diff --git a/backport-fix-CVE-2023-39325.patch b/backport-fix-CVE-2023-39325.patch new file mode 100644 index 0000000000000000000000000000000000000000..7284d95c695b25f436afa7fc9cb2aa713fefabdf --- /dev/null +++ b/backport-fix-CVE-2023-39325.patch @@ -0,0 +1,130 @@ +From 37a23493eba78020d33687e94c57f9e57f096c4c Mon Sep 17 00:00:00 2001 +From: Jianmin +Date: Sun, 24 Aug 2025 15:07:07 +0800 +Subject: [PATCH] [backport] fix CVE-2023-39325 + +From: https://go-review.googlesource.com/c/net/+/534215 +--- + vendor/golang.org/x/net/http2/server.go | 66 ++++++++++++++++++++++++- + 1 file changed, 64 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index e644d9b..63ad5ca 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -520,9 +520,11 @@ type serverConn struct { + advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client + curClientStreams uint32 // number of open streams initiated by the client + curPushedStreams uint32 // number of open streams initiated by server push ++ curHandlers uint32 // number of running handler goroutines + maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests + maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes + streams map[uint32]*stream ++ unstartedHandlers []unstartedHandler + initialStreamSendWindowSize int32 + maxFrameSize int32 + headerTableSize uint32 +@@ -909,6 +911,8 @@ func (sc *serverConn) serve() { + return + case gracefulShutdownMsg: + sc.startGracefulShutdownInternal() ++ case handlerDoneMsg: ++ sc.handlerDone() + default: + panic("unknown timer") + } +@@ -954,6 +958,7 @@ var ( + idleTimerMsg = new(serverMessage) + shutdownTimerMsg = new(serverMessage) + gracefulShutdownMsg = new(serverMessage) ++ handlerDoneMsg = new(serverMessage) + ) + + func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) } +@@ -1911,8 +1916,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error { + sc.conn.SetReadDeadline(time.Time{}) + } + +- go sc.runHandler(rw, req, handler) +- return nil ++ return sc.scheduleHandler(id, rw, req, handler) + } + + func (st *stream) processTrailerHeaders(f *MetaHeadersFrame) error { +@@ -2159,8 +2163,62 @@ func (sc *serverConn) newWriterAndRequestNoBody(st *stream, rp requestParam) (*r + return rw, req, nil + } + ++type unstartedHandler struct { ++ streamID uint32 ++ rw *responseWriter ++ req *http.Request ++ handler func(http.ResponseWriter, *http.Request) ++} ++ ++// scheduleHandler starts a handler goroutine, ++// or schedules one to start as soon as an existing handler finishes. ++func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error { ++ sc.serveG.check() ++ maxHandlers := sc.advMaxStreams ++ if sc.curHandlers < maxHandlers { ++ sc.curHandlers++ ++ go sc.runHandler(rw, req, handler) ++ return nil ++ } ++ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) { ++ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm)) ++ } ++ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{ ++ streamID: streamID, ++ rw: rw, ++ req: req, ++ handler: handler, ++ }) ++ return nil ++} ++ ++func (sc *serverConn) handlerDone() { ++ sc.serveG.check() ++ sc.curHandlers-- ++ i := 0 ++ maxHandlers := sc.advMaxStreams ++ for ; i < len(sc.unstartedHandlers); i++ { ++ u := sc.unstartedHandlers[i] ++ if sc.streams[u.streamID] == nil { ++ // This stream was reset before its goroutine had a chance to start. ++ continue ++ } ++ if sc.curHandlers >= maxHandlers { ++ break ++ } ++ sc.curHandlers++ ++ go sc.runHandler(u.rw, u.req, u.handler) ++ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references ++ } ++ sc.unstartedHandlers = sc.unstartedHandlers[i:] ++ if len(sc.unstartedHandlers) == 0 { ++ sc.unstartedHandlers = nil ++ } ++} ++ + // Run on its own goroutine. + func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) { ++ defer sc.sendServeMsg(handlerDoneMsg) + didPanic := true + defer func() { + rw.rws.stream.cancelCtx() +@@ -2923,6 +2981,10 @@ func (sc *serverConn) startPush(msg *startPushRequest) { + panic(fmt.Sprintf("newWriterAndRequestNoBody(%+v): %v", msg.url, err)) + } + ++ // This is the first request on the connection, ++ // so start the handler directly rather than going ++ // through scheduleHandler. ++ sc.curHandlers++ + go sc.runHandler(rw, req, sc.handler.ServeHTTP) + return promisedID, nil + } +-- +2.39.5 (Apple Git-154) + diff --git a/skopeo.spec b/skopeo.spec index 9ccf8f5f65a352a88a6a592dd59f3544e89880a0..acca727f92f4c3771208dd761a56e99a736b75da 100644 --- a/skopeo.spec +++ b/skopeo.spec @@ -30,7 +30,7 @@ ExcludeArch: ppc64 Name: %{repo} Epoch: 1 Version: 1.8.0 -Release: 6 +Release: 7 Summary: Work with remote images registries - retrieving information, images, signing content License: ASL 2.0 URL: %{git0} @@ -41,6 +41,7 @@ Patch0001: 0001-fix-CVE-2022-41723.patch Patch0002: 0002-fix-CVE-2024-28180.patch Patch0003: 0001-fix-CVE-2023-29406.patch Patch0004: backport-fix-CVE-2025-27144.patch +Patch0005: backport-fix-CVE-2023-39325.patch BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make BuildRequires: golang >= 1.16.6 @@ -324,6 +325,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath} %{_prefix}/share/bash-completion/completions/%{name} %changelog +* Sun Aug 24 2025 Jianmin - 1:1.8.0-7 +- Type:cve +- CVE:CVE-2023-39325 and CVE-2023-44487 +- SUG:NA +- DESC:backport CVE-2023-39325 and CVE-2023-44487 + * Fri Aug 22 2025 Hongyu Pu - 1:1.8.0-6 - Type:cve - CVE:CVE-2025-27144