fix CVE-2024-28180

2024-04-02 16:44:09 +08:00 · 2024-04-02 16:44:09 +08:00 · 64dd902d31
commit 64dd902d31
parent a44b07bad1
2 changed files with 72 additions and 1 deletions
--- a/0009-fix-CVE-2024-28180.patch
+++ b/0009-fix-CVE-2024-28180.patch
@ -0,0 +1,64 @@
+From 1c45722eafa2472be93499378135324a6f1514e9 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Tue, 2 Apr 2024 16:31:36 +0800
+Subject: [PATCH] fix CVE-2024-28180
+
+---
+ vendor/gopkg.in/square/go-jose.v2/encoding.go | 21 +++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+index 70f7385..c31eb91 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
+++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+@@ -21,6 +21,7 @@ import (
+ 	"compress/flate"
+ 	"encoding/base64"
+ 	"encoding/binary"
+	"fmt"
+ 	"io"
+ 	"math/big"
+ 	"strings"
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ 	}
+ }
+ 
+-// Compress with DEFLATE
+// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ 	output := new(bytes.Buffer)
+ 
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ 	return output.Bytes(), err
+ }
+ 
+-// Decompress with DEFLATE
+// inflate decompresses the input.
+//
+// Errors if the decompressed data would be >250kB or >10x the size of the
+// compressed data, whichever is larger
+ func inflate(input []byte) ([]byte, error) {
+ 	output := new(bytes.Buffer)
+ 	reader := flate.NewReader(bytes.NewBuffer(input))
+ 
+-	_, err := io.Copy(output, reader)
+-	if err != nil {
+	maxCompressedSize := 10 * int64(len(input))
+	if maxCompressedSize < 250000 {
+		maxCompressedSize = 250000
+	}
+
+	limit := maxCompressedSize + 1
+	n, err := io.CopyN(output, reader, limit)
+	if err != nil && err != io.EOF {
+ 		return nil, err
+ 	}
+	if n == limit {
+		return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
+	}
+ 
+ 	err = reader.Close()
+ 	return output.Bytes(), err
+-- 
+2.20.1
+
--- a/cri-o.spec
+++ b/cri-o.spec
@ -21,7 +21,7 @@
 Name:           cri-o
 Version:        1.23.2
 Epoch:          0
-Release:        10
+Release:        11
 Summary:        Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
 License:        ASL 2.0
 URL:            https://github.com/cri-o/cri-o
@ -37,6 +37,7 @@ Patch0005:      0005-fix-CVE-2023-39325.patch
 Patch0006:      0006-fix-CVE-2022-41723.patch
 Patch0007:      0007-fix-CVE-2024-24786.patch
 Patch0008:      0008-fix-CVE-2023-48795.patch
+Patch0009:      0009-fix-CVE-2024-28180.patch

 ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
 BuildRequires:  golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
@ -167,6 +168,12 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %{_datadir}/zsh/site-functions/_%{service_name}*

 %changelog
+* Tue Apr 2 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.23.2-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: CVE-2024-28180
+
 * Mon Apr 1 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.23.2-10
 - Type:bugfix
 - CVE:NA