Fixed CVE-2023-45142 and CVE-2023-45288 in `opa` (#9550)
Родитель
e80d176a27
Коммит
eed172897e
@ -0,0 +1,86 @@
|
|||
From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001
|
||||
From: Damien Neil <dneil@google.com>
|
||||
Date: Wed, 10 Jan 2024 13:41:39 -0800
|
||||
Subject: [PATCH] http2: close connections when receiving too many headers
|
||||
|
||||
Maintaining HPACK state requires that we parse and process
|
||||
all HEADERS and CONTINUATION frames on a connection.
|
||||
When a request's headers exceed MaxHeaderBytes, we don't
|
||||
allocate memory to store the excess headers but we do
|
||||
parse them. This permits an attacker to cause an HTTP/2
|
||||
endpoint to read arbitrary amounts of data, all associated
|
||||
with a request which is going to be rejected.
|
||||
|
||||
Set a limit on the amount of excess header frames we
|
||||
will process before closing a connection.
|
||||
|
||||
Thanks to Bartek Nowotarski for reporting this issue.
|
||||
|
||||
Fixes CVE-2023-45288
|
||||
Fixes golang/go#65051
|
||||
|
||||
Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
|
||||
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
||||
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
|
||||
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
|
||||
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
|
||||
Reviewed-by: Than McIntosh <thanm@google.com>
|
||||
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
|
||||
---
|
||||
vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
|
||||
1 file changed, 31 insertions(+)
|
||||
|
||||
diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
|
||||
index c1f6b90..175c154 100644
|
||||
--- a/vendor/golang.org/x/net/http2/frame.go
|
||||
+++ b/vendor/golang.org/x/net/http2/frame.go
|
||||
@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
|
||||
if size > remainSize {
|
||||
hdec.SetEmitEnabled(false)
|
||||
mh.Truncated = true
|
||||
+ remainSize = 0
|
||||
return
|
||||
}
|
||||
remainSize -= size
|
||||
@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
|
||||
var hc headersOrContinuation = hf
|
||||
for {
|
||||
frag := hc.HeaderBlockFragment()
|
||||
+
|
||||
+ // Avoid parsing large amounts of headers that we will then discard.
|
||||
+ // If the sender exceeds the max header list size by too much,
|
||||
+ // skip parsing the fragment and close the connection.
|
||||
+ //
|
||||
+ // "Too much" is either any CONTINUATION frame after we've already
|
||||
+ // exceeded the max header list size (in which case remainSize is 0),
|
||||
+ // or a frame whose encoded size is more than twice the remaining
|
||||
+ // header list bytes we're willing to accept.
|
||||
+ if int64(len(frag)) > int64(2*remainSize) {
|
||||
+ if VerboseLogs {
|
||||
+ log.Printf("http2: header list too large")
|
||||
+ }
|
||||
+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
|
||||
+ // but the struture of the server's frame writer makes this difficult.
|
||||
+ return nil, ConnectionError(ErrCodeProtocol)
|
||||
+ }
|
||||
+
|
||||
+ // Also close the connection after any CONTINUATION frame following an
|
||||
+ // invalid header, since we stop tracking the size of the headers after
|
||||
+ // an invalid one.
|
||||
+ if invalid != nil {
|
||||
+ if VerboseLogs {
|
||||
+ log.Printf("http2: invalid header: %v", invalid)
|
||||
+ }
|
||||
+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
|
||||
+ // but the struture of the server's frame writer makes this difficult.
|
||||
+ return nil, ConnectionError(ErrCodeProtocol)
|
||||
+ }
|
||||
+
|
||||
if _, err := hdec.Write(frag); err != nil {
|
||||
return nil, ConnectionError(ErrCodeCompression)
|
||||
}
|
||||
--
|
||||
2.44.0
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
{
|
||||
"Signatures": {
|
||||
"opa-0.55.0.tar.gz": "4db886ffe0cbe20b58631befdc9a46a336525e6d88aec4fc9c29360d0d0bfd6c"
|
||||
"opa-0.63.0.tar.gz": "0639466031325de698c61d55850c35d14a7a260ead5d5a06540ee142950818b0"
|
||||
}
|
||||
}
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
%global short_commit e88ad165
|
||||
Summary: Open source, general-purpose policy engine
|
||||
Name: opa
|
||||
Version: 0.55.0
|
||||
Version: 0.63.0
|
||||
Release: 1%{?dist}
|
||||
# Upstream license specification: MIT and Apache-2.0
|
||||
# Main package: ASL 2.0
|
||||
|
@ -20,6 +20,7 @@ Source0: %{name}-%{version}.tar.gz
|
|||
Patch0: 0001-Make-telemetry-opt-out.patch
|
||||
# Skip tests requiring network
|
||||
Patch1: 0001-Skip-tests-requiring-network.patch
|
||||
Patch2: CVE-2023-45288.patch
|
||||
# Warn users about WebAssembly missing
|
||||
BuildRequires: golang
|
||||
BuildRequires: make
|
||||
|
@ -53,6 +54,10 @@ install -D -p -m 0644 man/* %{buildroot}%{_mandir}/man1/
|
|||
%{_bindir}/*
|
||||
|
||||
%changelog
|
||||
* Fri Jun 28 2024 Pawel Winogrodzki <pawelwi@microsoft.com> - 0.63.0-1
|
||||
- Auto-upgrade to 0.63.0 - CVE-2023-45142
|
||||
- Adding a patch for CVE-2023-45288.
|
||||
|
||||
* Fri Oct 27 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.55.0-1
|
||||
- Auto-upgrade to 0.55.0 - Azure Linux 3.0 - package upgrades
|
||||
|
||||
|
|
|
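Review bot: The new `Patch2: CVE-2023-45288.patch` line is the only patch declaration in this section without a comment saying what it backports and when it can be dropped, unlike `Patch1` above it; I would add `# Backport of golang.org/x/net commit 63b4ddd633bd (http2: close connections when receiving too many headers); drop once the vendored x/net already contains it` directly above it. The %prep section is outside this diff, so confirm the patch is actually applied with `-p1` (it targets `a/vendor/golang.org/x/net/http2/frame.go`): a `Patch2:` declaration alone does nothing if %prep uses explicit `%patch0`/`%patch1` lines rather than `%autosetup`. Since the fix lives under `vendor/`, it is only effective if the build resolves modules from the vendor tree (the default when `vendor/modules.txt` is present, but worth checking the Makefile does not pass `-mod=mod`). Also, `%global short_commit e88ad165` at the top of the first hunk is unchanged across the 0.55.0 → 0.63.0 bump; if it feeds the version ldflags, `opa version` will report a stale commit.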
@ -14913,8 +14913,8 @@
|
|||
"type": "other",
|
||||
"other": {
|
||||
"name": "opa",
|
||||
"version": "0.55.0",
|
||||
"downloadUrl": "https://github.com/open-policy-agent/opa/archive/refs/tags/v0.55.0.tar.gz"
|
||||
"version": "0.63.0",
|
||||
"downloadUrl": "https://github.com/open-policy-agent/opa/archive/refs/tags/v0.63.0.tar.gz"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
|