From 5781f0f5aa3f97c3a15bcb8894425fec977b5d9e Mon Sep 17 00:00:00 2001 From: lvxiangcong Date: Thu, 20 Feb 2025 10:05:11 +0800 Subject: [PATCH] Batch fix sync failed cves for openEuler-22.03-LTS-SP3 branch --- 0006-backport-fix-CVE-2022-41723.patch | 143 ++++++++++++++++++++++ 0007-backport-fix-CVE-2022-34038.patch | 42 +++++++ 0008-backport-fix-CVE-2023-32082.patch | 160 +++++++++++++++++++++++++ 0009-backport-fix-CVE-2021-28235.patch | 141 ++++++++++++++++++++++ 0010-backport-fix-CVE-2023-39325.patch | 131 ++++++++++++++++++++ etcd.spec | 19 ++- 6 files changed, 635 insertions(+), 1 deletion(-) create mode 100644 0006-backport-fix-CVE-2022-41723.patch create mode 100644 0007-backport-fix-CVE-2022-34038.patch create mode 100644 0008-backport-fix-CVE-2023-32082.patch create mode 100644 0009-backport-fix-CVE-2021-28235.patch create mode 100644 0010-backport-fix-CVE-2023-39325.patch diff --git a/0006-backport-fix-CVE-2022-41723.patch b/0006-backport-fix-CVE-2022-41723.patch new file mode 100644 index 0000000..ecdbe4b --- /dev/null +++ b/0006-backport-fix-CVE-2022-41723.patch @@ -0,0 +1,143 @@ +From 33fc2e1988454d3a2f9d887161884f76f344178f Mon Sep 17 00:00:00 2001 +From: lvxiangcong +Date: Fri, 14 Feb 2025 14:29:45 +0800 +Subject: [PATCH] backport fix cve-2022-41723 + +--- + vendor/golang.org/x/net/http2/hpack/hpack.go | 80 ++++++++++++-------- + 1 file changed, 50 insertions(+), 30 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go +index 85f18a2..0d3fd2b 100644 +--- a/vendor/golang.org/x/net/http2/hpack/hpack.go ++++ b/vendor/golang.org/x/net/http2/hpack/hpack.go +@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + + var hf HeaderField + wantStr := d.emitEnabled || it.indexed() ++ var undecodedName undecodedString + if nameIdx > 0 { + ihf, ok := d.at(nameIdx) + if !ok { +@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + } + hf.Name = ihf.Name + } else { +- hf.Name, buf, err = d.readString(buf, wantStr) ++ undecodedName, buf, err = d.readString(buf) + if err != nil { + return err + } + } +- hf.Value, buf, err = d.readString(buf, wantStr) ++ undecodedValue, buf, err := d.readString(buf) + if err != nil { + return err + } ++ if wantStr { ++ if nameIdx <= 0 { ++ hf.Name, err = d.decodeString(undecodedName) ++ if err != nil { ++ return err ++ } ++ } ++ hf.Value, err = d.decodeString(undecodedValue) ++ if err != nil { ++ return err ++ } ++ } + d.buf = buf + if it.indexed() { + d.dynTab.add(hf) +@@ -383,6 +396,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + return d.callEmit(hf) + } + ++ + func (d *Decoder) callEmit(hf HeaderField) error { + if d.maxStrLen != 0 { + if len(hf.Name) > d.maxStrLen || len(hf.Value) > d.maxStrLen { +@@ -459,46 +473,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) { + return 0, origP, errNeedMore + } + +-// readString decodes an hpack string from p. ++// readString reads an hpack string from p. + // +-// wantStr is whether s will be used. If false, decompression and +-// []byte->string garbage are skipped if s will be ignored +-// anyway. This does mean that huffman decoding errors for non-indexed +-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server +-// is returning an error anyway, and because they're not indexed, the error +-// won't affect the decoding state. +-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) { ++// It returns a reference to the encoded string data to permit deferring decode costs ++// until after the caller verifies all data is present. ++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) { + if len(p) == 0 { +- return "", p, errNeedMore ++ return u, p, errNeedMore + } + isHuff := p[0]&128 != 0 + strLen, p, err := readVarInt(7, p) + if err != nil { +- return "", p, err ++ return u, p, err + } + if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) { +- return "", nil, ErrStringLength ++ // Returning an error here means Huffman decoding errors ++ // for non-indexed strings past the maximum string length ++ // are ignored, but the server is returning an error anyway ++ // and because the string is not indexed the error will not ++ // affect the decoding state. ++ return u, nil, ErrStringLength + } + if uint64(len(p)) < strLen { +- return "", p, errNeedMore +- } +- if !isHuff { +- if wantStr { +- s = string(p[:strLen]) +- } +- return s, p[strLen:], nil ++ return u, p, errNeedMore + } ++ u.isHuff = isHuff ++ u.b = p[:strLen] ++ return u, p[strLen:], nil ++} + +- if wantStr { +- buf := bufPool.Get().(*bytes.Buffer) +- buf.Reset() // don't trust others +- defer bufPool.Put(buf) +- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil { +- buf.Reset() +- return "", nil, err +- } ++type undecodedString struct { ++ isHuff bool ++ b []byte ++} ++ ++func (d *Decoder) decodeString(u undecodedString) (string, error) { ++ if !u.isHuff { ++ return string(u.b), nil ++ } ++ buf := bufPool.Get().(*bytes.Buffer) ++ buf.Reset() // don't trust others ++ var s string ++ err := huffmanDecode(buf, d.maxStrLen, u.b) ++ if err == nil { + s = buf.String() +- buf.Reset() // be nice to GC + } +- return s, p[strLen:], nil ++ buf.Reset() // be nice to GC ++ bufPool.Put(buf) ++ return s, err + } +-- +2.46.0 + diff --git a/0007-backport-fix-CVE-2022-34038.patch b/0007-backport-fix-CVE-2022-34038.patch new file mode 100644 index 0000000..07915a0 --- /dev/null +++ b/0007-backport-fix-CVE-2022-34038.patch @@ -0,0 +1,42 @@ +From 3d941cd2d0897d204a2f36fe70eb6011892461d9 Mon Sep 17 00:00:00 2001 +From: lvxiangcong +Date: Mon, 17 Feb 2025 10:19:48 +0800 +Subject: [PATCH] backport-fix-cve-2022-34038 + +--- + pkg/ioutil/pagewriter.go | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/pkg/ioutil/pagewriter.go b/pkg/ioutil/pagewriter.go +index cf9a8dc..10d921d 100644 +--- a/pkg/ioutil/pagewriter.go ++++ b/pkg/ioutil/pagewriter.go +@@ -16,6 +16,7 @@ package ioutil + + import ( + "io" ++ "fmt" + ) + + var defaultBufferBytes = 128 * 1024 +@@ -38,9 +39,17 @@ type PageWriter struct { + bufWatermarkBytes int + } + ++// Assert will panic with a given formatted message if the given condition is false. ++func Assert(condition bool, msg string, v int) { ++ if !condition { ++ panic(fmt.Sprintf("assertion failed:" +msg, v)) ++ } ++} ++ + // NewPageWriter creates a new PageWriter. pageBytes is the number of bytes + // to write per page. pageOffset is the starting offset of io.Writer. + func NewPageWriter(w io.Writer, pageBytes, pageOffset int) *PageWriter { ++ Assert(pageBytes > 0, "pageBytes %d is an invalid value, it must be greater than 0", pageBytes) + return &PageWriter{ + w: w, + pageOffset: pageOffset, +-- +2.46.0 + diff --git a/0008-backport-fix-CVE-2023-32082.patch b/0008-backport-fix-CVE-2023-32082.patch new file mode 100644 index 0000000..5222038 --- /dev/null +++ b/0008-backport-fix-CVE-2023-32082.patch @@ -0,0 +1,160 @@ +From a813426b143c11dcda7fc8402bf66fee7b348470 Mon Sep 17 00:00:00 2001 +From: lvxiangcong +Date: Mon, 17 Feb 2025 13:44:51 +0800 +Subject: [PATCH] backport fix cve-2023-32082 + +--- + etcdserver/v3_server.go | 51 +++++++++++++++++++++++++++++++++- + tests/e2e/ctl_v3_auth_test.go | 49 ++++++++++++++++++++++++++++++++ + tests/e2e/ctl_v3_lease_test.go | 9 ++++++ + 3 files changed, 108 insertions(+), 1 deletion(-) + +diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go +index 1fa8e4e..93b2bc1 100644 +--- a/etcdserver/v3_server.go ++++ b/etcdserver/v3_server.go +@@ -298,7 +298,32 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e + return -1, ErrCanceled + } + +-func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) { ++func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (error, uint64) { ++ rev := s.AuthStore().Revision() ++ if !s.AuthStore().IsAuthEnabled() { ++ return nil, rev ++ } ++ authInfo, err := s.AuthInfoFromCtx(ctx) ++ if err != nil { ++ return err, rev ++ } ++ if authInfo == nil { ++ return auth.ErrUserEmpty, rev ++ } ++ ++ l := s.lessor.Lookup(leaseID) ++ if l != nil { ++ for _, key := range l.Keys() { ++ if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil { ++ return err, 0 ++ } ++ } ++ } ++ ++ return nil, rev ++} ++ ++func (s *EtcdServer) leaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) { + if s.Leader() == s.ID() { + // primary; timetolive directly from leader + le := s.lessor.Lookup(lease.LeaseID(r.ID)) +@@ -345,6 +370,30 @@ func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveR + return nil, ErrCanceled + } + ++func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) { ++ var rev uint64 ++ var err error ++ if r.Keys { ++ // check RBAC permission only if Keys is true ++ err, rev = s.checkLeaseTimeToLive(ctx, lease.LeaseID(r.ID)) ++ if err != nil { ++ return nil, err ++ } ++ } ++ ++ resp, err := s.leaseTimeToLive(ctx, r) ++ if err != nil { ++ return nil, err ++ } ++ ++ if r.Keys { ++ if s.AuthStore().IsAuthEnabled() && rev != s.AuthStore().Revision() { ++ return nil, auth.ErrAuthOldRevision ++ } ++ } ++ return resp, nil ++} ++ + func (s *EtcdServer) LeaseLeases(ctx context.Context, r *pb.LeaseLeasesRequest) (*pb.LeaseLeasesResponse, error) { + ls := s.lessor.Leases() + lss := make([]*pb.LeaseStatus, len(ls)) +diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go +index 2142394..728eafa 100644 +--- a/tests/e2e/ctl_v3_auth_test.go ++++ b/tests/e2e/ctl_v3_auth_test.go +@@ -69,6 +69,55 @@ func TestCtlV3AuthJWTExpire(t *testing.T) { testCtl(t, authTestJWTExpire, withCf + func TestCtlV3AuthCertCNAndUsernameNoPassword(t *testing.T) { + testCtl(t, authTestCertCNAndUsernameNoPassword, withCfg(configClientTLSCertAuth)) + } ++func TestCtlV3AuthLeaseTimeToLive(t *testing.T) { testCtl(t, authTestLeaseTimeToLive) } ++ ++func authTestLeaseTimeToLive(cx ctlCtx) { ++ if err := authEnable(cx); err != nil { ++ cx.t.Fatal(err) ++ } ++ cx.user, cx.pass = "root", "root" ++ ++ authSetupTestUser(cx) ++ ++ cx.user = "test-user" ++ cx.pass = "pass" ++ ++ leaseID, err := ctlV3LeaseGrant(cx, 10) ++ if err != nil { ++ cx.t.Fatal(err) ++ } ++ ++ err = ctlV3Put(cx, "foo", "val", leaseID) ++ if err != nil { ++ cx.t.Fatal(err) ++ } ++ ++ err = ctlV3LeaseTimeToLive(cx, leaseID, true) ++ if err != nil { ++ cx.t.Fatal(err) ++ } ++ ++ cx.user = "root" ++ cx.pass = "root" ++ err = ctlV3Put(cx, "bar", "val", leaseID) ++ if err != nil { ++ cx.t.Fatal(err) ++ } ++ ++ cx.user = "test-user" ++ cx.pass = "pass" ++ // the lease is attached to bar, which test-user cannot access ++ err = ctlV3LeaseTimeToLive(cx, leaseID, true) ++ if err == nil { ++ cx.t.Fatal("test-user must not be able to access to the lease, because it's attached to the key bar") ++ } ++ ++ // without --keys, access should be allowed ++ err = ctlV3LeaseTimeToLive(cx, leaseID, false) ++ if err != nil { ++ cx.t.Fatal(err) ++ } ++} + + func authEnableTest(cx ctlCtx) { + if err := authEnable(cx); err != nil { +diff --git a/tests/e2e/ctl_v3_lease_test.go b/tests/e2e/ctl_v3_lease_test.go +index 608b8ca..f90b1a5 100644 +--- a/tests/e2e/ctl_v3_lease_test.go ++++ b/tests/e2e/ctl_v3_lease_test.go +@@ -294,3 +294,12 @@ func ctlV3LeaseRevoke(cx ctlCtx, leaseID string) error { + cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID) + return spawnWithExpect(cmdArgs, fmt.Sprintf("lease %s revoked", leaseID)) + } ++ ++func ctlV3LeaseTimeToLive(cx ctlCtx, leaseID string, withKeys bool) error { ++ cmdArgs := append(cx.PrefixArgs(), "lease", "timetolive", leaseID) ++ if withKeys { ++ cmdArgs = append(cmdArgs, "--keys") ++ } ++ return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s granted with", leaseID)) ++} ++ +-- +2.46.0 + diff --git a/0009-backport-fix-CVE-2021-28235.patch b/0009-backport-fix-CVE-2021-28235.patch