From 575f6d4f751a53ae7bb622e1767f60902fcd0c76 Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney
Date: Wed, 20 Nov 2024 11:01:27 -0800
Subject: [PATCH] Enable lua support for fluent-bit (#11009)

Co-authored-by: Paul Meyer
---
 SPECS/fluent-bit/CVE-2024-25629.patch | 19 -----
 SPECS/fluent-bit/CVE-2024-28182.patch | 91 ---------------------
 SPECS/fluent-bit/fluent-bit.signatures.json | 2 +-
 SPECS/fluent-bit/fluent-bit.spec | 15 ++--
 cgmanifest.json | 4 +-
 5 files changed, 12 insertions(+), 119 deletions(-)
 delete mode 100644 SPECS/fluent-bit/CVE-2024-25629.patch
 delete mode 100644 SPECS/fluent-bit/CVE-2024-28182.patch

diff --git a/SPECS/fluent-bit/CVE-2024-25629.patch b/SPECS/fluent-bit/CVE-2024-25629.patch
deleted file mode 100644
index 86758d5fd74..00000000000
--- a/SPECS/fluent-bit/CVE-2024-25629.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff --git a/lib/c-ares-1.24.0/src/lib/ares__read_line.c b/lib/c-ares-1.24.0/src/lib/ares__read_line.c
-index d65ac1fcf..018f55e8b 100644
---- a/lib/c-ares-1.24.0/src/lib/ares__read_line.c
-+++ b/lib/c-ares-1.24.0/src/lib/ares__read_line.c
-@@ -59,6 +59,14 @@ ares_status_t ares__read_line(FILE *fp, char **buf, size_t *bufsize)
- return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
- }
- len = offset + ares_strlen(*buf + offset);
-+
-+ /* Probably means there was an embedded NULL as the first character in
-+ * the line, throw away line */
-+ if (len == 0) {
-+ offset = 0;
-+ continue;
-+ }
-+
- if ((*buf)[len - 1] == '\n') {
- (*buf)[len - 1] = 0;
- break;
diff --git a/SPECS/fluent-bit/CVE-2024-28182.patch b/SPECS/fluent-bit/CVE-2024-28182.patch
deleted file mode 100644
index e75a5551b68..00000000000
--- a/SPECS/fluent-bit/CVE-2024-28182.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-diff --git a/lib/nghttp2/lib/includes/nghttp2/nghttp2.h b/lib/nghttp2/lib/includes/nghttp2/nghttp2.h
-index 66ea3c63c..5378daf43 100644
---- a/lib/nghttp2/lib/includes/nghttp2/nghttp2.h
-+++ b/lib/nghttp2/lib/includes/nghttp2/nghttp2.h
-@@ -440,7 +440,12 @@ typedef enum {
- * exhaustion on server side to send these frames forever and does
- * not read network.
- */
-- NGHTTP2_ERR_FLOODED = -904
-+ NGHTTP2_ERR_FLOODED = -904,
-+ /**
-+ * When a local endpoint receives too many CONTINUATION frames
-+ * following a HEADER frame.
-+ */
-+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
- } nghttp2_error;
-
- /**
-diff --git a/lib/nghttp2/lib/nghttp2_helper.c b/lib/nghttp2/lib/nghttp2_helper.c
-index 93dd4754b..b3563d98e 100644
---- a/lib/nghttp2/lib/nghttp2_helper.c
-+++ b/lib/nghttp2/lib/nghttp2_helper.c
-@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
- "closed";
- case NGHTTP2_ERR_TOO_MANY_SETTINGS:
- return "SETTINGS frame contained more than the maximum allowed entries";
-+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
-+ return "Too many CONTINUATION frames following a HEADER frame";
- default:
- return "Unknown error code";
- }
-diff --git a/lib/nghttp2/lib/nghttp2_session.c b/lib/nghttp2/lib/nghttp2_session.c
-index c0d86026a..51ed4494e 100644
---- a/lib/nghttp2/lib/nghttp2_session.c
-+++ b/lib/nghttp2/lib/nghttp2_session.c
-@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
- (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
- (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
- (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
-+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
-
- if (option) {
- if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
-@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
- }
- }
- session_inbound_frame_reset(session);
-+
-+ session->num_continuations = 0;
- }
- break;
- }
-@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
- }
- #endif /* DEBUGBUILD */
-
-+ if (++session->num_continuations > session->max_continuations) {
-+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
-+ }
-+
- readlen = inbound_frame_buf_read(iframe, in, last);
- in += readlen;
-
-diff --git a/lib/nghttp2/lib/nghttp2_session.h b/lib/nghttp2/lib/nghttp2_session.h
-index b119329a0..ef8f7b27d 100644
---- a/lib/nghttp2/lib/nghttp2_session.h
-+++ b/lib/nghttp2/lib/nghttp2_session.h
-@@ -110,6 +110,10 @@ typedef struct {
- #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
- #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
-
-+/* The default max number of CONTINUATION frames following an incoming
-+ HEADER frame. */
-+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
-+
- /* Internal state when receiving incoming frame */
- typedef enum {
- /* Receiving frame header */
-@@ -290,6 +294,12 @@ struct nghttp2_session {
- size_t max_send_header_block_length;
- /* The maximum number of settings accepted per SETTINGS frame. */
- size_t max_settings;
-+ /* The maximum number of CONTINUATION frames following an incoming
-+ HEADER frame. */
-+ size_t max_continuations;
-+ /* The number of CONTINUATION frames following an incoming HEADER
-+ frame. This variable is reset when END_HEADERS flag is seen. */
-+ size_t num_continuations;
- /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
- uint32_t next_stream_id;
- /* The last stream ID this session initiated. For client session,
diff --git a/SPECS/fluent-bit/fluent-bit.signatures.json b/SPECS/fluent-bit/fluent-bit.signatures.json
index 15168d78cea..698bfe786fc 100644
--- a/SPECS/fluent-bit/fluent-bit.signatures.json
+++ b/SPECS/fluent-bit/fluent-bit.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "fluent-bit-3.0.6.tar.gz": "2cad0ac1e04646bc084b7bb3d5552589fa1997eaa5ba3fe2137a65ecf101cd9f"
+ "fluent-bit-3.1.9.tar.gz": "ac3a3e235e7f8a92d35f10c99f400f0b0571417a92e3c4caa467073733d42547"
 }
 }
diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec
index bf31be314b4..d53d88689a4 100644
--- a/SPECS/fluent-bit/fluent-bit.spec
+++ b/SPECS/fluent-bit/fluent-bit.spec
@@ -1,15 +1,13 @@
 Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
 Name: fluent-bit
-Version: 3.0.6
-Release: 2%{?dist}
+Version: 3.1.9
+Release: 1%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
 URL: https://fluentbit.io
 Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0: CVE-2024-34250.patch
-Patch1: CVE-2024-25629.patch
-Patch2: CVE-2024-28182.patch
 BuildRequires: bison
 BuildRequires: cmake
 BuildRequires: cyrus-sasl-devel
@@ -20,6 +18,7 @@ BuildRequires: gnutls-devel
 BuildRequires: graphviz
 BuildRequires: libpq-devel
 BuildRequires: libyaml-devel
+BuildRequires: luajit-devel
 BuildRequires: make
 BuildRequires: openssl-devel
 BuildRequires: pkgconfig
@@ -60,7 +59,7 @@ Development files for %{name}
 -DFLB_DEBUG=Off \
 -DFLB_TLS=On \
 -DFLB_JEMALLOC=On \
- -DFLB_LUAJIT=Off \
+ -DFLB_PREFER_SYSTEM_LIBS=On
 
 %cmake_build
 
@@ -68,7 +67,7 @@ Development files for %{name}
 %cmake_install
 
 %check
-%ctest --exclude-regex "flb-rt-in_podman_metrics|flb-rt-filter_lua|.*\\.sh"
+%ctest --exclude-regex "flb-rt-in_podman_metrics|.*\\.sh"
 
 %files
 %license LICENSE
@@ -83,6 +82,10 @@ Development files for %{name}
 %{_libdir}/fluent-bit/*.so
 
 %changelog
+* Tue Nov 05 2024 Paul Meyer - 3.1.9-1
+- Update to 3.1.9 to enable Lua filter plugin using system luajit library.
+- Remove patches for CVE-2024-25629 and CVE-2024-28182 as they are fixed in 3.1.9.
+
 * Tue Oct 15 2024 Chris Gunn - 3.0.6-2
 - CVE-2024-34250
 - CVE-2024-25629
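Review bot: In the `@@ -60,7 +59,7 @@` hunk `-DFLB_LUAJIT=Off \` is removed rather than replaced with an explicit `On`, so Lua support now rests on whatever the upstream CMake default happens to be; if that default moves in a later rebase the filter plugin silently drops out while the changelog entry and the new `luajit-devel` BuildRequires still claim it. Making the intent explicit is one line, `    -DFLB_LUAJIT=On \`, placed ahead of `-DFLB_PREFER_SYSTEM_LIBS=On`. `FLB_PREFER_SYSTEM_LIBS=On` also reads as a tree-wide switch rather than a luajit-specific one, so which of the bundled libraries (presumably including the c-ares and nghttp2 copies the deleted patches targeted) end up replaced by system copies now depends on which `-devel` packages are present in the build root, which is worth recording above the cmake block, e.g. `# FLB_PREFER_SYSTEM_LIBS: link system luajit (luajit-devel); check which other bundled libs it swaps`, or narrowing to the per-library variant of the option if fluent-bit's CMake offers one. The `%check` hunk could likewise carry `# flb-rt-filter_lua runs now that the Lua plugin is built` where that test left the exclude list.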
diff --git a/cgmanifest.json b/cgmanifest.json
index 1c9dcdfa491..45856801b19 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -3678,8 +3678,8 @@
 "type": "other",
 "other": {
 "name": "fluent-bit",
- "version": "3.0.6",
- "downloadUrl": "https://github.com/fluent/fluent-bit/archive/refs/tags/v3.0.6.tar.gz"
+ "version": "3.1.9",
+ "downloadUrl": "https://github.com/fluent/fluent-bit/archive/refs/tags/v3.1.9.tar.gz"
 }
 }
 },