From 16d26e6fff3c3dbd12ea025a999e3689dc9967cd Mon Sep 17 00:00:00 2001
From: jianli-97
Date: Sat, 11 May 2024 10:37:04 +0800
Subject: [PATCH] fix CVE-2023-29406

---
 0001-fix-CVE-2023-29406.patch | 26 ++++++++++++++++++++++++++
 skopeo.spec | 9 ++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix-CVE-2023-29406.patch

diff --git a/0001-fix-CVE-2023-29406.patch b/0001-fix-CVE-2023-29406.patch
new file mode 100644
index 0000000..6148bb2
--- /dev/null
+++ b/0001-fix-CVE-2023-29406.patch
@@ -0,0 +1,26 @@
+From 03bccc9aa2a29a03f5a65d56b0ceaace4a66a0d5 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Sat, 11 May 2024 10:33:04 +0800
+Subject: [PATCH] fix CVE-2023-29406
+
+---
+ vendor/golang.org/x/net/http2/transport.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
+index 4f09897..e1bb430 100644
+--- a/vendor/golang.org/x/net/http2/transport.go
++++ b/vendor/golang.org/x/net/http2/transport.go
+@@ -1739,6 +1739,9 @@ func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trail
+ 	if err != nil {
+ 		return nil, err
+ 	}
++	if !httpguts.ValidHostHeader(host) {
++		return nil, errors.New("http: invalid Host header")
++	}
+ 
+ 	var path string
+ 	if req.Method != "CONNECT" {
+-- 
+2.33.0
+
diff --git a/skopeo.spec b/skopeo.spec
index b3adde6..6527e94 100644
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -30,7 +30,7 @@ ExcludeArch: ppc64
 Name: %{repo}
 Epoch: 1
 Version: 1.8.0
-Release: 4
+Release: 5
 Summary: Work with remote images registries - retrieving information, images, signing content
 License: ASL 2.0
 URL: %{git0}
@@ -39,6 +39,7 @@ Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 Patch0001: 0001-fix-CVE-2022-41723.patch
 Patch0002: 0002-fix-CVE-2024-28180.patch
+Patch0003: 0001-fix-CVE-2023-29406.patch
 BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
 BuildRequires: golang >= 1.16.6
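Review bot: The added guard calls `httpguts.ValidHostHeader`, but this patch only touches `vendor/golang.org/x/net/http2/transport.go`; upstream introduced `ValidHostHeader` in `golang.org/x/net/http/httpguts` as part of the same CVE-2023-29406 fix, so unless the x/net copy vendored by skopeo 1.8.0 already carries it (not visible here), the build will fail on an undefined symbol rather than gain the check. If it is missing, the backport needs a second hunk adding `ValidHostHeader` (a byte-table scan of the host string) to the vendored `http/httpguts/httplex.go`, and a build log showing the patched tree compiles would settle it. A smaller point: upstream's message is `http2: invalid Host header`; keeping that wording keeps the vendored file diff-clean against x/net. The enclosing `encodeHeaders` starts and ends outside the hunk.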
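Review bot: `Patch0003` points at `0001-fix-CVE-2023-29406.patch`, reusing the `0001-` prefix already taken by `0001-fix-CVE-2022-41723.patch` while `Patch0002` follows the `0002-` numbering, so the tag number and the file prefix no longer tell the same story about apply order and could collide if the series is ever regenerated. Renaming the file to `0003-fix-CVE-2023-29406.patch` and updating the `Patch0003:` line (plus the `create mode` path) keeps the sequence consistent. This is a style point only; with explicit `PatchNNNN` tags the build order is unaffected.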
@@ -322,6 +323,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_prefix}/share/bash-completion/completions/%{name}
 
 %changelog
+* Sat May 11 2024 lijian - 1:1.8.0-5
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-29406
+
 * Wed Apr 24 2024 zhangbowei - 1:1.8.0-4
 - Type:bugfix
 - CVE:NA
-- 
Gitee