!91 【轻量级 PR】：rebuild for 22.03LTS_SP4

From: @wangyueliang 
Reviewed-by: @jianli-97 
Signed-off-by: @jianli-97

0001-fix-CVE-2022-41723.patch

@@ -0,0 +1,159 @@
+From 11bc24fcd1f15f54849c7aebefe1bbdc0d75437b Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Sun, 7 Apr 2024 17:04:42 +0800
+Subject: [PATCH] fix CVE-2022-41723
+
+http2/hpack: avoid quadratic complexity in hpack decoding
+
+When parsing a field literal containing two Huffman-encoded strings,
+don't decode the first string until verifying all data is present.
+Avoids forced quadratic complexity when repeatedly parsing a partial
+field, repeating the Huffman decoding of the string on each iteration.
+
+Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
+
+Fixes golang/go#57855
+Fixes CVE-2022-41723
+
+Change-Id: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1688184
+TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Run-TryBot: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/468135
+Run-TryBot: Michael Pratt <mpratt@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Than McIntosh <thanm@google.com>
+Auto-Submit: Michael Pratt <mpratt@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+---
+ vendor/golang.org/x/net/http2/hpack/hpack.go | 79 ++++++++++++--------
+ 1 file changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go
+index 85f18a2..7e7e4cf 100644
+--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
++++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
+@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 
+ 	var hf HeaderField
+ 	wantStr := d.emitEnabled || it.indexed()
++	var undecodedName undecodedString
+ 	if nameIdx > 0 {
+ 		ihf, ok := d.at(nameIdx)
+ 		if !ok {
+@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 		}
+ 		hf.Name = ihf.Name
+ 	} else {
+-		hf.Name, buf, err = d.readString(buf, wantStr)
++		undecodedName, buf, err = d.readString(buf)
+ 		if err != nil {
+ 			return err
+ 		}
+ 	}
+-	hf.Value, buf, err = d.readString(buf, wantStr)
++	undecodedValue, buf, err := d.readString(buf)
+ 	if err != nil {
+ 		return err
+ 	}
++	if wantStr {
++		if nameIdx <= 0 {
++			hf.Name, err = d.decodeString(undecodedName)
++			if err != nil {
++				return err
++			}
++		}
++		hf.Value, err = d.decodeString(undecodedValue)
++		if err != nil {
++			return err
++		}
++	}
+ 	d.buf = buf
+ 	if it.indexed() {
+ 		d.dynTab.add(hf)
+@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
+ 	return 0, origP, errNeedMore
+ }
+ 
+-// readString decodes an hpack string from p.
++// readString reads an hpack string from p.
+ //
+-// wantStr is whether s will be used. If false, decompression and
+-// []byte->string garbage are skipped if s will be ignored
+-// anyway. This does mean that huffman decoding errors for non-indexed
+-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
+-// is returning an error anyway, and because they're not indexed, the error
+-// won't affect the decoding state.
+-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
++// It returns a reference to the encoded string data to permit deferring decode costs
++// until after the caller verifies all data is present.
++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
+ 	if len(p) == 0 {
+-		return "", p, errNeedMore
++		return u, p, errNeedMore
+ 	}
+ 	isHuff := p[0]&128 != 0
+ 	strLen, p, err := readVarInt(7, p)
+ 	if err != nil {
+-		return "", p, err
++		return u, p, err
+ 	}
+ 	if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
+-		return "", nil, ErrStringLength
++		// Returning an error here means Huffman decoding errors
++		// for non-indexed strings past the maximum string length
++		// are ignored, but the server is returning an error anyway
++		// and because the string is not indexed the error will not
++		// affect the decoding state.
++		return u, nil, ErrStringLength
+ 	}
+ 	if uint64(len(p)) < strLen {
+-		return "", p, errNeedMore
+-	}
+-	if !isHuff {
+-		if wantStr {
+-			s = string(p[:strLen])
+-		}
+-		return s, p[strLen:], nil
++		return u, p, errNeedMore
+ 	}
++	u.isHuff = isHuff
++	u.b = p[:strLen]
++	return u, p[strLen:], nil
++}
+ 
+-	if wantStr {
+-		buf := bufPool.Get().(*bytes.Buffer)
+-		buf.Reset() // don't trust others
+-		defer bufPool.Put(buf)
+-		if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
+-			buf.Reset()
+-			return "", nil, err
+-		}
++type undecodedString struct {
++	isHuff bool
++	b      []byte
++}
++
++func (d *Decoder) decodeString(u undecodedString) (string, error) {
++	if !u.isHuff {
++		return string(u.b), nil
++	}
++	buf := bufPool.Get().(*bytes.Buffer)
++	buf.Reset() // don't trust others
++	var s string
++	err := huffmanDecode(buf, d.maxStrLen, u.b)
++	if err == nil {
+ 		s = buf.String()
+-		buf.Reset() // be nice to GC
+ 	}
+-	return s, p[strLen:], nil
++	buf.Reset() // be nice to GC
++	bufPool.Put(buf)
++	return s, err
+ }
+-- 
+2.20.1
+

