diff --git a/SPECS/opa/CVE-2023-45288.patch b/SPECS/opa/CVE-2023-45288.patch
new file mode 100644
index 0000000000..676fcbace5
--- /dev/null
+++ b/SPECS/opa/CVE-2023-45288.patch
@@ -0,0 +1,86 @@
+From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001
+From: Damien Neil
+Date: Wed, 10 Jan 2024 13:41:39 -0800
+Subject: [PATCH] http2: close connections when receiving too many headers
+
+Maintaining HPACK state requires that we parse and process
+all HEADERS and CONTINUATION frames on a connection.
+When a request's headers exceed MaxHeaderBytes, we don't
+allocate memory to store the excess headers but we do
+parse them. This permits an attacker to cause an HTTP/2
+endpoint to read arbitrary amounts of data, all associated
+with a request which is going to be rejected.
+
+Set a limit on the amount of excess header frames we
+will process before closing a connection.
+
+Thanks to Bartek Nowotarski for reporting this issue.
+
+Fixes CVE-2023-45288
+Fixes golang/go#65051
+
+Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
+Reviewed-by: Roland Shoemaker
+Reviewed-by: Tatiana Bradley
+Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
+Reviewed-by: Dmitri Shuralyov
+Auto-Submit: Dmitri Shuralyov
+Reviewed-by: Than McIntosh
+LUCI-TryBot-Result: Go LUCI
+---
+ vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index c1f6b90..175c154 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
++++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ if size > remainSize {
+ hdec.SetEmitEnabled(false)
+ mh.Truncated = true
++ remainSize = 0
+ return
+ }
+ remainSize -= size
+@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ var hc headersOrContinuation = hf
+ for {
+ frag := hc.HeaderBlockFragment()
++
++ // Avoid parsing large amounts of headers that we will then discard.
++ // If the sender exceeds the max header list size by too much,
++ // skip parsing the fragment and close the connection.
++ //
++ // "Too much" is either any CONTINUATION frame after we've already
++ // exceeded the max header list size (in which case remainSize is 0),
++ // or a frame whose encoded size is more than twice the remaining
++ // header list bytes we're willing to accept.
++ if int64(len(frag)) > int64(2*remainSize) {
++ if VerboseLogs {
++ log.Printf("http2: header list too large")
++ }
++ // It would be nice to send a RST_STREAM before sending the GOAWAY,
++ // but the struture of the server's frame writer makes this difficult.
++ return nil, ConnectionError(ErrCodeProtocol)
++ }
++
++ // Also close the connection after any CONTINUATION frame following an
++ // invalid header, since we stop tracking the size of the headers after
++ // an invalid one.
++ if invalid != nil {
++ if VerboseLogs {
++ log.Printf("http2: invalid header: %v", invalid)
++ }
++ // It would be nice to send a RST_STREAM before sending the GOAWAY,
++ // but the struture of the server's frame writer makes this difficult.
++ return nil, ConnectionError(ErrCodeProtocol)
++ }
++
+ if _, err := hdec.Write(frag); err != nil {
+ return nil, ConnectionError(ErrCodeCompression)
+ }
+--
+2.44.0
+
diff --git a/SPECS/opa/opa.signatures.json b/SPECS/opa/opa.signatures.json
index 43509c93c3..d5856b6013 100644
--- a/SPECS/opa/opa.signatures.json
+++ b/SPECS/opa/opa.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "opa-0.55.0.tar.gz": "4db886ffe0cbe20b58631befdc9a46a336525e6d88aec4fc9c29360d0d0bfd6c"
+ "opa-0.63.0.tar.gz": "0639466031325de698c61d55850c35d14a7a260ead5d5a06540ee142950818b0"
 }
 }
diff --git a/SPECS/opa/opa.spec b/SPECS/opa/opa.spec
index 0654202bad..15234f9a43 100644
--- a/SPECS/opa/opa.spec
+++ b/SPECS/opa/opa.spec
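Review bot: The patch file's description is the verbatim upstream x/net commit message and says nothing about why OPA 0.63.0 still needs it or when it can be dropped; the only OPA-specific signal is the `vendor/golang.org/x/net/http2/frame.go` path and the `index c1f6b90..175c154` blob it expects. I would add one line above the `---` separator of the message, e.g. `Backported to the x/net copy vendored by OPA 0.63.0; drop once the vendored x/net is v0.23.0 or newer.`, so the next version bump knows whether this patch is stale. The hunk is a complete 86-line file addition; the readMetaFrame function it patches is only shown in part, as the inner hunks cut through its body.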
@@ -4,7 +4,7 @@ %global short_commit e88ad165
 Summary: Open source, general-purpose policy engine
 Name: opa
-Version: 0.55.0
+Version: 0.63.0
 Release: 1%{?dist}
 # Upstream license specification: MIT and Apache-2.0
 # Main package: ASL 2.0
@@ -20,6 +20,7 @@ Source0: %{name}-%{version}.tar.gz
 Patch0: 0001-Make-telemetry-opt-out.patch
 # Skip tests requiring network
 Patch1: 0001-Skip-tests-requiring-network.patch
+Patch2: CVE-2023-45288.patch
 # Warn users about WebAssembly missing
 BuildRequires: golang
 BuildRequires: make
@@ -53,6 +54,10 @@ install -D -p -m 0644 man/* %{buildroot}%{_mandir}/man1/
 %{_bindir}/*
 %changelog
+* Fri Jun 28 2024 Pawel Winogrodzki - 0.63.0-1
+- Auto-upgrade to 0.63.0 - CVE-2023-45142
+- Adding a patch for CVE-2023-45288.
+
 * Fri Oct 27 2023 CBL-Mariner Servicing Account - 0.55.0-1
 - Auto-upgrade to 0.55.0 - Azure Linux 3.0 - package upgrades
diff --git a/cgmanifest.json b/cgmanifest.json
index 160e2d7868..58d4675bce 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -14913,8 +14913,8 @@ "type": "other",
 "other": {
 "name": "opa",
- "version": "0.55.0",
- "downloadUrl": "https://github.com/open-policy-agent/opa/archive/refs/tags/v0.55.0.tar.gz"
+ "version": "0.63.0",
+ "downloadUrl": "https://github.com/open-policy-agent/opa/archive/refs/tags/v0.63.0.tar.gz"
 }
 }
 },
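Review bot: `BuildRequires: golang` in the second hunk carries no version constraint, yet whether CVE-2023-45288 is actually closed depends on the toolchain: Patch2 only changes the vendored golang.org/x/net/http2 copy, while net/http's own bundled HTTP/2 implementation is a separate copy that is fixed only in Go 1.21.9/1.22.2 and later. If OPA's REST listener is served by net/http rather than x/net/http2 directly (likely, but not visible here), the patched vendored code is not the one on the attack path. I would pin the toolchain, `BuildRequires: golang >= 1.21.9`, or at least record in the changelog entry which golang the build was verified against. The %prep section that applies Patch2 is outside the hunk, so I could not confirm the patch is applied (e.g. via `%autosetup -p1`) or that the 0.63.0 tarball ships vendor/golang.org/x/net/http2/frame.go at the blob the patch's index line expects.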