From 47e14799119154502da7425df8d9b84c34a0e4ac Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Tue, 3 Dec 2024 04:59:32 -0800 Subject: [PATCH] [AUTO-CHERRYPICK] Fix CVE-2024-24786 in multiple packages by patching - branch 3.0-dev (#11285) Co-authored-by: Bala --- SPECS/cf-cli/CVE-2024-24786.patch | 152 ++++++++++++++++++ SPECS/cf-cli/cf-cli.spec | 7 +- SPECS/containerd/CVE-2024-24786.patch | 152 ++++++++++++++++++ SPECS/containerd/containerd.spec | 6 +- .../CVE-2024-24786.patch | 152 ++++++++++++++++++ .../containerized-data-importer.spec | 6 +- SPECS/coredns/CVE-2024-24786.patch | 152 ++++++++++++++++++ SPECS/coredns/coredns.spec | 6 +- SPECS/docker-cli/CVE-2024-24786.patch | 152 ++++++++++++++++++ SPECS/docker-cli/docker-cli.spec | 6 +- SPECS/influxdb/CVE-2024-24786.patch | 152 ++++++++++++++++++ SPECS/influxdb/influxdb.spec | 6 +- SPECS/kubevirt/CVE-2024-24786.patch | 152 ++++++++++++++++++ SPECS/kubevirt/kubevirt.spec | 6 +- .../libcontainers-common/CVE-2024-24786.patch | 152 ++++++++++++++++++ .../libcontainers-common.spec | 9 +- SPECS/moby-containerd-cc/CVE-2024-24786.patch | 152 ++++++++++++++++++ .../moby-containerd-cc.spec | 6 +- SPECS/moby-engine/CVE-2024-24786.patch | 152 ++++++++++++++++++ SPECS/moby-engine/moby-engine.spec | 6 +- .../CVE-2024-24786.patch | 152 ++++++++++++++++++ .../node-problem-detector.spec | 12 +- SPECS/packer/CVE-2024-24786.patch | 152 ++++++++++++++++++ SPECS/packer/packer.spec | 6 +- SPECS/prometheus/CVE-2024-24786.patch | 152 ++++++++++++++++++ SPECS/prometheus/prometheus.spec | 6 +- 26 files changed, 2049 insertions(+), 15 deletions(-) create mode 100644 SPECS/cf-cli/CVE-2024-24786.patch create mode 100644 SPECS/containerd/CVE-2024-24786.patch create mode 100644 SPECS/containerized-data-importer/CVE-2024-24786.patch create mode 100644 SPECS/coredns/CVE-2024-24786.patch create mode 100644 SPECS/docker-cli/CVE-2024-24786.patch create mode 100644 SPECS/influxdb/CVE-2024-24786.patch create mode 100644 SPECS/kubevirt/CVE-2024-24786.patch create mode 100644 SPECS/libcontainers-common/CVE-2024-24786.patch create mode 100644 SPECS/moby-containerd-cc/CVE-2024-24786.patch create mode 100644 SPECS/moby-engine/CVE-2024-24786.patch create mode 100644 SPECS/node-problem-detector/CVE-2024-24786.patch create mode 100644 SPECS/packer/CVE-2024-24786.patch create mode 100644 SPECS/prometheus/CVE-2024-24786.patch diff --git a/SPECS/cf-cli/CVE-2024-24786.patch b/SPECS/cf-cli/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/cf-cli/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/cf-cli/cf-cli.spec b/SPECS/cf-cli/cf-cli.spec index b468876cae9..10020f6b21e 100644 --- a/SPECS/cf-cli/cf-cli.spec +++ b/SPECS/cf-cli/cf-cli.spec @@ -5,7 +5,7 @@ Summary: The official command line client for Cloud Foundry. Name: cf-cli # Note: Upgrading the package also warrants an upgrade in the CF_BUILD_SHA Version: 8.7.3 -Release: 2%{?dist} +Release: 3%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -32,6 +32,7 @@ Source0: https://github.com/cloudfoundry/cli/archive/refs/tags/v%{version # - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates. Source1: cli-%{version}-vendor.tar.gz Patch0: CVE-2023-39325.patch +Patch1: CVE-2024-24786.patch BuildRequires: golang >= 1.18.3 %global debug_package %{nil} @@ -44,6 +45,7 @@ The official command line client for Cloud Foundry. %setup -q -n cli-%{version} tar --no-same-owner -xf %{SOURCE1} %patch 0 -p1 +%patch 1 -p1 %build export GOPATH=%{our_gopath} @@ -65,6 +67,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf %{_bindir}/cf %changelog +* Mon Nov 25 2024 Bala - 8.7.3-3 +- Fix CVE-2024-24786 + * Mon Jul 29 2024 Muhammad Falak - 8.7.3-2 - Fix CF_BUILD_SHA to have