache-%{version}.tar.gz
|
||||
%define maven_cache reaper-m2-cache-%{version}.tar.gz
|
||||
%define npm_cache reaper-npm-cache-%{version}.tar.gz
|
||||
%define local_lib_node_modules reaper-local-lib-node-modules-%{version}.tar.gz
|
||||
%define local_n reaper-local-n-%{version}-%{local_n_release}.tar.gz
|
||||
|
||||
Summary: Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
|
||||
Name: reaper
|
||||
Version: 3.1.1
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
License: ASL 2.0
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
Group: Applications/System
|
||||
URL: https://cassandra-reaper.io/
|
||||
Source0: https://github.com/thelastpickle/cassandra-reaper/archive/refs/tags/%{version}.tar.gz#/cassandra-reaper-%{version}.tar.gz
|
||||
# Building reaper from sources downloads artifacts related to maven/node/etc. These artifacts need to be downloaded as caches in order to build reaper using maven in offline mode.
|
||||
# Building reaper from sources downloads artifacts related to maven/node/etc.
|
||||
# These artifacts need to be downloaded as caches in order to build reaper using maven in offline mode.
|
||||
# Below is the list of cached sources.
|
||||
# bower-components downloaded under src/ui
|
||||
# NOTE: USE "reaper_build_caches.sh" TO RE-GENERATE BUILD CACHES.
|
||||
Source1: %{bower_components}
|
||||
Source1: reaper-bower-components-%{version}-%{local_srcui_release}.tar.gz
|
||||
# node_modules downloaded under src/ui
|
||||
Source2: %{srcui_node_modules}
|
||||
# bower cache
|
||||
Source3: %{bower_cache}
|
||||
Source2: reaper-srcui-node-modules-%{version}-%{local_srcui_release}.tar.gz
|
||||
# m2 cache
|
||||
Source4: %{maven_cache}
|
||||
# npm cache
|
||||
Source5: %{npm_cache}
|
||||
Source4: reaper-m2-cache-%{version}.tar.gz
|
||||
# node_modules downloaded to /usr/local/lib
|
||||
Source6: %{local_lib_node_modules}
|
||||
Source6: reaper-local-lib-node-modules-%{version}.tar.gz
|
||||
# v14.18.0 node binary under /usr/local
|
||||
Source7: %{local_n}
|
||||
Source7: reaper-local-n-%{version}-%{local_n_release}.tar.gz
|
||||
# Patches the src/ui/node_modules/ws/lib/websocket-server.js file, which comes
|
||||
# from the "reaper-srcui-node-modules*" tarball.
|
||||
# The src/ui/node_modules/ws/package.json file suggest we're on the
|
||||
# 6.x version of "ws". Patch for this version taken from here:
|
||||
# https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
|
||||
Patch0: CVE-2024-37890.patch
|
||||
Patch1: CVE-2023-42282.patch
|
||||
Patch2: CVE-2017-18214.patch
|
||||
BuildRequires: git
|
||||
BuildRequires: javapackages-tools
|
||||
BuildRequires: maven
|
||||
BuildRequires: msopenjdk-11
|
||||
BuildRequires: nodejs
|
||||
BuildRequires: python3
|
||||
BuildRequires: rsync
|
||||
BuildRequires: systemd-rpm-macros
|
||||
BuildRequires: openssl-devel
|
||||
Requires: msopenjdk-11
|
||||
|
|
@ -58,22 +55,15 @@ ExclusiveArch: x86_64
|
|||
Cassandra reaper is an open source tool that aims to schedule and orchestrate repairs of Apache Cassandra clusters.
|
||||
|
||||
%prep
|
||||
%setup -q -n %{srcdir}
|
||||
%autosetup -N -n cassandra-%{name}-%{version}
|
||||
|
||||
%build
|
||||
export JAVA_HOME="%{_libdir}/jvm/msopenjdk-11"
|
||||
export LD_LIBRARY_PATH="%{_libdir}/jvm/msopenjdk-11/lib/jli"
|
||||
echo "Installing bower_components and npm_modules caches."
|
||||
for source in "%{SOURCE1}" "%{SOURCE2}"; do
|
||||
tar -C src/ui -xf "$source"
|
||||
done
|
||||
|
||||
pushd "$HOME"
|
||||
echo "Installing bower cache."
|
||||
tar xf %{SOURCE3}
|
||||
|
||||
echo "Installing m2 cache."
|
||||
tar xf %{SOURCE4}
|
||||
|
||||
echo "Installing npm cache"
|
||||
tar xf %{SOURCE5}
|
||||
popd
|
||||
echo "Installing the m2 cache."
|
||||
tar -C "$HOME" -xf "%{SOURCE4}"
|
||||
|
||||
# Reaper build fails when trying to install node-sass@4.9.0/node-gyp@3.8.0 and build node native addons using mariner default node@16.14.2/npm@8.5.0.
|
||||
# ERROR:
|
||||
|
|
@ -82,33 +72,35 @@ popd
|
|||
# There is no way to remove node-sass dependency from builds, hence we need to install local node/npm and caches to be able to build reaper.
|
||||
# NOTE: This issue was also faced on Fedora Fc37 when trying to build reaper.
|
||||
# NOTE: node-sass seems to be deprecated, the spec and build process will be modified once reaper removes its dependencies as well.