0001-fix-CVE-2023-29406.patch

@@ -0,0 +1,26 @@
+From 03bccc9aa2a29a03f5a65d56b0ceaace4a66a0d5 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Sat, 11 May 2024 10:33:04 +0800
+Subject: [PATCH] fix CVE-2023-29406
+
+---
+ vendor/golang.org/x/net/http2/transport.go | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
+index 4f09897..e1bb430 100644
+--- a/vendor/golang.org/x/net/http2/transport.go
++++ b/vendor/golang.org/x/net/http2/transport.go
+@@ -1739,6 +1739,9 @@ func (cc *ClientConn) encodeHeaders(req *http.Request, addGzipHeader bool, trail
+ 	if err != nil {
+ 		return nil, err
+ 	}
++	if !httpguts.ValidHostHeader(host) {
++		return nil, errors.New("http: invalid Host header")
++	}
+ 
+ 	var path string
+ 	if req.Method != "CONNECT" {
+-- 
+2.33.0
+

0002-fix-CVE-2024-28180.patch

@@ -0,0 +1,63 @@
+From b9893bf221e4f5791631c8e7152a10a69b57b8de Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Wed, 24 Apr 2024 10:37:19 +0800
+Subject: [PATCH] fix CVE-2024-28180
+
+---
+ vendor/gopkg.in/square/go-jose.v2/encoding.go | 21 +++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+index 70f7385..c31eb91 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
++++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+@@ -21,6 +21,7 @@ import (
+ 	"compress/flate"
+ 	"encoding/base64"
+ 	"encoding/binary"
++	"fmt"
+ 	"io"
+ 	"math/big"
+ 	"strings"
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ 	}
+ }
+ 
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ 	output := new(bytes.Buffer)
+ 
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ 	return output.Bytes(), err
+ }
+ 
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger
+ func inflate(input []byte) ([]byte, error) {
+ 	output := new(bytes.Buffer)
+ 	reader := flate.NewReader(bytes.NewBuffer(input))
+ 
+-	_, err := io.Copy(output, reader)
+-	if err != nil {
++	maxCompressedSize := 10 * int64(len(input))
++	if maxCompressedSize < 250000 {
++		maxCompressedSize = 250000
++	}
++
++	limit := maxCompressedSize + 1
++	n, err := io.CopyN(output, reader, limit)
++	if err != nil && err != io.EOF {
+ 		return nil, err
+ 	}
++	if n == limit {
++		return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++	}
+ 
+ 	err = reader.Close()
+ 	return output.Bytes(), err
+-- 
+2.20.1

skopeo.spec

@@ -21,7 +21,7 @@
 %global import_path %{provider_prefix}
 %global git0 https://%{import_path}
 
-%global build_version v1.5.2
+%global build_version v1.8.0
 
 %define epoch 1
 
@@ -29,18 +29,23 @@ ExcludeArch: ppc64
 
 Name: %{repo}
 Epoch: 1
-Version: 1.5.2
-Release: 2
+Version: 1.8.0
+Release: 5
 Summary: Work with remote images registries - retrieving information, images, signing content
 License: ASL 2.0
 URL: %{git0}
 Source0: %{git0}/archive/%{build_version}.tar.gz
 Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
 
+Patch0001:     0001-fix-CVE-2022-41723.patch
+Patch0002:     0002-fix-CVE-2024-28180.patch
+Patch0003:     0001-fix-CVE-2023-29406.patch
+
 BuildRequires: go-srpm-macros git-core pkgconfig(devmapper) make
 BuildRequires: golang >= 1.16.6
 BuildRequires: gpgme-devel libassuan-devel btrfs-progs-devel ostree-devel glib2-devel
 Requires: containers-common
+
 Provides: bundled(golang(github.com/beorn7/perks)) = 4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9
 Provides: bundled(golang(github.com/BurntSushi/toml)) = master
 Provides: bundled(golang(github.com/containerd/continuity)) = d8fb8589b0e8e85b8c8bbaa8840226d0dfeb7371
@@ -212,7 +217,7 @@ providing packages with %{import_path} prefix.
 %endif
 
 %prep
-%autosetup -Sgit -n %{name}-%{version}
+%autosetup -Sgit -n %{name}-%{version} -p1
 tar -xf %SOURCE1
 
 %build
@@ -318,6 +323,33 @@ export GOPATH=%{buildroot}/%{gopath}:$(pwd)/vendor:%{gopath}
 %{_prefix}/share/bash-completion/completions/%{name}
 
 %changelog
+* Tue Jun 18 2024 wangyueliang <wangyueliang@kylinos.cn> - 1:1.8.0-5
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: rebuild for 22.03LTS_SP4
+
+* Sat May 11 2024 lijian <lijian2@kylinos.cn> - 1:1.8.0-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2023-29406
+
+* Sat May 11 2024 lijian <lijian2@kylinos.cn> - 1:1.8.0-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-28180
+
+* Thu Apr 18 2024 zhangbowei <zhangbowei@kylinos.cn> -1:1.8.0-2
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-41723
+
+* Tue Oct 17 2023 lijian <lijian2@kylinos.cn> - 1:1.8.0-1
+- update to 1.8.0
+
 * Fri Jun 09 2023 duyiwei <duyiwei@kylinos.cn> - 1:1.5.2-2
 - remove subpackage containers-common