[AUTO-CHERRYPICK] Fix CVE-2022-32149 in cri-o - branch main (#10451)
Co-authored-by: sindhu-karri <33163197+sindhu-karri@users.noreply.github.com> Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Parent 9c0a877fcf
Commit ef135f4b46
|
@ -0,0 +1,68 @@
|
|||
From b293cbe0fda9dcbedf27b41767d0b19e08ef51c6 Mon Sep 17 00:00:00 2001
|
||||
From: Sindhu Karri <lakarri@microsoft.com>
|
||||
Date: Fri, 13 Sep 2024 06:35:51 +0000
|
||||
Subject: [PATCH] Fix CVE-2022-32149
|
||||
|
||||
---
|
||||
From 434eadcdbc3b0256971992e8c70027278364c72c Mon Sep 17 00:00:00 2001
|
||||
From: Roland Shoemaker <bracewell@google.com>
|
||||
Date: Fri, 2 Sep 2022 09:35:37 -0700
|
||||
Subject: [PATCH] language: reject excessively large Accept-Language strings
|
||||
|
||||
The BCP 47 tag parser has quadratic time complexity due to inherent
|
||||
aspects of its design. Since the parser is, by design, exposed to
|
||||
untrusted user input, this can be leveraged to force a program to
|
||||
consume significant time parsing Accept-Language headers.
|
||||
|
||||
The parser cannot be easily rewritten to fix this behavior for
|
||||
various reasons. Instead the solution implemented in this CL is to
|
||||
limit the total complexity of tags passed into ParseAcceptLanguage
|
||||
by limiting the number of dashes in the string to 1000. This should
|
||||
be more than enough for the majority of real world use cases, where
|
||||
the number of tags being sent is likely to be in the single digits.
|
||||
|
||||
Thanks to the OSS-Fuzz project for discovering this issue and to Adam
|
||||
Korczynski (ADA Logics) for writing the fuzz case and for reporting the
|
||||
issue.
|
||||
|
||||
Fixes CVE-2022-32149
|
||||
Fixes golang/go#56152
|
||||
|
||||
Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
|
||||
Reviewed-by: Damien Neil <dneil@google.com>
|
||||
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
|
||||
TryBot-Result: Gopher Robot <gobot@golang.org>
|
||||
Auto-Submit: Roland Shoemaker <roland@golang.org>
|
||||
Run-TryBot: Roland Shoemaker <roland@golang.org>
|
||||
---
|
||||
vendor/golang.org/x/text/language/parse.go | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
|
||||
index 11acfd8..3bba19f 100644
|
||||
--- a/vendor/golang.org/x/text/language/parse.go
|
||||
+++ b/vendor/golang.org/x/text/language/parse.go
|
||||
@@ -133,6 +133,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
|
||||
}
|
||||
|
||||
var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
|
||||
+var errTagListTooLarge = errors.New("tag list exceeds max length")
|
||||
|
||||
// ParseAcceptLanguage parses the contents of an Accept-Language header as
|
||||
// defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
|
||||
@@ -142,6 +143,10 @@ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
|
||||
// Tags with a weight of zero will be dropped. An error will be returned if the
|
||||
// input could not be parsed.
|
||||
func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
|
||||
+ if strings.Count(s, "-") > 1000 {
|
||||
+ return nil, nil, errTagListTooLarge
|
||||
+ }
|
||||
+
|
||||
var entry string
|
||||
for s != "" {
|
||||
if entry, s = split(s, ','); entry == "" {
|
||||
--
|
||||
2.33.8
|
||||
|
|
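Review bot: Because the guard lands only in vendor/golang.org/x/text/language/parse.go (diffstat: 1 file changed, 5 insertions), nothing in this patch updates the module version recorded for golang.org/x/text, so any check that keys on the recorded x/text version will still report CVE-2022-32149 against the rebuilt package. Keeping the upstream header (434eadcdbc3b0256971992e8c70027278364c72c) inside the patch is good for traceability; it would also help to say in the outer commit message that this is a vendor-only backport, so a scanner finding can be matched to this patch. Two smaller points on the ParseAcceptLanguage hunk: `strings.Count(s, "-")` depends on `strings` already being imported in parse.go, since no import hunk is included, and callers now receive errTagListTooLarge for any header with more than 1000 dashes, so it is worth confirming that cri-o code paths reaching this function treat the error as a rejected input rather than a fatal condition.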
@ -26,7 +26,7 @@ Summary: OCI-based implementation of Kubernetes Container Runtime Interfa
|
|||
# Define macros for further referenced sources
|
||||
Name: cri-o
|
||||
Version: 1.22.3
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}
|
||||
License: ASL 2.0
|
||||
Vendor: Microsoft Corporation
|
||||
Distribution: Mariner
|
||||
|
@ -67,6 +67,7 @@ Patch11: CVE-2024-3154.patch
|
|||
Patch12: CVE-2024-3727.patch
|
||||
Patch13: CVE-2021-43565.patch
|
||||
Patch14: CVE-2024-6104.patch
|
||||
Patch15: CVE-2022-32149.patch
|
||||
BuildRequires: btrfs-progs-devel
|
||||
BuildRequires: device-mapper-devel
|
||||
BuildRequires: fdupes
|
||||
|
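Review bot: Patch15 is declared here, but none of the spec hunks in this commit touches %prep, so whether CVE-2022-32149.patch is actually applied depends on the spec using %autosetup or %autopatch. If the spec applies patches with individual %patch lines, a matching entry for 15 is needed, with a strip level that fits the a/vendor/... and b/vendor/... paths in the patch (-p1). A quick confirmation is to check the prepared build tree for `errTagListTooLarge` in vendor/golang.org/x/text/language/parse.go.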
@ -219,6 +220,9 @@ mkdir -p /opt/cni/bin
|
|||
%{_fillupdir}/sysconfig.kubelet
|
||||
|
||||
%changelog
|
||||
* Thu Sep 12 2024 Sindhu Karri <lakarri@microsoft.com> - 1.22.3-8
|
||||
- Patch CVE-2022-32149
|
||||
|
||||
* Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.22.3-7
|
||||
- Bump release to rebuild with go 1.22.7
|
||||
|
||||
|
|