new file mode 100644 index 0000000..64e9319 --- /dev/null +++ b/0009-backport-fix-CVE-2021-28235.patch @@ -0,0 +1,141 @@ +From 5608bf772250843426cc2fa357fac0a55316ad37 Mon Sep 17 00:00:00 2001 +From: lvxiangcong +Date: Mon, 17 Feb 2025 14:46:45 +0800 +Subject: [PATCH] backport fix cve-2021-28235 + +--- + etcdserver/v3_server.go | 7 ++++ + tests/e2e/ctl_v3_auth_security_test.go | 58 ++++++++++++++++++++++++++ + tests/e2e/ctl_v3_test.go | 6 +++ + tests/e2e/util.go | 11 +++++ + 4 files changed, 82 insertions(+) + create mode 100644 tests/e2e/ctl_v3_auth_security_test.go + +diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go +index 93b2bc1..8d8bd9c 100644 +--- a/etcdserver/v3_server.go ++++ b/etcdserver/v3_server.go +@@ -453,6 +453,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest + } + + lg := s.getLogger() ++ ++ // fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235 ++ defer func() { ++ if r != nil { ++ r.Password = "" ++ } ++ }() + + var resp proto.Message + for { +diff --git a/tests/e2e/ctl_v3_auth_security_test.go b/tests/e2e/ctl_v3_auth_security_test.go +new file mode 100644 +index 0000000..b63a15f +--- /dev/null ++++ b/tests/e2e/ctl_v3_auth_security_test.go +@@ -0,0 +1,58 @@ ++// Copyright 2023 The etcd Authors ++// ++// Licensed under the Apache License, Version 2.0 (the "License"); ++// you may not use this file except in compliance with the License. ++// You may obtain a copy of the License at ++// ++// http://www.apache.org/licenses/LICENSE-2.0 ++// ++// Unless required by applicable law or agreed to in writing, software ++// distributed under the License is distributed on an "AS IS" BASIS, ++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++// See the License for the specific language governing permissions and ++// limitations under the License. ++ ++//go:build !cluster_proxy ++ ++package e2e ++ ++import ( ++ "strings" ++ "testing" ++ ++ "github.com/stretchr/testify/require" ++ ++ "go.etcd.io/etcd/tests/v3/framework/e2e" ++) ++ ++// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235 ++func TestAuth_CVE_2021_28235(t *testing.T) { ++ testCtl(t, authTest_CVE_2021_28235, withCfg(*e2e.NewConfigNoTLS()), withLogLevel("debug")) ++} ++ ++func authTest_CVE_2021_28235(cx ctlCtx) { ++ // create root user with root role ++ rootPass := "changeme123" ++ err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{rootPass}) ++ require.NoError(cx.t, err) ++ err = ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil) ++ require.NoError(cx.t, err) ++ err = ctlV3AuthEnable(cx) ++ require.NoError(cx.t, err) ++ ++ // issue a put request ++ cx.user, cx.pass = "root", rootPass ++ err = ctlV3Put(cx, "foo", "bar", "") ++ require.NoError(cx.t, err) ++ ++ // GET /debug/requests ++ httpEndpoint := cx.epc.Procs[0].EndpointsHTTP()[0] ++ req := e2e.CURLReq{Endpoint: "/debug/requests?fam=grpc.Recv.etcdserverpb.Auth&b=0&exp=1", Timeout: 5} ++ respData, err := curl(httpEndpoint, "GET", req, e2e.ClientNonTLS) ++ require.NoError(cx.t, err) ++ ++ if strings.Contains(respData, rootPass) { ++ cx.t.Errorf("The root password is included in the request.\n %s", respData) ++ } ++} ++ +diff --git a/tests/e2e/ctl_v3_test.go b/tests/e2e/ctl_v3_test.go +index 04f5a65..74b1838 100644 +--- a/tests/e2e/ctl_v3_test.go ++++ b/tests/e2e/ctl_v3_test.go +@@ -130,6 +130,12 @@ func withFlagByEnv() ctlOption { + return func(cx *ctlCtx) { cx.envMap = make(map[string]struct{}) } + } + ++func withLogLevel(logLevel string) ctlOption { ++ return func(cx *ctlCtx) { ++ cx.cfg.LogLevel = logLevel ++ } ++} ++ + func testCtl(t *testing.T, testFunc func(ctlCtx), opts ...ctlOption) { + defer testutil.AfterTest(t) + +diff --git a/tests/e2e/util.go b/tests/e2e/util.go +index ce7289a..0e41225 100644 +--- a/tests/e2e/util.go ++++ b/tests/e2e/util.go +@@ -17,6 +17,7 @@ package e2e + import ( + "encoding/json" + "fmt" ++ "string" + "math/rand" + "strings" + "time" +@@ -108,3 +109,13 @@ func closeWithTimeout(p *expect.ExpectProcess, d time.Duration) error { + func toTLS(s string) string { + return strings.Replace(s, "http://", "https://", 1) + } ++ ++func curl(endpoint string, method string, curlReq e2e.CURLReq, connType e2e.ClientConnType) (string, error) { ++ args := e2e.CURLPrefixArgs(endpoint, e2e.ClientConfig{ConnectionType: connType}, false, method, curlReq) ++ lines, err := e2e.RunUtilCompletion(args, nil) ++ if err != nil { ++ return "", err ++ } ++ return strings.Join(lines, "\n"), nil ++} ++ +-- +2.46.0 + diff --git a/0010-backport-fix-CVE-2023-39325.patch b/0010-backport-fix-CVE-2023-39325.patch new file mode 100644 index 0000000..73fdd55 --- /dev/null +++ b/0010-backport-fix-CVE-2023-39325.patch @@ -0,0 +1,131 @@ +From 31f47cbf4b06ae00b58ffa554706bbc26b17e948 Mon Sep 17 00:00:00 2001 +From: lvxiangcong +Date: Tue, 18 Feb 2025 16:22:42 +0800 +Subject: [PATCH] backport fix cve-2023-39325 + +--- + vendor/golang.org/x/net/http2/server.go | 68 +++++++++++++++++++++++-- + 1 file changed, 65 insertions(+), 3 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 5e01ce9ab..f447050c8 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -521,9 +521,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -895,6 +897,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -940,6 +944,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1880,8 +1885,9 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ //go sc.runHandler(rw, req, handler) ++ //return sc.sch ++ return sc.scheduleHandler(id,rw,req,handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2124,8 +2130,64 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ //return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ return ConnectionError(ErrCodeEnhanceYourCalm) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++ ++func (sc *serverConn)handlerDone(){ ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +@@ -2879,7 +2941,7 @@ func (sc *serverConn) startPush(msg *startPushRequest) { + // Should not happen, since we've already validated msg.url. + panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err)) + } +- ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + return promisedID, nil + } +-- +2.25.1 + diff --git a/etcd.spec b/etcd.spec index 8afb1da..bf13581 100644 --- a/etcd.spec +++ b/etcd.spec @@ -31,7 +31,7 @@ system.} %global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/* Name: etcd -Release: 8 +Release: 9 Summary: Distributed reliable key-value store for the most critical data of a distributed system # Upstream license specification: Apache-2.0 @@ -49,6 +49,12 @@ Patch2: 0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-s Patch3: 0003-etcd-3.4.14-sw.patch Patch4: 0004-backport-Suppress-noisy-basic-auth-token-deletion-log.patch Patch5: 0005-backport-fix-CVE-2022-3064.patch +Patch6: 0006-backport-fix-CVE-2022-41723.patch +Patch7: 0007-backport-fix-CVE-2022-34038.patch +Patch8: 0008-backport-fix-CVE-2023-32082.patch +Patch9: 0009-backport-fix-CVE-2021-28235.patch +Patch10: 0010-backport-fix-CVE-2023-39325.patch + BuildRequires: golang BuildRequires: python3-devel %{?systemd_requires} @@ -70,6 +76,11 @@ Requires(pre): shadow-utils %endif %patch4 -p1 %patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 # For compatibility cp -aR etcdserver/api/snap snap cp -aR etcdserver/api/membership etcdserver/membership @@ -155,6 +166,12 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/ %endif %changelog +* Thu Feb 20 2025 lvxiangcong - 3.4.14-9 +- Type:CVES +- CVES:CVE-2022-41723 CVE-2022-34038 CVE-2023-32082 CVE-2021-28235 CVE-2023-39325 +- SUG:NA +- DESC: Batch fix sync failed cves for openEuler-22.03-LTS-SP1 branch + * Thu Feb 13 2025 lvxiangcong - 3.4.14-8 - Type:CVE - CVE:CVE-2022-3064 -- Gitee