Upgrade vitess to v17.0.7 to fix CVE-2024-32886 (#9374)

SPECS/vitess/CVE-2023-44487.patch

@@ -1,152 +0,0 @@
-From cfb6510164d254bb74e00f066883d4a74458f6b5 Mon Sep 17 00:00:00 2001
-From: Damien Neil <dneil@google.com>
-Date: Fri, 6 Oct 2023 09:51:19 -0700
-Subject: [PATCH] http2: limit maximum handler goroutines to
- MaxConcurrentStreams
-
-When the peer opens a new stream while we have MaxConcurrentStreams
-handler goroutines running, defer starting a handler until one
-of the existing handlers exits.
-
-Fixes golang/go#63417
-Fixes CVE-2023-39325
-
-Change-Id: If0531e177b125700f3e24c5ebd24b1023098fa6d
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2045854
-TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
-Reviewed-by: Ian Cottrell <iancottrell@google.com>
-Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
-Run-TryBot: Damien Neil <dneil@google.com>
-Reviewed-on: https://go-review.googlesource.com/c/net/+/534215
-Reviewed-by: Michael Pratt <mpratt@google.com>
-Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
-Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
-Reviewed-by: Damien Neil <dneil@google.com>
-
-Modified to apply to vendored code by: Daniel McIlvaney <damcilva@microsoft.com>
- - Adjusted paths
- - Removed reference to server_test.go
----
- vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++-
- 1 file changed, 64 insertions(+), 2 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
-index 8cb14f3..6000140 100644
---- a/vendor/golang.org/x/net/http2/server.go
-+++ b/vendor/golang.org/x/net/http2/server.go
-@@ -581,9 +581,11 @@ type serverConn struct {
- 	advMaxStreams               uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
- 	curClientStreams            uint32 // number of open streams initiated by the client
- 	curPushedStreams            uint32 // number of open streams initiated by server push
-+	curHandlers                 uint32 // number of running handler goroutines
- 	maxClientStreamID           uint32 // max ever seen from client (odd), or 0 if there have been no client requests
- 	maxPushPromiseID            uint32 // ID of the last push promise (even), or 0 if there have been no pushes
- 	streams                     map[uint32]*stream
-+	unstartedHandlers           []unstartedHandler
- 	initialStreamSendWindowSize int32
- 	maxFrameSize                int32
- 	peerMaxHeaderListSize       uint32            // zero means unknown (default)
-@@ -981,6 +983,8 @@ func (sc *serverConn) serve() {
- 					return
- 				case gracefulShutdownMsg:
- 					sc.startGracefulShutdownInternal()
-+				case handlerDoneMsg:
-+					sc.handlerDone()
- 				default:
- 					panic("unknown timer")
- 				}
-@@ -1028,6 +1032,7 @@ var (
- 	idleTimerMsg        = new(serverMessage)
- 	shutdownTimerMsg    = new(serverMessage)
- 	gracefulShutdownMsg = new(serverMessage)
-+	handlerDoneMsg      = new(serverMessage)
- )
-
- func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
-@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
- 		}
- 	}
-
--	go sc.runHandler(rw, req, handler)
--	return nil
-+	return sc.scheduleHandler(id, rw, req, handler)
- }
-
- func (sc *serverConn) upgradeRequest(req *http.Request) {
-@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) {
- 		sc.conn.SetReadDeadline(time.Time{})
- 	}
-
-+	// This is the first request on the connection,
-+	// so start the handler directly rather than going
-+	// through scheduleHandler.
-+	sc.curHandlers++
- 	go sc.runHandler(rw, req, sc.handler.ServeHTTP)
- }
-
-@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response
- 	return &responseWriter{rws: rws}
- }
-
-+type unstartedHandler struct {
-+	streamID uint32
-+	rw       *responseWriter
-+	req      *http.Request
-+	handler  func(http.ResponseWriter, *http.Request)
-+}
-+
-+// scheduleHandler starts a handler goroutine,
-+// or schedules one to start as soon as an existing handler finishes.
-+func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
-+	sc.serveG.check()
-+	maxHandlers := sc.advMaxStreams
-+	if sc.curHandlers < maxHandlers {
-+		sc.curHandlers++
-+		go sc.runHandler(rw, req, handler)
-+		return nil
-+	}
-+	if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
-+		return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm))
-+	}
-+	sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
-+		streamID: streamID,
-+		rw:       rw,
-+		req:      req,
-+		handler:  handler,
-+	})
-+	return nil
-+}
-+
-+func (sc *serverConn) handlerDone() {
-+	sc.serveG.check()
-+	sc.curHandlers--
-+	i := 0
-+	maxHandlers := sc.advMaxStreams
-+	for ; i < len(sc.unstartedHandlers); i++ {
-+		u := sc.unstartedHandlers[i]
-+		if sc.streams[u.streamID] == nil {
-+			// This stream was reset before its goroutine had a chance to start.
-+			continue
-+		}
-+		if sc.curHandlers >= maxHandlers {
-+			break
-+		}
-+		sc.curHandlers++
-+		go sc.runHandler(u.rw, u.req, u.handler)
-+		sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
-+	}
-+	sc.unstartedHandlers = sc.unstartedHandlers[i:]
-+	if len(sc.unstartedHandlers) == 0 {
-+		sc.unstartedHandlers = nil
-+	}
-+}
-+
- // Run on its own goroutine.
- func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
-+	defer sc.sendServeMsg(handlerDoneMsg)
- 	didPanic := true
- 	defer func() {
- 		rw.rws.stream.cancelCtx()
---
-2.33.8

