gh: address CVE-2022-32149

Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>

SPECS/gh/CVE-2022-32149.patch

@@ -0,0 +1,65 @@
+From a47ab91255e04dda4ca0d734afef58216c7479a2 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 2 Sep 2022 09:35:37 -0700
+Subject: [PATCH] language: reject excessively large Accept-Language strings
+
+Backported to apply on vendor direcotry by @mfrw
+
+The BCP 47 tag parser has quadratic time complexity due to inherent
+aspects of its design. Since the parser is, by design, exposed to
+untrusted user input, this can be leveraged to force a program to
+consume significant time parsing Accept-Language headers.
+
+The parser cannot be easily rewritten to fix this behavior for
+various reasons. Instead the solution implemented in this CL is to
+limit the total complexity of tags passed into ParseAcceptLanguage
+by limiting the number of dashes in the string to 1000. This should
+be more than enough for the majority of real world use cases, where
+the number of tags being sent is likely to be in the single digits.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to Adam
+Korczynski (ADA Logics) for writing the fuzz case and for reporting the
+issue.
+
+Fixes CVE-2022-32149
+Fixes golang/go#56152
+
+Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
+---
+ vendor/golang.org/x/text/language/parse.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
+index 59b0410..b982d9e 100644
+--- a/vendor/golang.org/x/text/language/parse.go
++++ b/vendor/golang.org/x/text/language/parse.go
+@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
+ }
+ 
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+ 
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
+ 		}
+ 	}()
+ 
++	if strings.Count(s, "-") > 1000 {
++		return nil, nil, errTagListTooLarge
++	}
++
+ 	var entry string
+ 	for s != "" {
+ 		if entry, s = split(s, ','); entry == "" {
+-- 
+2.40.1
+

SPECS/gh/gh.spec

@@ -1,7 +1,7 @@
 Summary:        GitHub official command line tool
 Name:           gh
 Version:        2.13.0
-Release:        19%{?dist}
+Release:        21%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -30,6 +30,7 @@ Source1:        %{name}-%{version}-vendor.tar.gz
 # Available upstream in 2.16.0
 Patch0:         fix-relative-time-search-tests.patch
 Patch1:         CVE-2021-43565.patch
+Patch2:         CVE-2022-32149.patch
 
 BuildRequires:  golang
 BuildRequires:  git
@@ -45,6 +46,7 @@ GitHub official command line tool.
 %patch0 -p1
 tar --no-same-owner -xf %{SOURCE1}
 %patch1 -p1
+%patch2 -p1
 
 %build
 export GOPATH=%{our_gopath}
@@ -75,13 +77,14 @@ make test
 %{_datadir}/zsh/site-functions/_gh
 
 %changelog
-<<<<<<< HEAD
+* Tue Sep 03 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 2.13.0-21
+- Patch CVE-2022-32149
+
+* Fri Jul 19 2024 Archana Choudhary <archana1@microsoft.com> - 2.13.0-20
+- Patch for CVE-2021-43565
+
 * Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 2.13.0-19
 - Drop requirement on a specific version of golang
-=======
-* Fri Jul 19 2024 Archana Choudhary <archana1@microsoft.com> - 2.13.0-19
-- Patch for CVE-2021-43565
->>>>>>> 9b583d8ff (gh: patch CVE-2021-43565 (#9894))
 
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 2.13.0-18
 - Bump release to rebuild with go 1.21.11