diff --git a/0001-fix-CVE-2023-29406.patch b/0001-fix-CVE-2023-29406.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6148bb2083d5cedf0948a66a50daed9b6e9c548f
--- /dev/null
+++ b/0001-fix-CVE-2023-29406.patch
@@ -0,0 +1,26 @@
+From 03bccc9aa2a29a03f5a65d56b0ceaace4a66a0d5 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Sat, 11 May 2024 10:33:04 +0800
+Subject: [PATCH] fix CVE-2023-29406
+
+---
+ vendor/golang.org/x/net/http2/transport.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
+index 4f09897..e1bb430 100644
+--- a/vendor/golang.org/x/net/http2/transport.go
++++ b/vendor/golang.org/x/net/http2/transport.go
+@@ -1739,6 +1739,9 @@ func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trail
+ if err != nil {
+ return nil, err
+ }
++ if !httpguts.ValidHostHeader(host) {
++ return nil, errors.New("http: invalid Host header")
++ }
+
+ var path string
+ if req.Method != "CONNECT" {
+--
+2.33.0
+
diff --git a/skopeo.spec b/skopeo.spec
index 827dcced74549e19a32a7d1ef676f6fc0cc7d809..17ff1169857e6712eb3aa8f6cc1187ddf4261a6c 100644
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -30,7 +30,7 @@ ExcludeArch: ppc64
 Name: %{repo}
 Epoch: 1
 Version: 1.5.2
-Release: 5
+Release: 6
 Summary: Work with remote images registries - retrieving information, images, signing content
 License: ASL 2.0
 URL: %{git0}
@@ -40,6 +40,7 @@ Source2: registries.conf
 Patch0001: 0001-fix-CVE-2022-41723.patch
 Patch0002: 0002-fix-CVE-2024-28180.patch
+Patch0003: 0001-fix-CVE-2023-29406.patch
 BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
 BuildRequires: golang >= 1.16.6
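Review bot: The added `httpguts.ValidHostHeader(host)` guard in encodeHeaders depends on `errors` and `httpguts` already being imported in the vendored transport.go; that is very likely (the `err` handled just above comes from the httpguts host/port conversion in the x/net copy of this function), but a three-line backport cannot show it, so the package build is the only check. The message `"http: invalid Host header"` differs, if I recall correctly, from the `http2:` prefix the x/net version of this fix uses, which only matters to code that matches on error text. This guard covers just the vendored HTTP/2 client path; the HTTP/1 client side of CVE-2023-29406 is in the toolchain's net/http, so it is only closed when the golang used at build time includes that fix, which the spec's `golang >= 1.16.6` floor does not by itself guarantee. encodeHeaders begins and continues outside the hunk.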
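Review bot: The new `Patch0003:` line only takes effect if %prep applies it; if the spec applies patches with explicit `%patch0001 -p1`-style lines rather than `%autosetup`, a matching `%patch0003 -p1` is required, and %prep is not in this diff. The file is declared as Patch0003 but named `0001-fix-CVE-2023-29406.patch`, alongside the existing `0001-fix-CVE-2022-41723.patch`; naming it `0003-fix-CVE-2023-29406.patch` would keep the sequence number and the tag in step. Relatedly, the changelog entry for this release records `CVE:NA` although the change is a CVE fix; `CVE:CVE-2023-29406` would describe it accurately.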
@@ -350,6 +351,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_prefix}/share/bash-completion/completions/%{name}
 %changelog
+* Sat May 11 2024 lijian - 1:1.5.2-6
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-29406
+
 * Sat May 11 2024 lijian - 1:1.5.2-5
 - Type:bugfix
 - CVE:NA