SPECS/vitess/CVE-2023-45288.patch

@@ -1,86 +0,0 @@
-From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001
-From: Damien Neil <dneil@google.com>
-Date: Wed, 10 Jan 2024 13:41:39 -0800
-Subject: [PATCH] http2: close connections when receiving too many headers
-
-Maintaining HPACK state requires that we parse and process
-all HEADERS and CONTINUATION frames on a connection.
-When a request's headers exceed MaxHeaderBytes, we don't
-allocate memory to store the excess headers but we do
-parse them. This permits an attacker to cause an HTTP/2
-endpoint to read arbitrary amounts of data, all associated
-with a request which is going to be rejected.
-
-Set a limit on the amount of excess header frames we
-will process before closing a connection.
-
-Thanks to Bartek Nowotarski for reporting this issue.
-
-Fixes CVE-2023-45288
-Fixes golang/go#65051
-
-Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
-Reviewed-by: Roland Shoemaker <bracewell@google.com>
-Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
-Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
-Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
-Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
-Reviewed-by: Than McIntosh <thanm@google.com>
-LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
----
- vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
-index c1f6b90..175c154 100644
---- a/vendor/golang.org/x/net/http2/frame.go
-+++ b/vendor/golang.org/x/net/http2/frame.go
-@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
- 		if size > remainSize {
- 			hdec.SetEmitEnabled(false)
- 			mh.Truncated = true
-+			remainSize = 0
- 			return
- 		}
- 		remainSize -= size
-@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
- 	var hc headersOrContinuation = hf
- 	for {
- 		frag := hc.HeaderBlockFragment()
-+
-+		// Avoid parsing large amounts of headers that we will then discard.
-+		// If the sender exceeds the max header list size by too much,
-+		// skip parsing the fragment and close the connection.
-+		//
-+		// "Too much" is either any CONTINUATION frame after we've already
-+		// exceeded the max header list size (in which case remainSize is 0),
-+		// or a frame whose encoded size is more than twice the remaining
-+		// header list bytes we're willing to accept.
-+		if int64(len(frag)) > int64(2*remainSize) {
-+			if VerboseLogs {
-+				log.Printf("http2: header list too large")
-+			}
-+			// It would be nice to send a RST_STREAM before sending the GOAWAY,
-+			// but the struture of the server's frame writer makes this difficult.
-+			return nil, ConnectionError(ErrCodeProtocol)
-+		}
-+
-+		// Also close the connection after any CONTINUATION frame following an
-+		// invalid header, since we stop tracking the size of the headers after
-+		// an invalid one.
-+		if invalid != nil {
-+			if VerboseLogs {
-+				log.Printf("http2: invalid header: %v", invalid)
-+			}
-+			// It would be nice to send a RST_STREAM before sending the GOAWAY,
-+			// but the struture of the server's frame writer makes this difficult.
-+			return nil, ConnectionError(ErrCodeProtocol)
-+		}
-+
- 		if _, err := hdec.Write(frag); err != nil {
- 			return nil, ConnectionError(ErrCodeCompression)
- 		}
--- 
-2.44.0
-

SPECS/vitess/vitess.signatures.json

@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "vitess-16.0.2-vendor.tar.gz": "86cb3d667cef20d65bd122d47f71271a3cb7163a1e474dd1feba17674435ce2e",
-  "vitess-16.0.2.tar.gz": "89328d683f2694de4ada21c7a815d396a853ad45d39607aca467996678b69e0c"
+  "vitess-17.0.7-vendor.tar.gz": "09f50053dfc4aa2b5caed55a5fabcb9f5b832fabead635797344f74216ae8b76",
+  "vitess-17.0.7.tar.gz": "1838b97ff30b182af576a7bc25bcd54532fcedccffd28778206c20774bb34c10"
  }
 }

SPECS/vitess/vitess.spec

@@ -2,8 +2,8 @@
 %bcond_without check
 
 Name:           vitess
-Version:        16.0.2
-Release:        9%{?dist}
+Version:        17.0.7
+Release:        1%{?dist}
 Summary:        Database clustering system for horizontal scaling of MySQL
 # Upstream license specification: MIT and Apache-2.0
 License:        MIT and ASL 2.0
@@ -26,8 +26,6 @@ Source0:        %{name}-%{version}.tar.gz
 #           -cf %%{name}-%%{version}-vendor.tar.gz vendor
 #
 Source1:        %{name}-%{version}-vendor.tar.gz
-Patch0:         CVE-2023-44487.patch
-Patch1:         CVE-2023-45288.patch
 BuildRequires: golang
 
 %description
@@ -105,6 +103,10 @@ go check -t go/cmd \
 %{_bindir}/*
 
 %changelog
+* Tue Jun 11 2024 Sumedh Sharma <sumsharma@microsoft.com> - 17.0.7-1
+- Bump version to 17.0.7 to address CVE-2024-32886
+- Remove patches already fixed in sources
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 16.0.2-9
 - Bump release to rebuild with go 1.21.11
 

cgmanifest.json

@@ -29557,8 +29557,8 @@
         "type": "other",
         "other": {
           "name": "vitess",
-          "version": "16.0.2",
-          "downloadUrl": "https://github.com/vitessio/vitess/archive/refs/tags/v16.0.2.tar.gz"
+          "version": "17.0.7",
+          "downloadUrl": "https://github.com/vitessio/vitess/archive/refs/tags/v17.0.7.tar.gz"
         }
       }
     },