fix CVE-2023-29406

0001-fix-CVE-2023-29406.patch

@@ -0,0 +1,26 @@
+From 03bccc9aa2a29a03f5a65d56b0ceaace4a66a0d5 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Sat, 11 May 2024 10:33:04 +0800
+Subject: [PATCH] fix CVE-2023-29406
+
+---
+ vendor/golang.org/x/net/http2/transport.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
+index 4f09897..e1bb430 100644
+--- a/vendor/golang.org/x/net/http2/transport.go
++++ b/vendor/golang.org/x/net/http2/transport.go
+@@ -1739,6 +1739,9 @@ func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trail
+ 	if err != nil {
+ 		return nil, err
+ 	}
++	if !httpguts.ValidHostHeader(host) {
++		return nil, errors.New("http: invalid Host header")
++	}
+ 
+ 	var path string
+ 	if req.Method != "CONNECT" {
+-- 
+2.33.0
+

skopeo.spec

@@ -30,7 +30,7 @@ ExcludeArch: ppc64
 Name: %{repo}
 Epoch: 1
 Version: 1.8.0
-Release: 3
+Release: 4
 Summary: Work with remote images registries - retrieving information, images, signing content
 License: ASL 2.0
 URL: %{git0}
@@ -39,6 +39,7 @@ Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 
 Patch0001:     0001-fix-CVE-2022-41723.patch
 Patch0002:     0002-fix-CVE-2024-28180.patch
+Patch0003:     0001-fix-CVE-2023-29406.patch
 
 BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
 BuildRequires: golang >= 1.16.6
@@ -322,6 +323,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_prefix}/share/bash-completion/completions/%{name}
 
 %changelog
+* Sat May 11 2024 lijian <lijian2@kylinos.cn> - 1:1.8.0-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-29406
+
 * Sat May 11 2024 lijian <lijian2@kylinos.cn> - 1:1.8.0-3
 - Type:bugfix
 - CVE:NA