moby-engine - Address CVE-2022-2879 (#9515)

Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>

SPECS/moby-engine/CVE-2022-2879.patch

@@ -0,0 +1,67 @@
+backport of https://go-review.googlesource.com/c/go/+/439355
+
+diff -ru moby-25.0.3-orig/vendor/github.com/vbatts/tar-split/archive/tar/format.go moby-25.0.3/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+--- moby-25.0.3-orig/vendor/github.com/vbatts/tar-split/archive/tar/format.go	2024-06-25 20:24:50.140546435 +0000
++++ moby-25.0.3/vendor/github.com/vbatts/tar-split/archive/tar/format.go	2024-06-25 20:29:46.781983752 +0000
+@@ -143,6 +143,10 @@
+ 	blockSize  = 512 // Size of each block in a tar stream
+ 	nameSize   = 100 // Max length of the name field in USTAR format
+ 	prefixSize = 155 // Max length of the prefix field in USTAR format
++
++	// Max length of a special file (PAX header, GNU long name or link).
++	// This matches the limit used by libarchive.
++	maxSpecialFileSize = 1 << 20
+ )
+ 
+ // blockPadding computes the number of bytes needed to pad offset up to the
+diff -ru moby-25.0.3-orig/vendor/github.com/vbatts/tar-split/archive/tar/reader.go moby-25.0.3/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+--- moby-25.0.3-orig/vendor/github.com/vbatts/tar-split/archive/tar/reader.go	2024-06-25 20:24:50.140546435 +0000
++++ moby-25.0.3/vendor/github.com/vbatts/tar-split/archive/tar/reader.go	2024-06-25 20:40:39.127243087 +0000
+@@ -139,7 +139,7 @@
+ 			continue // This is a meta header affecting the next header
+ 		case TypeGNULongName, TypeGNULongLink:
+ 			format.mayOnlyBe(FormatGNU)
+-			realname, err := io.ReadAll(tr)
++			realname, err := readSpecialFile(tr)
+ 			if err != nil {
+ 				return nil, err
+ 			}
+@@ -333,7 +333,7 @@
+ // parsePAX parses PAX headers.
+ // If an extended header (type 'x') is invalid, ErrHeader is returned
+ func parsePAX(r io.Reader) (map[string]string, error) {
+-	buf, err := io.ReadAll(r)
++	buf, err := readSpecialFile(r)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -844,6 +844,16 @@
+ 	}
+ }
+ 
++// readSpecialFile is like io.ReadAll except it returns
++// ErrFieldTooLong if more than maxSpecialFileSize is read.
++func readSpecialFile(r io.Reader) ([]byte, error) {
++	buf, err := io.ReadAll(io.LimitReader(r, maxSpecialFileSize+1))
++	if len(buf) > maxSpecialFileSize {
++		return nil, ErrFieldTooLong
++	}
++	return buf, err
++}
++
+ func (sr sparseFileReader) LogicalRemaining() int64 {
+ 	return sr.sp[len(sr.sp)-1].endOffset() - sr.pos
+ }
+diff -ru moby-25.0.3-orig/vendor/github.com/vbatts/tar-split/archive/tar/writer.go moby-25.0.3/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
+--- moby-25.0.3-orig/vendor/github.com/vbatts/tar-split/archive/tar/writer.go	2024-06-25 20:24:50.140546435 +0000
++++ moby-25.0.3/vendor/github.com/vbatts/tar-split/archive/tar/writer.go	2024-06-25 20:33:09.754491550 +0000
+@@ -199,6 +199,9 @@
+ 			flag = TypeXHeader
+ 		}
+ 		data := buf.String()
++		if len(data) > maxSpecialFileSize {
++			return ErrFieldTooLong
++		}
+ 		if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal {
+ 			return err // Global headers return here
+ 		}

SPECS/moby-engine/moby-engine.spec

@@ -3,7 +3,7 @@
 Summary: The open-source application container engine
 Name:    moby-engine
 Version: 25.0.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0
 Group:   Tools/Container
 URL: https://mobyproject.org
@@ -15,6 +15,8 @@ Source1: docker.service
 Source2: docker.socket
 Source3: daemon.json
 
+Patch0:  CVE-2022-2879.patch
+
 %{?systemd_requires}
 
 BuildRequires: bash
@@ -114,6 +116,9 @@ fi
 %{_unitdir}/*
 
 %changelog
+* Tue Jun 25 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 25.0.3-3
+- Address CVE-2022-2879
+
 * Thu Mar 21 2024 Henry Beberman <henry.beberman@microsoft.com> - 25.0.3-2
 - Add the in-tree version of docker proxy built from cmd/docker-proxy into /usr/libexec
 - Set userland-proxy-path explicitly by introducing /etc/docker/daemon.json