diff --git a/0009-backport-fix-CVE-2023-39325.patch b/0009-backport-fix-CVE-2023-39325.patch new file mode 100644 index 0000000000000000000000000000000000000000..73fdd555bda800cd72fd4bb860634ae5d42ca4a8 --- /dev/null +++ b/0009-backport-fix-CVE-2023-39325.patch @@ -0,0 +1,131 @@ +From 31f47cbf4b06ae00b58ffa554706bbc26b17e948 Mon Sep 17 00:00:00 2001 +From: lvxiangcong +Date: Tue, 18 Feb 2025 16:22:42 +0800 +Subject: [PATCH] backport fix cve-2023-39325 + +--- + vendor/golang.org/x/net/http2/server.go | 68 +++++++++++++++++++++++-- + 1 file changed, 65 insertions(+), 3 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 5e01ce9ab..f447050c8 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -521,9 +521,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -895,6 +897,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -940,6 +944,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1880,8 +1885,9 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ //go sc.runHandler(rw, req, handler) ++ //return sc.sch ++ return sc.scheduleHandler(id,rw,req,handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2124,8 +2130,64 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ //return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++ ++func (sc *serverConn)handlerDone(){ ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +@@ -2879,7 +2941,7 @@ func (sc *serverConn) startPush(msg *startPushRequest) { + // Should not happen, since we've already validated msg.url. + panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err)) + } +- ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + return promisedID, nil + } +-- +2.25.1 + diff --git a/etcd.spec b/etcd.spec index 031e64a538fc8839fb0d9f2352c8f028ffc3019d..91d2cebcdbedd8fa199e0b1d26d02c0edcfa12a8 100644 --- a/etcd.spec +++ b/etcd.spec @@ -31,7 +31,7 @@ system.} %global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/* Name: etcd -Release: 9 +Release: 10 Summary: Distributed reliable key-value store for the most critical data of a distributed system # Upstream license specification: Apache-2.0 @@ -52,7 +52,7 @@ Patch5: 0005-backport-fix-CVE-2022-41723.patch Patch6: 0006-backport-fix-CVE-2022-34038.patch Patch7: 0007-backport-fix-CVE-2023-32082.patch Patch8: 0008-backport-fix-CVE-2021-28235.patch - +Patch9: 0009-backport-fix-CVE-2023-39325.patch BuildRequires: golang BuildRequires: python3-devel %{?systemd_requires} @@ -75,6 +75,7 @@ Requires(pre): shadow-utils %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 # For compatibility cp -aR etcdserver/api/snap snap cp -aR etcdserver/api/membership etcdserver/membership @@ -160,6 +161,12 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/ %endif %changelog +* Tue Feb 18 2025 lvxiangcong - 3.4.14-10 +- Type:CVE +- CVE:CVE-2023-39325 +- SUG:NA +- DESC: backport fix 2023-39325 + * Mon Feb 17 2025 lvxiangcong - 3.4.14-9 - Type:CVE - CVE:CVE-2023-32082 CVE-2021-28235