diff --git a/0001-fix-CVE-2024-24786.patch b/0001-fix-CVE-2024-24786.patch
deleted file mode 100644
index fed0492f892aae355a40b060f48a89849b98e5bc..0000000000000000000000000000000000000000
--- a/0001-fix-CVE-2024-24786.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From fbc2b2ae98b0661838e6ba612e150fcd6b7c8029 Mon Sep 17 00:00:00 2001
-From: zhangxingrong
-Date: Fri, 10 May 2024 15:32:39 +0800
-Subject: [PATCH] fix-CVE-2024-24786
-
-encoding/protojson, internal/encoding/json: handle missing object values
-
-In internal/encoding/json, report an error when encountering a }
-when we are expecting an object field value. For example, the input
- now correctly results in an error at the closing } token.
-
-In encoding/protojson, check for an unexpected EOF token in
-skipJSONValue. This is redundant with the check in internal/encoding/json,
-but adds a bit more defense against any other similar bugs that
-might exist.
-
-Fixes CVE-2024-24786
-
-Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
-Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
-TryBot-Bypass: Damien Neil
-Reviewed-by: Roland Shoemaker
-Commit-Queue: Damien Neil
----
- .../protobuf/encoding/protojson/well_known_types.go | 4 ++++
- .../protobuf/internal/encoding/json/decode.go | 2 +-
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-index 25329b7..4b177c8 100644
---- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-@@ -322,6 +322,10 @@ func (d decoder) skipJSONValue() error {
- if open > d.opts.RecursionLimit {
- return errors.New("exceeded max recursion depth")
- }
-+ case json.EOF:
-+ // This can only happen if there's a bug in Decoder.Read.
-+ // Avoid an infinite loop if this does happen.
-+ return errors.New("unexpected EOF") - } - if open == 0 { - return nil -diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go -index d043a6e..d2b3ac0 100644 ---- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go -+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go -@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { - - case ObjectClose: - if len(d.openStack) == 0 || -- d.lastToken.kind == comma || -+ d.lastToken.kind&(Name|comma) != 0 || - d.openStack[len(d.openStack)-1] != ObjectOpen { - return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) - } --- -2.43.0 - diff --git a/ignition-2.18.0.tar.gz b/ignition-2.19.0.tar.gz similarity index 43% rename from ignition-2.18.0.tar.gz rename to ignition-2.19.0.tar.gz index d266c5690d4e7694639190047988a69544966835..d4e21418f69d16ed4cebafaae3a927f8e1847735 100644 Binary files a/ignition-2.18.0.tar.gz and b/ignition-2.19.0.tar.gz differ diff --git a/ignition.spec b/ignition.spec index 239736419a8c61e73761b57e66f4d221fa08a94d..a7e212d1bd0507431b05acab08350f7f7a788f63 100644 --- a/ignition.spec +++ b/ignition.spec @@ -5,14 +5,13 @@ %global gotest go test Name: ignition -Version: 2.18.0 +Version: 2.19.0 Release: 1 Summary: First boot installer and configuration tool License: Apache-2.0 URL: https://github.com/coreos/ignition Source0: https://github.com/coreos/ignition/archive/v%{version}/%{name}-%{version}.tar.gz -Patch0001: 0001-fix-CVE-2024-24786.patch BuildRequires: libblkid-devel BuildRequires: golang >= 1.20 @@ -224,6 +223,9 @@ install -p -m 0755 ./ignition %{buildroot}/%{dracutlibdir}/modules.d/30ignition %{_bindir}/ignition-validate %changelog +* Tue Jul 9 2024 zhangxingrong- - 2.19.0-1 +- update to version to 2.19.0 + * Fri May 10 2024 zhangxingrong - 2.18.0-1 - upgrade version to 2.18.0
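Review bot: Removing `Patch0001: 0001-fix-CVE-2024-24786.patch` in the first ignition.spec hunk is only safe if the 2.19.0 tarball already vendors a google.golang.org/protobuf release that contains this fix (upstream shipped it in v1.33.0). The tarball is binary on this page, so the vendored version cannot be confirmed here and should be checked in the tarball's go.mod before merge. The `%changelog` entry added in the second hunk should also record why the patch went away, for example `- drop 0001-fix-CVE-2024-24786.patch, fix is included in the vendored protobuf`, so that CVE tracking for this package does not read the removal as a regression. In the same entry, `update to version to 2.19.0` has a stray `to`.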