correct build sha in the binary - Move Source1 un-taring in prep section diff --git a/SPECS/containerd/CVE-2024-24786.patch b/SPECS/containerd/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/containerd/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/containerd/containerd.spec b/SPECS/containerd/containerd.spec index 0131e8910ca..ab507993597 100644 --- a/SPECS/containerd/containerd.spec +++ b/SPECS/containerd/containerd.spec @@ -4,7 +4,7 @@ Summary: Industry-standard container runtime Name: containerd Version: 1.7.13 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://www.containerd.io @@ -18,6 +18,7 @@ Patch0: Makefile.patch Patch1: fix_tests_for_golang1.21.patch Patch2: CVE-2023-44487.patch Patch3: CVE-2023-47108.patch +Patch4: CVE-2024-24786.patch %{?systemd_requires} @@ -87,6 +88,9 @@ fi %dir /opt/containerd/lib %changelog +* Mon Nov 25 2024 Bala - 1.7.13-5 +- Fix CVE-2024-24786 + * Tue Oct 15 2024 Muhammad Falak - 1.7.13-4 - Pin golang version to <= 1.22 diff --git a/SPECS/containerized-data-importer/CVE-2024-24786.patch b/SPECS/containerized-data-importer/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/containerized-data-importer/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec index b82b8bf50b2..fbc47de7800 100644 --- a/SPECS/containerized-data-importer/containerized-data-importer.spec +++ b/SPECS/containerized-data-importer/containerized-data-importer.spec @@ -18,7 +18,7 @@ Summary: Container native virtualization Name: containerized-data-importer Version: 1.57.0 -Release: 5%{?dist} +Release: 6%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -27,6 +27,7 @@ URL: https://github.com/kubevirt/containerized-data-importer Source0: https://github.com/kubevirt/containerized-data-importer/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Patch0: CVE-2024-3727.patch Patch1: CVE-2022-2879.patch +Patch2: CVE-2024-24786.patch BuildRequires: golang BuildRequires: golang-packaging BuildRequires: libnbd-devel @@ -221,6 +222,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m %{_datadir}/cdi/manifests %changelog +* Mon Nov 25 2024 Bala - 1.57.0-6 +- Fix CVE-2024-24786 + * Fri Sep 06 2024 Aditya Dubey - 1.57.0-5 - Statically building binaries diff --git a/SPECS/coredns/CVE-2024-24786.patch b/SPECS/coredns/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/coredns/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/coredns/coredns.spec b/SPECS/coredns/coredns.spec index 33253ceb284..bb1d2d905c0 100644 --- a/SPECS/coredns/coredns.spec +++ b/SPECS/coredns/coredns.spec @@ -3,7 +3,7 @@ Summary: Fast and flexible DNS server Name: coredns Version: 1.11.1 -Release: 2%{?dist} +Release: 3%{?dist} License: Apache License 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -36,6 +36,7 @@ Patch2: CVE-2023-49295.patch Patch3: CVE-2024-22189.patch Patch4: CVE-2023-45288.patch Patch5: CVE-2024-0874.patch +Patch6: CVE-2024-24786.patch BuildRequires: golang >= 1.12 @@ -64,6 +65,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} %{name} %{_bindir}/%{name} %changelog +* Mon Nov 25 2024 Bala - 1.11.1-3 +- Fix CVE-2024-24786 + * Mon Jun 24 2024 Nicolas Guibourge - 1.11.1-2 - Address CVE-2023-44487, CVE-2023-45288, CVE-2023-49295, CVE-2024-0874, CVE-2024-22189 diff --git a/SPECS/docker-cli/CVE-2024-24786.patch b/SPECS/docker-cli/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/docker-cli/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/docker-cli/docker-cli.spec b/SPECS/docker-cli/docker-cli.spec index 66ed5e3e078..c08b378b243 100644 --- a/SPECS/docker-cli/docker-cli.spec +++ b/SPECS/docker-cli/docker-cli.