Fix CVE-2022-32149

2024-04-25 09:51:17 +08:00 · 2024-04-25 09:51:17 +08:00 · a7ada06f7f
commit a7ada06f7f
parent e9f86f9ff7
2 changed files with 92 additions and 2 deletions
--- a/0001-CVE-2022-32149.patch
+++ b/0001-CVE-2022-32149.patch
@ -0,0 +1,83 @@
 From d3e0b7bbfb2b6ae861c2b7d9b257fc46fcd0b5b2 Mon Sep 17 00:00:00 2001
 From: rpm-build <rpm-build>
 Date: Thu, 25 Apr 2024 09:30:21 +0800
 Subject: [PATCH] CVE-2022-32149
 ---
 .../vendor/golang.org/x/text/language/parse.go               | 5 +++++
 .../vendor/golang.org/x/text/language/parse.go               | 5 +++++
 vendor/golang.org/x/text/language/parse.go                   | 5 +++++
 3 files changed, 15 insertions(+)
 diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go
 index fca2d30..5265091 100644
 --- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go
 +++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go
@@ -764,6 +764,7 @@ func nextExtension(s string, p int) int {
 }
 var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
 +var errTagListTooLarge = errors.New("tag list exceeds max length")
 // ParseAcceptLanguage parses the contents of an Accept-Language header as
 // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
@@ -773,6 +774,10 @@ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
 // Tags with a weight of zero will be dropped. An error will be returned if the
 // input could not be parsed.
 func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
 +	if strings.Count(s, "-") > 1000 {
 +		return nil, nil, errTagListTooLarge
 +	}
 +
 	var entry string
 	for s != "" {
 		if entry, s = split(s, ','); entry == "" {
 diff --git a/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go b/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go
 index 59b0410..b982d9e 100644
 --- a/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go
 +++ b/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go
@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
 }
 var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
 +var errTagListTooLarge = errors.New("tag list exceeds max length")
 // ParseAcceptLanguage parses the contents of an Accept-Language header as
 // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
 		}
 	}()
 +	if strings.Count(s, "-") > 1000 {
 +		return nil, nil, errTagListTooLarge
 +	}
 +
 	var entry string
 	for s != "" {
 		if entry, s = split(s, ','); entry == "" {
 diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
 index 59b0410..b982d9e 100644
 --- a/vendor/golang.org/x/text/language/parse.go
 +++ b/vendor/golang.org/x/text/language/parse.go
@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
 }
 var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
 +var errTagListTooLarge = errors.New("tag list exceeds max length")
 // ParseAcceptLanguage parses the contents of an Accept-Language header as
 // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
 		}
 	}()
 +	if strings.Count(s, "-") > 1000 {
 +		return nil, nil, errTagListTooLarge
 +	}
 +
 	var entry string
 	for s != "" {
 		if entry, s = split(s, ','); entry == "" {
 -- 
 2.33.0
--- a/podman.spec
+++ b/podman.spec
@ -2,7 +2,7 @@
 Name:          podman
 Version:       3.4.4
-Release:       1
+Release:       2
 Summary:       A daemonless container engine for managing Containers
 Epoch:         1
 License:       ASL 2.0
@ -65,6 +65,7 @@ Provides: bundled(golang(k8s.io/apimachinery)) = v0.19.0
 Patch1:   0001-Fix-the-invalid-memory-address-reference.patch
 Patch2:   0002-add-openEuler-hardened-ld.patch
 Patch3:   0001-CVE-2022-32149.patch
 %description
 Podman manages the entire container ecosystem which includes pods,
@ -141,7 +142,7 @@ Conflicts:      docker docker-latest docker-ce docker-ee moby-engine
 Help document for the podman package
 %prep
-%autosetup -Sgit -n %{name}-%{version}
+%setup -n %{name}-%{version}
 # untar dnsname
 tar zxf %{SOURCE1}
 # untar %%{name}-machine-cni
@ -149,6 +150,9 @@ tar zxf %{SOURCE2}
 # untar %%{name}-gvproxy
 tar zxf %{SOURCE3}
 tar -xf %SOURCE4
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %build
 GO_MD2MAN_PATH="$(pwd)%{_bindir}"
@ -319,6 +323,9 @@ done
 %{_libexecdir}/%{name}/gvproxy
 %changelog
 * Thu Apr 25 2024 lijian <lijian2@kylinos.cn> - 1:3.4.4-2
 - Fix CVE-2022-32149
 * Tue Jul 05 2022 fushanqing <fushanqing@kylinos.cn> - 1:3.4.4-1
 - update to 3.4.4