From 64dd902d3179d6a02122a44aa2e7ee17f6feae64 Mon Sep 17 00:00:00 2001
From: bwzhang
Date: Tue, 2 Apr 2024 16:44:09 +0800
Subject: [PATCH] fix CVE-2024-28180
---
 0009-fix-CVE-2024-28180.patch | 64 +++++++++++++++++++++++++++++++++++
 cri-o.spec | 9 ++++-
 2 files changed, 72 insertions(+), 1 deletion(-)
 create mode 100644 0009-fix-CVE-2024-28180.patch
diff --git a/0009-fix-CVE-2024-28180.patch b/0009-fix-CVE-2024-28180.patch
new file mode 100644
index 0000000..f608400
--- /dev/null
+++ b/0009-fix-CVE-2024-28180.patch
@@ -0,0 +1,64 @@
+From 1c45722eafa2472be93499378135324a6f1514e9 Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Tue, 2 Apr 2024 16:31:36 +0800
+Subject: [PATCH] fix CVE-2024-28180
+
+---
+ vendor/gopkg.in/square/go-jose.v2/encoding.go | 21 +++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+index 70f7385..c31eb91 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
++++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+@@ -21,6 +21,7 @@ import (
+ "compress/flate"
+ "encoding/base64"
+ "encoding/binary"
++ "fmt"
+ "io"
+ "math/big"
+ "strings"
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ }
+ }
+
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ return output.Bytes(), err
+ }
+
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger
+ func inflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ reader := flate.NewReader(bytes.NewBuffer(input))
+
+- _, err := io.Copy(output, reader)
+- if err != nil {
++ maxCompressedSize := 10 * int64(len(input))
++ if maxCompressedSize < 250000 {
++ maxCompressedSize = 250000
++ }
++
++ limit := maxCompressedSize + 1
++ n, err := io.CopyN(output, reader, limit)
++ if err != nil && err != io.EOF {
+ return nil, err
+ }
++ if n == limit {
++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++ }
+
+ err = reader.Close()
+ return output.Bytes(), err
+--
+2.20.1
+
diff --git a/cri-o.spec b/cri-o.spec
index d008ecc..b5174ec 100644
--- a/cri-o.spec
+++ b/cri-o.spec
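Review bot: In the new inflate body, `maxCompressedSize` names a bound on the decompressed output, not on the compressed input, which makes the guard and the error message harder to read than they need to be; `maxDecompressedSize` would match what the doc comment directly above it describes. The two magic numbers (`10` and `250000`) could likewise be named constants beside the function, e.g. `const inflateMinOutputLimit = 250000 // bytes`, so the doc comment's ">250kB or >10x" cannot drift from the code. The new early return on the size-limit path skips `reader.Close()`; a `compress/flate` reader holds no OS resources, so this looks harmless, but a one-line comment saying so would save the next reader a question. This appears to be a verbatim backport of the upstream go-jose fix, so any rename should be kept in sync if the vendored file is later refreshed from upstream.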
@@ -21,7 +21,7 @@
 Name: cri-o
 Version: 1.23.2
 Epoch: 0
-Release: 10
+Release: 11
 Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
 License: ASL 2.0
 URL: https://github.com/cri-o/cri-o
@@ -37,6 +37,7 @@
 Patch0005: 0005-fix-CVE-2023-39325.patch
 Patch0006: 0006-fix-CVE-2022-41723.patch
 Patch0007: 0007-fix-CVE-2024-24786.patch
 Patch0008: 0008-fix-CVE-2023-48795.patch
+Patch0009: 0009-fix-CVE-2024-28180.patch
 ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
 BuildRequires: golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
@@ -167,6 +168,12 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %{_datadir}/zsh/site-functions/_%{service_name}*
 %changelog
+* Tue Apr 2 2024 zhangbowei - 0:1.23.2-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: CVE-2024-28180
+
+* Mon Apr 1 2024 zhangbowei - 0:1.23.2-10
+- Type:bugfix
+- CVE:NA