fix CVE-2022-41723
This commit is contained in:
bwzhang
parent
8cdf3dd4f3
commit
4a6685e4ca
159
0001-fix-CVE-2022-41723.patch
Normal file
159
0001-fix-CVE-2022-41723.patch
Normal file
@ -0,0 +1,159 @@
|
||||
From 11bc24fcd1f15f54849c7aebefe1bbdc0d75437b Mon Sep 17 00:00:00 2001
|
||||
From: bwzhang <zhangbowei@kylinos.cn>
|
||||
Date: Sun, 7 Apr 2024 17:04:42 +0800
|
||||
Subject: [PATCH] fix CVE-2022-41723
|
||||
|
||||
http2/hpack: avoid quadratic complexity in hpack decoding
|
||||
|
||||
When parsing a field literal containing two Huffman-encoded strings,
|
||||
don't decode the first string until verifying all data is present.
|
||||
Avoids forced quadratic complexity when repeatedly parsing a partial
|
||||
field, repeating the Huffman decoding of the string on each iteration.
|
||||
|
||||
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
|
||||
|
||||
Fixes golang/go#57855
|
||||
Fixes CVE-2022-41723
|
||||
|
||||
Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
|
||||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
|
||||
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
|
||||
Reviewed-by: Julie Qiu <julieqiu@google.com>
|
||||
Run-TryBot: Damien Neil <dneil@google.com>
|
||||
Reviewed-by: Roland Shoemaker <bracewell@google.com>
|
||||
Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
|
||||
Run-TryBot: Michael Pratt <mpratt@google.com>
|
||||
Reviewed-by: Roland Shoemaker <roland@golang.org>
|
||||
Reviewed-by: Than McIntosh <thanm@google.com>
|
||||
Auto-Submit: Michael Pratt <mpratt@google.com>
|
||||
TryBot-Result: Gopher Robot <gobot@golang.org>
|
||||
---
|
||||
vendor/golang.org/x/net/http2/hpack/hpack.go | 79 ++++++++++++--------
|
||||
1 file changed, 49 insertions(+), 30 deletions(-)
|
||||
|
||||
diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go
|
||||
index 85f18a2..7e7e4cf 100644
|
||||
--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
|
||||
+++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
|
||||
@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
|
||||
|
||||
var hf HeaderField
|
||||
wantStr := d.emitEnabled || it.indexed()
|
||||
+ var undecodedName undecodedString
|
||||
if nameIdx > 0 {
|
||||
ihf, ok := d.at(nameIdx)
|
||||
if !ok {
|
||||
@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
|
||||
}
|
||||
hf.Name = ihf.Name
|
||||
} else {
|
||||
- hf.Name, buf, err = d.readString(buf, wantStr)
|
||||
+ undecodedName, buf, err = d.readString(buf)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
- hf.Value, buf, err = d.readString(buf, wantStr)
|
||||
+ undecodedValue, buf, err := d.readString(buf)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
+ if wantStr {
|
||||
+ if nameIdx <= 0 {
|
||||
+ hf.Name, err = d.decodeString(undecodedName)
|
||||
+ if err != nil {
|
||||
+ return err
|
||||
+ }
|
||||
+ }
|
||||
+ hf.Value, err = d.decodeString(undecodedValue)
|
||||
+ if err != nil {
|
||||
+ return err
|
||||
+ }
|
||||
+ }
|
||||
d.buf = buf
|
||||
if it.indexed() {
|
||||
d.dynTab.add(hf)
|
||||
@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
|
||||
return 0, origP, errNeedMore
|
||||
}
|
||||
|
||||
-// readString decodes an hpack string from p.
|
||||
+// readString reads an hpack string from p.
|
||||
//
|
||||
-// wantStr is whether s will be used. If false, decompression and
|
||||
-// []byte->string garbage are skipped if s will be ignored
|
||||
-// anyway. This does mean that huffman decoding errors for non-indexed
|
||||
-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
|
||||
-// is returning an error anyway, and because they're not indexed, the error
|
||||
-// won't affect the decoding state.
|
||||
-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
|
||||
+// It returns a reference to the encoded string data to permit deferring decode costs
|
||||
+// until after the caller verifies all data is present.