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine client. Name: docker-cli Version: 25.0.3 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -12,6 +12,7 @@ URL: https://github.com/docker/cli Source0: https://github.com/docker/cli/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: %{name}-%{version}-govendor-v1.tar.gz Patch0: disable_manpage_vendor.patch +Patch1: CVE-2024-24786.patch BuildRequires: git BuildRequires: go-md2man BuildRequires: golang @@ -80,6 +81,9 @@ install -p -m 644 contrib/completion/fish/docker.fish %{buildroot}%{_datadir}/fi %{_datadir}/fish/vendor_completions.d/docker.fish %changelog +* Mon Nov 25 2024 Bala - 25.0.3-2 +- Fix CVE-2024-24786 + * Thu Feb 22 2024 Henry Beberman - 25.0.3-1 - Rename package to docker-cli - Bump version to 25.0.3 diff --git a/SPECS/influxdb/CVE-2024-24786.patch b/SPECS/influxdb/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/influxdb/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec index f00767f959c..be889511b1d 100644 --- a/SPECS/influxdb/influxdb.spec +++ b/SPECS/influxdb/influxdb.spec @@ -18,7 +18,7 @@ Summary: Scalable datastore for metrics, events, and real-time analytics Name: influxdb Version: 2.7.3 -Release: 6%{?dist} +Release: 7%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Azure Linux @@ -59,6 +59,7 @@ Patch0: CVE-2021-4238.patch Patch1: CVE-2019-0205.patch Patch2: CVE-2024-6104.patch Patch3: CVE-2023-45288.patch +Patch4: CVE-2024-24786.patch BuildRequires: clang BuildRequires: golang BuildRequires: kernel-headers @@ -148,6 +149,9 @@ go test ./... %{_tmpfilesdir}/influxdb.conf %changelog +- Mon Nov 25 2024 Bala - 2.7.3-7 +- Fix CVE-2024-24786 + * Thu Oct 10 2024 Sumedh Sharma - 2.7.3-6 - Add patch to resolve CVE-2023-45288. diff --git a/SPECS/kubevirt/CVE-2024-24786.patch b/SPECS/kubevirt/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/kubevirt/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/kubevirt/kubevirt.spec b/SPECS/kubevirt/kubevirt.spec index 65caa8382ec..4f8a2dd3506 100644 --- a/SPECS/kubevirt/kubevirt.spec +++ b/SPECS/kubevirt/kubevirt.spec @@ -20,7 +20,7 @@ Summary: Container native virtualization Name: kubevirt Version: 1.2.0 -Release: 9%{?dist} +Release: 10%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -32,6 +32,7 @@ Source0: https://github.com/kubevirt/kubevirt/archive/refs/tags/v%{versio # correctly. Patch0: Cleanup-housekeeping-cgroup-on-vm-del.patch Patch1: CVE-2023-48795.patch +Patch2: CVE-2024-24786.patch %global debug_package %{nil} BuildRequires: swtpm-tools BuildRequires: glibc-devel @@ -272,6 +273,9 @@ install -p -m 0644 cmd/virt-launcher/qemu.conf %{buildroot}%{_datadir}/kube-virt %{_bindir}/virt-tests %changelog +* Mon Nov 25 2024 Bala - 1.2.0-10 +- Fix for CVE-2024-24786 + * Sun Oct 06 2024 Mandeep Plaha - 1.2.0-9 - Fix for CVE-2023-48795 diff --git a/SPECS/libcontainers-common/CVE-2024-24786.patch b/SPECS/libcontainers-common/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/libcontainers-common/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/libcontainers-common/libcontainers-common.spec b/SPECS/libcontainers-common/libcontainers-common.spec index 6f65a30c3fd..d2f14bab0de 100644 --- a/SPECS/libcontainers-common/libcontainers-common.spec +++ b/SPECS/libcontainers-common/libcontainers-common.spec @@ -26,7 +26,7 @@ Summary: Configuration files common to github.com/containers Name: libcontainers-common Version: 20240213 -Release: 2%{?dist} +Release: 3%{?dist} License: ASL 2.0 AND GPLv3 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -54,6 +54,7 @@ Patch3: CVE-2024-3727.patch #Note (mfrw): The patch for CVE-2024-37298 only applies to podman. Patch4: CVE-2024-37298.patch Patch5: CVE-2024-6104.patch +Patch6: CVE-2024-24786.patch BuildRequires: go-go-md2man Requires(post): grep @@ -72,6 +73,7 @@ github.com/containers libraries, such as Buildah, CRI-O, Podman and Skopeo. %patch 3 -p6 %setup -q -T -D -b 1 -n storage-%{storagever} +%patch 6 -p1 %setup -q -T -D -b 7 -n podman-%{podmanver} %patch 0 -p1 @@ -80,11 +82,13 @@ github.com/containers libraries, such as Buildah, CRI-O, Podman and Skopeo. %patch 3 -p1 %patch 4 -p1 %patch 5 -p1 +%patch 6 -p1 %setup -q -T -D -b 9 -n common-%{commonver} %patch 0 -p1 %patch 1 -p1 %patch 3 -p1 +%patch 6 -p1 # copy the LICENSE file in the build root cd .. @@ -181,6 +185,9 @@ fi %license LICENSE %changelog +* Mon Nov 25 2024 Bala - 20240213-3 +- Fix CVE-2024-24786 + * Tue Jul 09 2024 Muhammad Falak - 20240213-2 - Address CVE-2022-2879 by patching vendored github.com/vbatts/tar-split - Address CVE-2023-45288 by patching vendored golang.org/x/net/http2 diff --git a/SPECS/moby-containerd-cc/CVE-2024-24786.patch b/SPECS/moby-containerd-cc/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/moby-containerd-cc/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/moby-containerd-cc/moby-containerd-cc.spec b/SPECS/moby-containerd-cc/moby-containerd-cc.spec index 429530122b0..667e0cd9fac 100644 --- a/SPECS/moby-containerd-cc/moby-containerd-cc.spec +++ b/SPECS/moby-containerd-cc/moby-containerd-cc.spec @@ -6,7 +6,7 @@ Summary: Industry-standard container runtime for confidential containers Name: moby-%{upstream_name} Version: 1.7.7 -Release: 4%{?dist} +Release: 5%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://www.containerd.io @@ -19,6 +19,7 @@ Source2: containerd.toml Patch0: CVE-2023-47108.patch Patch1: CVE-2023-44487.patch Patch2: fix_cc_tests_for_golang1.21.patch +Patch3: CVE-2024-24786.patch %{?systemd_requires} @@ -76,6 +77,9 @@ fi %config(noreplace) %{_sysconfdir}/containerd/config.toml %changelog +* Mon Nov 25 2024 Bala - 1.7.7-5 +- Fix CVE-2024-24786 by patching + * Tue Oct 15 2024 Muhammad Falak - 1.7.7-4 - Pin golang version to <= 1.22 diff --git a/SPECS/moby-engine/CVE-2024-24786.patch b/SPECS/moby-engine/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/moby-engine/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec index 31b03d8ce53..dc57d983520 100644 --- a/SPECS/moby-engine/moby-engine.spec +++ b/SPECS/moby-engine/moby-engine.spec @@ -3,7 +3,7 @@ Summary: The open-source application container engine Name: moby-engine Version: 25.0.3 -Release: 6%{?dist} +Release: 7%{?dist} License: ASL 2.0 Group: Tools/Container URL: https://mobyproject.org @@ -18,6 +18,7 @@ Patch0: CVE-2022-2879.patch Patch1: enable-docker-proxy-libexec-search.patch Patch2: CVE-2024-41110.patch Patch3: CVE-2024-29018.patch +Patch4: CVE-2024-24786.patch %{?systemd_requires} @@ -113,6 +114,9 @@ fi %{_unitdir}/* %changelog +* Mon Nov 25 2024 Bala - 25.0.3-7 +- Fix CVE-2024-24786 by patching + * Mon Aug 19 2024 Suresh Thelkar - 25.0.3-6 - Patch CVE-2024-29018 diff --git a/SPECS/node-problem-detector/CVE-2024-24786.patch b/SPECS/node-problem-detector/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/node-problem-detector/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/node-problem-detector/node-problem-detector.spec b/SPECS/node-problem-detector/node-problem-detector.spec index a0085e8230a..2f903814512 100644 --- a/SPECS/node-problem-detector/node-problem-detector.spec +++ b/SPECS/node-problem-detector/node-problem-detector.spec @@ -1,7 +1,7 @@ Summary: Kubernetes daemon to detect and report node issues Name: node-problem-detector Version: 0.8.15 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -39,6 +39,7 @@ Source1: %{name}-%{version}-vendor.tar.gz Source2: %{name}-%{version}-test-vendor.tar.gz Patch0: 0001-remove-arch-specific-logic-from-makefile.patch Patch1: 