From d87f7c6b122ac7a7f0675c10e68e409f64318a6c Mon Sep 17 00:00:00 2001
From: jianli-97
Date: Sat, 11 May 2024 11:34:44 +0800
Subject: [PATCH] fix CVE-2024-28180
---
 0002-fix-CVE-2024-28180.patch | 63 +++++++++++++++++++++++++++++++++++
 skopeo.spec | 12 +++++--
 2 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100644 0002-fix-CVE-2024-28180.patch
diff --git a/0002-fix-CVE-2024-28180.patch b/0002-fix-CVE-2024-28180.patch
new file mode 100644
index 0000000..96b161e
--- /dev/null
+++ b/0002-fix-CVE-2024-28180.patch
@@ -0,0 +1,63 @@
+From b9893bf221e4f5791631c8e7152a10a69b57b8de Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Wed, 24 Apr 2024 10:37:19 +0800
+Subject: [PATCH] fix CVE-2024-28180
+
+---
+ vendor/gopkg.in/square/go-jose.v2/encoding.go | 21 +++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+index 70f7385..c31eb91 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
++++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+@@ -21,6 +21,7 @@ import (
+ "compress/flate"
+ "encoding/base64"
+ "encoding/binary"
++ "fmt"
+ "io"
+ "math/big"
+ "strings"
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ }
+ }
+
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ return output.Bytes(), err
+ }
+
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger
+ func inflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ reader := flate.NewReader(bytes.NewBuffer(input))
+
+- _, err := io.Copy(output, reader)
+- if err != nil {
++ maxCompressedSize := 10 * int64(len(input))
++ if maxCompressedSize < 250000 {
++ maxCompressedSize = 250000
++ }
++
++ limit := maxCompressedSize + 1
++ n, err := io.CopyN(output, reader, limit)
++ if err != nil && err != io.EOF {
+ return nil, err
+ }
++ if n == limit {
++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++ }
+
+ err = reader.Close()
+ return output.Bytes(), err
+--
+2.20.1
diff --git a/skopeo.spec b/skopeo.spec
index 5aadd33..bee9d56 100644
--- a/skopeo.spec
+++ b/skopeo.spec
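Review bot: In the new inflate body the bound is named `maxCompressedSize` yet it caps the decompressed output, as the added doc comment and the "uncompressed data would be too large" error string both say; renaming it `maxDecompressedSize` and lifting the two thresholds into named constants, e.g. `const (inflateMinLimit = 250000; inflateRatio = 10)`, would keep the intent readable. The early `return nil, fmt.Errorf(...)` on `n == limit` skips `reader.Close()`; a flate reader holds no OS resource so this is not a leak, but a one-line comment saying so would stop a later reader from "fixing" it. The inner diffstat shows only encoding.go changing, so no regression test pins the limit — a test feeding a deflate stream that expands past 250000 bytes and asserting the error would. This patches the vendored gopkg.in/square/go-jose.v2 copy only; if the vendor tree also carries a go-jose v3 module (check vendor/modules.txt), that copy needs the same change.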
@@ -30,7 +30,7 @@ ExcludeArch: ppc64
 Name: %{repo}
 Epoch: 1
 Version: 1.5.2
-Release: 5
+Release: 6
 Summary: Work with remote images registries - retrieving information, images, signing content
 License: ASL 2.0
 URL: %{git0}
@@ -39,8 +39,8 @@ Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 Source2: registries.conf
 Source3: sys-unix.tar.gz
 Patch0: 0001-add-loong64-support-for-etcd.patch
-Patch0002: 0002-fix-CVE-2022-41723.patch
-
+Patch0002: 0002-fix-CVE-2022-41723.patch
+Patch0003: 0002-fix-CVE-2024-28180.patch
 BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
 BuildRequires: golang >= 1.16.6
 BuildRequires: gpgme-devel libassuan-devel btrfs-progs-devel ostree-devel glib2-devel
@@ -354,6 +354,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_prefix}/share/bash-completion/completions/%{name}
 %changelog
+* Sat May 11 2024 lijian - 1:1.5.2-6
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-28180
+
 * Thu Apr 18 2024 zhangbowei -1:1.5.2-5
 - Type:bugfix
 - CVE:NA
-- Gitee
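Review bot: Patch0003 is only declared here; whether it is applied depends on the %prep section, which lies outside this hunk — if the spec uses explicit `%patch` lines instead of `%autosetup -p1`, a matching `%patch3 -p1` (or `%patch -P 3 -p1` on newer rpm) must be added or the CVE fix never reaches the built binary. The new file is named 0002-fix-CVE-2024-28180.patch although it is wired as Patch0003 beside 0002-fix-CVE-2022-41723.patch; renaming it to `0003-fix-CVE-2024-28180.patch` keeps the on-disk series in the same order as the spec. The changelog entry says `CVE:NA` for a change whose DESC is "fix CVE-2024-28180"; `CVE:CVE-2024-28180` would let downstream tooling correlate the build with the advisory.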