|
||||
+func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
|
||||
if len(p) == 0 {
|
||||
- return "", p, errNeedMore
|
||||
+ return u, p, errNeedMore
|
||||
}
|
||||
isHuff := p[0]&128 != 0
|
||||
strLen, p, err := readVarInt(7, p)
|
||||
if err != nil {
|
||||
- return "", p, err
|
||||
+ return u, p, err
|
||||
}
|
||||
if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
|
||||
- return "", nil, ErrStringLength
|
||||
+ // Returning an error here means Huffman decoding errors
|
||||
+ // for non-indexed strings past the maximum string length
|
||||
+ // are ignored, but the server is returning an error anyway
|
||||
+ // and because the string is not indexed the error will not
|
||||
+ // affect the decoding state.
|
||||
+ return u, nil, ErrStringLength
|
||||
}
|
||||
if uint64(len(p)) < strLen {
|
||||
- return "", p, errNeedMore
|
||||
- }
|
||||
- if !isHuff {
|
||||
- if wantStr {
|
||||
- s = string(p[:strLen])
|
||||
- }
|
||||
- return s, p[strLen:], nil
|
||||
+ return u, p, errNeedMore
|
||||
}
|
||||
+ u.isHuff = isHuff
|
||||
+ u.b = p[:strLen]
|
||||
+ return u, p[strLen:], nil
|
||||
+}
|
||||
|
||||
- if wantStr {
|
||||
- buf := bufPool.Get().(*bytes.Buffer)
|
||||
- buf.Reset() // don't trust others
|
||||
- defer bufPool.Put(buf)
|
||||
- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
|
||||
- buf.Reset()
|
||||
- return "", nil, err
|
||||
- }
|
||||
+type undecodedString struct {
|
||||
+ isHuff bool
|
||||
+ b []byte
|
||||
+}
|
||||
+
|
||||
+func (d *Decoder) decodeString(u undecodedString) (string, error) {
|
||||
+ if !u.isHuff {
|
||||
+ return string(u.b), nil
|
||||
+ }
|
||||
+ buf := bufPool.Get().(*bytes.Buffer)
|
||||
+ buf.Reset() // don't trust others
|
||||
+ var s string
|
||||
+ err := huffmanDecode(buf, d.maxStrLen, u.b)
|
||||
+ if err == nil {
|
||||
s = buf.String()
|
||||
- buf.Reset() // be nice to GC
|
||||
}
|
||||
- return s, p[strLen:], nil
|
||||
+ buf.Reset() // be nice to GC
|
||||
+ bufPool.Put(buf)
|
||||
+ return s, err
|
||||
}
|
||||
--
|
||||
2.20.1
|
||||
|
||||
12
skopeo.spec
12
skopeo.spec
@ -30,13 +30,15 @@ ExcludeArch: ppc64
|
||||
Name: %{repo}
|
||||
Epoch: 1
|
||||
Version: 1.8.0
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: Work with remote images registries - retrieving information, images, signing content
|
||||
License: ASL 2.0
|
||||
URL: %{git0}
|
||||
Source0: %{git0}/archive/%{build_version}.tar.gz
|
||||
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
|
||||
|
||||
Patch0001: 0001-fix-CVE-2022-41723.patch
|
||||
|
||||
BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
|
||||
BuildRequires: golang >= 1.16.6
|
||||
BuildRequires: gpgme-devel libassuan-devel btrfs-progs-devel ostree-devel glib2-devel
|
||||
@ -213,7 +215,7 @@ providing packages with %{import_path} prefix.
|
||||
%endif
|
||||
|
||||
%prep
|
||||
%autosetup -Sgit -n %{name}-%{version}
|
||||
%autosetup -Sgit -n %{name}-%{version} -p1
|
||||
tar -xf %SOURCE1
|
||||
|
||||
%build
|
||||
@ -319,6 +321,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
|
||||
%{_prefix}/share/bash-completion/completions/%{name}
|
||||
|
||||
%changelog
|
||||
* Thu Apr 18 2024 zhangbowei <zhangbowei@kylinos.cn> -1:1.8.0-2
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2022-41723
|
||||
|
||||
* Tue Oct 17 2023 lijian <lijian2@kylinos.cn> - 1:1.8.0-1
|
||||
- update to 1.8.0
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user