0001-add-Mariner-and-Azure-Linux-OS-Versions.patch +Patch2: CVE-2024-24786.patch BuildRequires: golang BuildRequires: systemd-devel Requires: azurelinux-release @@ -59,15 +60,17 @@ Requires: node-problem-detector Default configuration files for node-problem-detector %prep -%autosetup -p1 +%autosetup -p1 -%build # create vendor folder from the vendor tarball tar -xf %{SOURCE1} --no-same-owner +%patch 2 -p1 pushd test tar -xf %{SOURCE2} --no-same-owner +%patch 2 -p1 popd +%build %make_build build-binaries VERSION=%{version} %install @@ -99,6 +102,9 @@ make test %config(noreplace) %{_sysconfdir}/node-problem-detector.d/* %changelog +* Mon Nov 25 2024 Bala - 0.8.15-2 +- Fix CVE-2024-24786 by patching + * Fri Feb 16 2024 Sean Dougherty - 0.8.15-1 - Upgrade to 0.8.15 for Azure Linux 3.0 diff --git a/SPECS/packer/CVE-2024-24786.patch b/SPECS/packer/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/packer/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/packer/packer.spec b/SPECS/packer/packer.spec index 216a3051df2..e2f50e20492 100644 --- a/SPECS/packer/packer.spec +++ b/SPECS/packer/packer.spec @@ -4,7 +4,7 @@ Summary: Tool for creating identical machine images for multiple platforms from a single source configuration. Name: packer Version: 1.9.5 -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -35,6 +35,7 @@ Patch0: CVE-2023-45288.patch Patch1: CVE-2022-3064.patch Patch2: CVE-2023-49569.patch Patch3: CVE-2024-6104.patch +Patch4: CVE-2024-24786.patch BuildRequires: golang >= 1.17.1 BuildRequires: kernel-headers BuildRequires: glibc-devel @@ -68,6 +69,9 @@ go test -mod=vendor %{_bindir}/packer %changelog +* Mon Nov 25 2024 Bala - 1.9.5-3 +- Patched CVE-2024-24786 + * Mon Aug 05 2024 Bala - 1.9.5-2 - Patched CVE-2024-6104. diff --git a/SPECS/prometheus/CVE-2024-24786.patch b/SPECS/prometheus/CVE-2024-24786.patch new file mode 100644 index 00000000000..6c80204f5b0 --- /dev/null +++ b/SPECS/prometheus/CVE-2024-24786.patch @@ -0,0 +1,152 @@ +From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001 +From: bala +Date: Mon, 25 Nov 2024 16:47:53 +0000 +Subject: [PATCH] Vendor patch applied + +--- + .../protobuf/encoding/protojson/decode.go | 12 ++++ + .../encoding/protojson/well_known_types.go | 59 +++++++------------ + .../protobuf/internal/encoding/json/decode.go | 2 +- + 3 files changed, 33 insertions(+), 40 deletions(-) + +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +index 5f28148..67fe4e7 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go +@@ -11,6 +11,7 @@ import ( + "strconv" + "strings" + ++ "google.golang.org/protobuf/encoding/protowire" + "google.golang.org/protobuf/internal/encoding/json" + "google.golang.org/protobuf/internal/encoding/messageset" + "google.golang.org/protobuf/internal/errors" +@@ -47,6 +48,10 @@ type UnmarshalOptions struct { + protoregistry.MessageTypeResolver + protoregistry.ExtensionTypeResolver + } ++ ++ // RecursionLimit limits how deeply messages may be nested. ++ // If zero, a default limit is applied. ++ RecursionLimit int + } + + // Unmarshal reads the given []byte and populates the given proto.Message +@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error { + if o.Resolver == nil { + o.Resolver = protoregistry.GlobalTypes + } ++ if o.RecursionLimit == 0 { ++ o.RecursionLimit = protowire.DefaultRecursionLimit ++ } + + dec := decoder{json.NewDecoder(b), o} + if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil { +@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error { + + // unmarshalMessage unmarshals a message into the given protoreflect.Message. + func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error { ++ d.opts.RecursionLimit-- ++ if d.opts.RecursionLimit < 0 { ++ return errors.New("exceeded max recursion depth") ++ } + if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil { + return unmarshal(d, m) + } +diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +index 6c37d41..4b177c8 100644 +--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go ++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go +@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error { + // Use another decoder to parse the unread bytes for @type field. This + // avoids advancing a read from current decoder because the current JSON + // object may contain the fields of the embedded type. +- dec := decoder{d.Clone(), UnmarshalOptions{}} ++ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}} + tok, err := findTypeURL(dec) + switch err { + case errEmptyObject: +@@ -308,48 +308,29 @@ Loop: + // array) in order to advance the read to the next JSON value. It relies on + // the decoder returning an error if the types are not in valid sequence. + func (d decoder) skipJSONValue() error { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- // Only need to continue reading for objects and arrays. +- switch tok.Kind() { +- case json.ObjectOpen: +- for { +- tok, err := d.Read() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ObjectClose: +- return nil +- case json.Name: +- // Skip object field value. +- if err := d.skipJSONValue(); err != nil { +- return err +- } +- } ++ var open int ++ for { ++ tok, err := d.Read() ++ if err != nil { ++ return err + } +- +- case json.ArrayOpen: +- for { +- tok, err := d.Peek() +- if err != nil { +- return err +- } +- switch tok.Kind() { +- case json.ArrayClose: +- d.Read() +- return nil +- default: +- // Skip array item. +- if err := d.skipJSONValue(); err != nil { +- return err +- } ++ switch tok.Kind() { ++ case json.ObjectClose, json.ArrayClose: ++ open-- ++ case json.ObjectOpen, json.ArrayOpen: ++ open++ ++ if open > d.opts.RecursionLimit { ++ return errors.New("exceeded max recursion depth") + } ++ case json.EOF: ++ // This can only happen if there's a bug in Decoder.Read. ++ // Avoid an infinite loop if this does happen. ++ return errors.New("unexpected EOF") ++ } ++ if open == 0 { ++ return nil + } + } +- return nil + } + + // unmarshalAnyValue unmarshals the given custom-type message from the JSON +diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +index d043a6e..d2b3ac0 100644 +--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go ++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go +@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) { + + case ObjectClose: + if len(d.openStack) == 0 || +- d.lastToken.kind == comma || ++ d.lastToken.kind&(Name|comma) != 0 || + d.openStack[len(d.openStack)-1] != ObjectOpen { + return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString()) + } +-- +2.39.4 + diff --git a/SPECS/prometheus/prometheus.spec b/SPECS/prometheus/prometheus.spec index c9707573e09..ce7689cf20d 100644 --- a/SPECS/prometheus/prometheus.spec +++ b/SPECS/prometheus/prometheus.spec @@ -4,7 +4,7 @@ Summary: Prometheus monitoring system and time series database Name: prometheus Version: 2.45.4 -Release: 4%{?dist} +Release: 6%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -20,6 +20,7 @@ Source6: promu-%{promu_version}.tar.gz Patch0: 02-Default_settings.patch Patch1: CVE-2023-45288.patch Patch2: CVE-2024-6104.patch +Patch3: CVE-2024-24786.patch BuildRequires: golang BuildRequires: nodejs BuildRequires: nodejs-npm @@ -136,6 +137,9 @@ fi %doc README.md RELEASE.md documentation %changelog +* Mon Nov 25 2024 Bala - 2.45.4-6 +- Fix CVE-2024-24786 by patching + * Wed Nov 06 2024 Nicolas Guibourge - 2.45.4-4 - Fix CVE-2023-45288