From 64a47f589de7d82846875e9bf05ae191d8c62d11 Mon Sep 17 00:00:00 2001
From: jianli-97
Date: Sat, 11 May 2024 11:50:22 +0800
Subject: [PATCH 1/2] fix CVE-2024-28180

---
 0001-fix-CVE-2024-28180.patch | 43 +++++++++++++++++++++++++++++++++++
 skopeo.spec | 11 +++++++--
 2 files changed, 52 insertions(+), 2 deletions(-)
 create mode 100644 0001-fix-CVE-2024-28180.patch

diff --git a/0001-fix-CVE-2024-28180.patch b/0001-fix-CVE-2024-28180.patch
new file mode 100644
index 0000000..3bab665
--- /dev/null
+++ b/0001-fix-CVE-2024-28180.patch
@@ -0,0 +1,43 @@
+From a4e799e2c3777a01af5617bc4623a3c2925b4de9 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Sat, 11 May 2024 11:49:09 +0800
+Subject: [PATCH] fix CVE-2024-28180
+
+---
+ vendor/gopkg.in/square/go-jose.v2/encoding.go | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+index b9687c6..e5442e9 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
++++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+@@ -21,6 +21,7 @@ import (
+ "compress/flate"
+ "encoding/base64"
+ "encoding/binary"
++ "fmt"
+ "io"
+ "math/big"
+ "regexp"
+@@ -96,10 +97,16 @@ func inflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ reader := flate.NewReader(bytes.NewBuffer(input))
+ 
+- _, err := io.Copy(output, reader)
+- if err != nil {
++ maxCompressedSize := max(250_000, 10*int64(len(input)))
++
++ limit := maxCompressedSize + 1
++ n, err := io.CopyN(output, reader, limit)
++ if err != nil && err != io.EOF {
+ return nil, err
+ }
++ if n == limit {
++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++ }
+ 
+ err = reader.Close()
+ return output.Bytes(), err
+-- 
+2.33.0
+
diff --git a/skopeo.spec b/skopeo.spec
index e8c4a5c..28b1f53 100644
--- a/skopeo.spec
+++ b/skopeo.spec
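Review bot: The backported inflate body keeps upstream's `maxCompressedSize := max(250_000, 10*int64(len(input)))`, which relies on the Go 1.21 builtin `max` (and on 1.13 digit separators); if the go directive of the module this vendor tree is built under is older than that, the compile is rejected with a message along the lines of `max requires go1.21 or later`. The language version for skopeo 1.1.0 is not visible here, so the portable form is the safer backport: `maxCompressedSize := 10 * int64(len(input))` followed by `if maxCompressedSize < 250000 { maxCompressedSize = 250000 }`. The `io.CopyN` limit check that actually bounds the decompressed size is unaffected by this change.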
@@ -30,7 +30,7 @@ ExcludeArch: ppc64
 Name: %{repo}
 Epoch: 1
 Version: 1.1.0
-Release: 10
+Release: 11
 Summary: Work with remote images registries - retrieving information, images, signing content
 License: ASL 2.0
 URL: https://github.com/containers/skopeo
@@ -38,6 +38,7 @@ Source0: https://github.com/containers/skopeo/archive/v1.1.0.tar.gz
 Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 Source2: registries.conf
 Source3: seccomp.json
+Patch0: 0001-fix-CVE-2024-28180.patch
 
 BuildRequires: go-srpm-macros golang git pkgconfig(devmapper) make
 BuildRequires: gpgme-devel libassuan-devel btrfs-progs-devel ostree-devel glib2-devel
@@ -226,7 +227,7 @@ This package installs a default signature store configuration and a default
 policy under `/etc/containers/`.
 
 %prep
-%autosetup -Sgit -n %{name}-%{commit0}
+%autosetup -Sgit -n %{name}-%{commit0} -p1
 tar -xf %SOURCE1
 
 %build
@@ -341,6 +342,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
+* Sat May 11 2024 lijian - 1:1.1.0-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-28180
+
 * Tue Feb 20 2024 liukuo - 1:1.1.0-10
 - Type:bugfix
 - ID:NA
-- 
Gitee

From 7efa306f1b7075e01718f23039f0e194a5851df9 Mon Sep 17 00:00:00 2001
From: jianli-97
Date: Sat, 11 May 2024 15:25:08 +0800
Subject: [PATCH 2/2] fix CVE-2023-29406

---
 0001-fix-CVE-2023-29406.patch | 36 +++++++++++++++++++++++++++++++++++
 skopeo.spec | 9 ++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 0001-fix-CVE-2023-29406.patch

diff --git a/0001-fix-CVE-2023-29406.patch b/0001-fix-CVE-2023-29406.patch
new file mode 100644
index 0000000..7ebf283
--- /dev/null
+++ b/0001-fix-CVE-2023-29406.patch
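Review bot: The new %changelog entry records `- CVE:NA` while its own DESC line says `fix CVE-2024-28180`, so the field meant to carry the advisory identifier contradicts the fix it describes; it should read `- CVE:CVE-2024-28180`. Downstream tooling and security scanners that key on the CVE field will otherwise not associate release 1:1.1.0-11 with this fix. The second commit's changelog hunk in the same spec has the same mismatch for CVE-2023-29406.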
@@ -0,0 +1,36 @@
+From ac58df6e3e942588e37fef97d2d9c7fac0301345 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Sat, 11 May 2024 15:22:21 +0800
+Subject: [PATCH] fix CVE-2023-29406
+
+---
+ vendor/golang.org/x/net/http2/transport.go | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
+index 54acc1e..7bb42c3 100644
+--- a/vendor/golang.org/x/net/http2/transport.go
++++ b/vendor/golang.org/x/net/http2/transport.go
+@@ -1397,6 +1397,9 @@ func (cs *clientStream) awaitFlowControl(maxBytes int) (taken int32, err error)
+ // requires cc.mu be held.
+ func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trailers string, contentLength int64) ([]byte, error) {
+ cc.hbuf.Reset()
++ if req.URL == nil {
++ return nil, errors.New("http2: Request.URI is nil")
++ }
+ 
+ host := req.Host
+ if host == "" {
+@@ -1406,6 +1409,9 @@ func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trail
+ if err != nil {
+ return nil, err
+ }
++ if !httpguts.ValidHostHeader(host) {
++ return nil, errors.New("http: invalid Host header")
++ }
+ 
+ var path string
+ if req.Method != "CONNECT" {
+-- 
+2.33.0
+
diff --git a/skopeo.spec b/skopeo.spec
index 28b1f53..e9f2fd0 100644
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -30,7 +30,7 @@ ExcludeArch: ppc64
 Name: %{repo}
 Epoch: 1
 Version: 1.1.0
-Release: 11
+Release: 12
 Summary: Work with remote images registries - retrieving information, images, signing content
 License: ASL 2.0
 URL: https://github.com/containers/skopeo
@@ -39,6 +39,7 @@ Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 Source2: registries.conf
 Source3: seccomp.json
 Patch0: 0001-fix-CVE-2024-28180.patch
+Patch1: 0001-fix-CVE-2023-29406.patch
 
 BuildRequires: go-srpm-macros golang git pkgconfig(devmapper) make
 BuildRequires: gpgme-devel libassuan-devel btrfs-progs-devel ostree-devel glib2-devel
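Review bot: The `httpguts.ValidHostHeader(host)` check added in the second transport.go hunk calls a function this patch does not define, and the diffstat shows only transport.go changing; upstream appears to have introduced ValidHostHeader in golang.org/x/net/http/httpguts as part of this same fix, so unless the httpguts package vendored with skopeo 1.1.0 already provides it, the vendor tree will fail to compile and the package will not build. Worth verifying against the vendored httpguts and, if absent, carrying that addition in the same patch. Separately, the new message `"http: invalid Host header"` uses a different prefix from the sibling check's `"http2: Request.URI is nil"` added a few lines earlier; `errors.New("http2: invalid Host header")` keeps the package's convention. encodeHeaders starts in the first hunk and its body continues past the second.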
@@ -342,6 +343,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_datadir}/bash-completion/completions/%{name}
 
 %changelog
+* Sat May 11 2024 lijian - 1:1.1.0-12
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-29406
+
 * Sat May 11 2024 lijian - 1:1.1.0-11
 - Type:bugfix
 - CVE:NA
-- 
Gitee