|
||||
pushd %{_prefix}/local
|
||||
|
||||
# Extracting to intermediate folder to apply patch.
|
||||
tmp_local_dir=tmp_local
|
||||
mkdir -p $tmp_local_dir/{bin,lib}
|
||||
pushd $tmp_local_dir
|
||||
echo "Installing node_modules"
|
||||
tar xf %{SOURCE6} -C ./lib/
|
||||
tar -C ./lib/ -xf %{SOURCE6}
|
||||
|
||||
echo "Installing n version 14.18.0"
|
||||
tar xf %{SOURCE7}
|
||||
tar -xf %{SOURCE7}
|
||||
|
||||
echo "Creating symlinks under local/bin"
|
||||
cd ./bin
|
||||
ln -sf ../lib/node_modules/bower/bin/bower bower
|
||||
ln -sf ../lib/node_modules/npm/bin/npm-cli.js npm
|
||||
ln -sf ../lib/node_modules/npm/bin/npx-cli.js npx
|
||||
ln -sf ../lib/node_modules/bower/bin/bower bin/bower
|
||||
ln -sf ../lib/node_modules/npm/bin/npm-cli.js bin/npm
|
||||
ln -sf ../lib/node_modules/npm/bin/npx-cli.js bin/npx
|
||||
|
||||
cp ../n/versions/node/14.18.0/bin/node .
|
||||
cp n/versions/node/14.18.0/bin/node bin
|
||||
|
||||
ls -al
|
||||
popd
|
||||
|
||||
cd %{_builddir}/%{srcdir}
|
||||
echo "Installing src caches"
|
||||
pushd ./src/ui
|
||||
echo "Installing bower_components"
|
||||
tar xf %{SOURCE1}
|
||||
%autopatch -p1
|
||||
|
||||
echo "Installing npm_modules"
|
||||
tar fx %{SOURCE2}
|
||||
popd
|
||||
rsync -azvhr $tmp_local_dir/ "%{_prefix}/local"
|
||||
rm -rf $tmp_local_dir
|
||||
|
||||
%build
|
||||
export JAVA_HOME="%{_libdir}/jvm/msopenjdk-11"
|
||||
export LD_LIBRARY_PATH="%{_libdir}/jvm/msopenjdk-11/lib/jli"
|
||||
|
||||
# Building using maven in offline mode.
|
||||
mvn -DskipTests package -o
|
||||
|
|
@ -122,7 +114,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/cassandra-%{name}/configs
|
|||
mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
|
||||
mkdir -p %{buildroot}%{_unitdir}
|
||||
mkdir -p %{buildroot}%{_datadir}/licenses/%{name}
|
||||
cd %{_builddir}/%{srcdir}/src/packaging
|
||||
|
||||
pushd src/packaging
|
||||
|
||||
cp resource/cassandra-reaper.yaml %{buildroot}%{_sysconfdir}/cassandra-%{name}/
|
||||
cp resource/cassandra-reaper*.yaml %{buildroot}%{_sysconfdir}/cassandra-%{name}/configs
|
||||
|
|
@ -139,7 +132,7 @@ cp debian/cassandra-%{name}.new.service %{buildroot}/%{_unitdir}/cassandra-%{nam
|
|||
chmod 0644 %{buildroot}/%{_unitdir}/cassandra-%{name}.service
|
||||
chmod 7555 %{buildroot}%{_sysconfdir}/init.d/cassandra-%{name}
|
||||
|
||||
cp %{_builddir}/%{srcdir}/LICENSE.txt %{buildroot}%{_datadir}/licenses/%{name}
|
||||
popd
|
||||
|
||||
%pre
|
||||
getent group reaper > /dev/null || groupadd -r reaper
|
||||
|
|
@ -178,6 +171,9 @@ fi
|
|||
%{_unitdir}/cassandra-%{name}.service
|
||||
|
||||
%changelog
|
||||
* Tue Jul 09 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 3.1.1-10
|
||||
- Patching CVE-2024-37890, CVE-2023-42282, and CVE-2017-18214.
|
||||
|
||||
* Thu May 23 2024 Archana Choudhary <archana1@microsoft.com> - 3.1.1-9
|
||||
- Repackage and update src/ui node modules and bower components to 3.1.1-1
|
||||
- Address CVE-2024-4068 by upgrading the version of the npm module "braces" to 3.0.3
|
||||
|
|
|
|||
|
|
@ -24,9 +24,7 @@ SOURCE_URL="https://github.com/thelastpickle/cassandra-reaper/archive/refs/tags/
|
|||
# Build cache names
|
||||
BOWER_COMPONENTS="reaper-bower-components-${VERSION}.tar.gz"
|
||||
SRC_UI_NODE_MODULES="reaper-srcui-node-modules-${VERSION}.tar.gz"
|
||||
BOWER_CACHE="reaper-bower-cache-${VERSION}.tar.gz"
|
||||
MAVEN_CACHE="reaper-m2-cache-${VERSION}.tar.gz"
|
||||
NPM_CACHE="reaper-npm-cache-${VERSION}.tar.gz"
|
||||
LOCAL_LIB_NODE_MODULES="reaper-local-lib-node-modules-${VERSION}.tar.gz"
|
||||
LOCAL_N="reaper-local-n-${VERSION}.tar.gz"
|
||||
|
||||
|
|
@ -103,17 +101,10 @@ function buildReaperSources {
|
|||
function createCacheTars {
|
||||
echo "Creating build caches."
|
||||
pushd ${homeCacheDir}
|
||||
echo "creating bower_cache tar..."
|
||||
tar -cf ${BOWER_CACHE} .cache
|
||||
mv ${BOWER_CACHE} ${reaperCacheDir}
|
||||
|
||||
echo "creating maven_cache tar..."
|
||||
tar -cf ${MAVEN_CACHE} .m2
|
||||
mv ${MAVEN_CACHE} ${reaperCacheDir}
|
||||
|
||||
echo "creating npm_cache tar..."
|
||||
tar -cf ${NPM_CACHE} .npm
|
||||
mv ${NPM_CACHE} ${reaperCacheDir}
|
||||
popd
|
||||
|
||||
pushd ${tempDir}/cassandra-reaper-${VERSION}/src/ui
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче