From 5571ace32804e2acdc10da88d8d351d57f6e297b Mon Sep 17 00:00:00 2001
From: bwzhang
Date: Mon, 25 Mar 2024 11:04:01 +0800
Subject: [PATCH] fix CVE-2024-24786

---
 0007-fix-CVE-2024-24786.patch | 59 +++++++++++++++++++++++++++++++++++
 k3s-containerd.spec | 9 +++++-
 2 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 0007-fix-CVE-2024-24786.patch

diff --git a/0007-fix-CVE-2024-24786.patch b/0007-fix-CVE-2024-24786.patch
new file mode 100644
index 0000000..dd79b26
--- /dev/null
+++ b/0007-fix-CVE-2024-24786.patch
@@ -0,0 +1,59 @@
+From 171172b7a8a24104415f1d461da7a839dd9933a3 Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Mon, 25 Mar 2024 10:47:11 +0800
+Subject: [PATCH] fix CVE-2024-24786
+
+encoding/protojson, internal/encoding/json: handle missing object values
+
+In internal/encoding/json, report an error when encountering a }
+when we are expecting an object field value. For example, the input
+ now correctly results in an error at the closing } token.
+
+In encoding/protojson, check for an unexpected EOF token in
+skipJSONValue. This is redundant with the check in internal/encoding/json,
+but adds a bit more defense against any other similar bugs that
+might exist.
+
+Fixes CVE-2024-24786
+
+Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
+Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
+TryBot-Bypass: Damien Neil
+Reviewed-by: Roland Shoemaker
+Commit-Queue: Damien Neil
+---
+ .../protobuf/encoding/protojson/well_known_types.go | 4 ++++
+ .../protobuf/internal/encoding/json/decode.go | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 72924a9..d3825ba 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
+ if err := d.skipJSONValue(); err != nil {
+ return err
+ }
++ case json.EOF:
++ // This can only happen if there's a bug in Decoder.Read.
++ // Avoid an infinite loop if this does happen.
++ return errors.New("unexpected EOF")
+ }
+ }
+
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+
+ case ObjectClose:
+ if len(d.openStack) == 0 ||
+- d.lastToken.kind == comma ||
++ d.lastToken.kind&(Name|comma) != 0 ||
+ d.openStack[len(d.openStack)-1] != ObjectOpen {
+ return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ }
+--
+2.20.1
+
diff --git a/k3s-containerd.spec b/k3s-containerd.spec
index 5b4f1e7..4e2d32e 100644
--- a/k3s-containerd.spec
+++ b/k3s-containerd.spec
@@ -3,7 +3,7 @@
 %global version_suffix k3s1
 Version: 1.6.6
 Name: k3s-containerd
-Release: 10
+Release: 11
 Summary: An industry-standard container runtime
 License: Apache-2.0
 URL: https://github.com/k3s-io/containerd
@@ -15,6 +15,7 @@ Patch0003: 0003-fix-PLATYPUS-attack-of-RAPL-accessible-to-a-containe.patch
 Patch0004: 0004-fix-CVE-2023-25173.patch
 Patch0005: 0005-fix-CVE-2023-39325.patch
 Patch0006: 0006-fix-CVE-2022-41723.patch
+Patch0007: 0007-fix-CVE-2024-24786.patch
 
 BuildRequires: golang glibc-static make btrfs-progs-devel
 
@@ -75,6 +76,12 @@ cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_lib
 
 
 %changelog
+* Mon Mar 25 2024 zhangbowei - 1.6.6-k3s1-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-24786
+
 * Fri Mar 22 2024 zhangbowei - 1.6.6-k3s1-10
 - Type:bugfix
 - CVE:NA
--
Gitee
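Review bot: The backport edits the vendored tree in place (`vendor/google.golang.org/protobuf/...`), so the protobuf version recorded in `go.mod`/`vendor/modules.txt` (not shown here) is unchanged and vulnerability scanners or govulncheck that key on that version will keep flagging CVE-2024-24786 against this build; state in the patch description, or the spec changelog, that this is a source-level backport so the finding can be triaged as already fixed. The patch file also carries `From: bwzhang` and a local commit id together with upstream's `Change-Id`/`Reviewed-on` trailers, which obscures where the code came from; a line such as `Origin: backport of go-review.googlesource.com/c/protobuf/+/569356 into vendor/` would keep provenance traceable. On the line `+ now correctly results in an error at the closing } token.` the example input the sentence refers to is missing, possibly lost in rendering; if the patch file really reads that way, restore upstream's wording. Only the two vendored source files change and no test is carried along, so the new `Name|comma` check in `Decoder.Read` is unexercised at build time; a local decode of an object whose last field has no value would confirm the backport applied cleanly.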
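Review bot: The new changelog entry sets `- CVE:NA` while its own `DESC` line and the patch subject say the release fixes CVE-2024-24786; the CVE field is the one advisory tooling parses, so it should read `- CVE:CVE-2024-24786`. The `Patch0007:` line added in the previous hunk only declares the file; whether it is applied depends on `%prep`, which lies outside these hunks, so confirm an `%autosetup -p1` or an explicit `%patch` line covers it.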