Fix CVE-2022-32149

0001-CVE-2022-32149.patch

@@ -0,0 +1,83 @@
+From d3e0b7bbfb2b6ae861c2b7d9b257fc46fcd0b5b2 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Thu, 25 Apr 2024 09:30:21 +0800
+Subject: [PATCH] CVE-2022-32149
+
+---
+ .../vendor/golang.org/x/text/language/parse.go               | 5 +++++
+ .../vendor/golang.org/x/text/language/parse.go               | 5 +++++
+ vendor/golang.org/x/text/language/parse.go                   | 5 +++++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go
+index fca2d30..5265091 100644
+--- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go
++++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go
+@@ -764,6 +764,7 @@ func nextExtension(s string, p int) int {
+ }
+ 
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+ 
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -773,6 +774,10 @@ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
+ // Tags with a weight of zero will be dropped. An error will be returned if the
+ // input could not be parsed.
+ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
++	if strings.Count(s, "-") > 1000 {
++		return nil, nil, errTagListTooLarge
++	}
++
+ 	var entry string
+ 	for s != "" {
+ 		if entry, s = split(s, ','); entry == "" {
+diff --git a/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go b/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go
+index 59b0410..b982d9e 100644
+--- a/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go
++++ b/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go
+@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
+ }
+ 
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+ 
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
+ 		}
+ 	}()
+ 
++	if strings.Count(s, "-") > 1000 {
++		return nil, nil, errTagListTooLarge
++	}
++
+ 	var entry string
+ 	for s != "" {
+ 		if entry, s = split(s, ','); entry == "" {
+diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
+index 59b0410..b982d9e 100644
+--- a/vendor/golang.org/x/text/language/parse.go
++++ b/vendor/golang.org/x/text/language/parse.go
+@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
+ }
+ 
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+ 
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
+ 		}
+ 	}()
+ 
++	if strings.Count(s, "-") > 1000 {
++		return nil, nil, errTagListTooLarge
++	}
++
+ 	var entry string
+ 	for s != "" {
+ 		if entry, s = split(s, ','); entry == "" {
+-- 
+2.33.0
+

podman.spec

@@ -2,7 +2,7 @@
 
 Name:          podman
 Version:       3.4.4
-Release:       1
+Release:       2
 Summary:       A daemonless container engine for managing Containers
 Epoch:         1
 License:       ASL 2.0
@@ -65,6 +65,7 @@ Provides: bundled(golang(k8s.io/apimachinery)) = v0.19.0
 
 Patch1:   0001-Fix-the-invalid-memory-address-reference.patch
 Patch2:   0002-add-openEuler-hardened-ld.patch
+Patch3:   0001-CVE-2022-32149.patch
 
 %description
 Podman manages the entire container ecosystem which includes pods,
@@ -141,7 +142,7 @@ Conflicts:      docker docker-latest docker-ce docker-ee moby-engine
 Help document for the podman package
 
 %prep
-%autosetup -Sgit -n %{name}-%{version}
+%setup -n %{name}-%{version}
 # untar dnsname
 tar zxf %{SOURCE1}
 # untar %%{name}-machine-cni
@@ -149,6 +150,9 @@ tar zxf %{SOURCE2}
 # untar %%{name}-gvproxy
 tar zxf %{SOURCE3}
 tar -xf %SOURCE4
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 
 %build
 GO_MD2MAN_PATH="$(pwd)%{_bindir}"
@@ -319,6 +323,9 @@ done
 %{_libexecdir}/%{name}/gvproxy
 
 %changelog
+* Thu Apr 25 2024 lijian <lijian2@kylinos.cn> - 1:3.4.4-2
+- Fix CVE-2022-32149
+
 * Tue Jul 05 2022 fushanqing <fushanqing@kylinos.cn> - 1:3.4.4-1
 - update to 3.4.4