packages/skopeo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2024-28180

Browse Source
This commit is contained in:
jianli-97 2024-05-11 11:07:38 +08:00
parent f7ad9bb539
commit 6272ae85d8
2 changed files with 71 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
0002-fix-CVE-2024-28180.patch Normal file
View File

@ -0,0 +1,63 @@
From b9893bf221e4f5791631c8e7152a10a69b57b8de Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Wed, 24 Apr 2024 10:37:19 +0800
Subject: [PATCH] fix CVE-2024-28180
---
vendor/gopkg.in/square/go-jose.v2/encoding.go | 21 +++++++++++++++----
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
index 70f7385..c31eb91 100644
--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
+++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
@@ -21,6 +21,7 @@ import (
"compress/flate"
"encoding/base64"
"encoding/binary"
+ "fmt"
"io"
"math/big"
"strings"
@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
}
}
-// Compress with DEFLATE
+// deflate compresses the input.
func deflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
return output.Bytes(), err
}
-// Decompress with DEFLATE
+// inflate decompresses the input.
+//
+// Errors if the decompressed data would be >250kB or >10x the size of the
+// compressed data, whichever is larger
func inflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
reader := flate.NewReader(bytes.NewBuffer(input))
- _, err := io.Copy(output, reader)
- if err != nil {
+ maxCompressedSize := 10 * int64(len(input))
+ if maxCompressedSize < 250000 {
+ maxCompressedSize = 250000
+ }
+
+ limit := maxCompressedSize + 1
+ n, err := io.CopyN(output, reader, limit)
+ if err != nil && err != io.EOF {
return nil, err
}
+ if n == limit {
+ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
+ }
err = reader.Close()
return output.Bytes(), err
--
2.20.1

9
skopeo.spec
View File

@ -30,7 +30,7 @@ ExcludeArch: ppc64
Name: %{repo}
Epoch: 1
Version: 1.8.0
Release: 2
Release: 3
Summary: Work with remote images registries - retrieving information, images, signing content
License: ASL 2.0
URL: %{git0}
@ -38,6 +38,7 @@ Source0: %{git0}/archive/%{build_version}.tar.gz
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
Patch0001: 0001-fix-CVE-2022-41723.patch
Patch0002: 0002-fix-CVE-2024-28180.patch
BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
BuildRequires: golang >= 1.16.6
@ -321,6 +322,12 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
%{_prefix}/share/bash-completion/completions/%{name}
%changelog
* Sat May 11 2024 lijian <lijian2@kylinos.cn> - 1:1.8.0-3
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2024-28180
* Thu Apr 18 2024 zhangbowei <zhangbowei@kylinos.cn> -1:1.8.0-2
- Type:bugfix
- CVE:NA