From 1f8bfdfad45c7cc2352e98a131d489243a2df370 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Date: Fri, 31 Jan 2025 01:09:32 +0530
Subject: [PATCH] Patch moby-containerd for CVE-2024-28180 [Medium] (#12136)

Co-authored-by: jslobodzian <joslobo@microsoft.com>
---
 SPECS/moby-containerd/CVE-2024-28180.patch | 88 ++++++++++++++++++++++
 SPECS/moby-containerd/moby-containerd.spec |  6 +-
 2 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/moby-containerd/CVE-2024-28180.patch

diff --git a/SPECS/moby-containerd/CVE-2024-28180.patch b/SPECS/moby-containerd/CVE-2024-28180.patch
new file mode 100644
index 00000000000..6e47e250add
--- /dev/null
+++ b/SPECS/moby-containerd/CVE-2024-28180.patch
@@ -0,0 +1,88 @@
+From 49606141ae723d39c4a79c13f8579fcac8cbf0d0 Mon Sep 17 00:00:00 2001
+From: Kanishk Bansal <kbkanishk975@gmail.com>
+Date: Wed, 29 Jan 2025 19:29:39 +0000
+Subject: [PATCH] Address CVE-2024-28180
+
+---
+ vendor/gopkg.in/square/go-jose.v2/crypter.go  |  6 ++++++
+ vendor/gopkg.in/square/go-jose.v2/encoding.go | 20 +++++++++++++++----
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go
+index d24cabf..a628386 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/crypter.go
++++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go
+@@ -405,6 +405,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
+ // Decrypt and validate the object and return the plaintext. Note that this
+ // function does not support multi-recipient, if you desire multi-recipient
+ // decryption use DecryptMulti instead.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >10x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
+ 	headers := obj.mergedHeaders(nil)
+ 
+@@ -469,6 +472,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
+ // with support for multiple recipients. It returns the index of the recipient
+ // for which the decryption was successful, the merged headers for that recipient,
+ // and the plaintext.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >3x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
+ 	globalHeaders := obj.mergedHeaders(nil)
+ 
+diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+index 70f7385..2b92116 100644
+--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
++++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
+@@ -21,6 +21,7 @@ import (
+ 	"compress/flate"
+ 	"encoding/base64"
+ 	"encoding/binary"
++	"fmt"
+ 	"io"
+ 	"math/big"
+ 	"strings"
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ 	}
+ }
+ 
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ 	output := new(bytes.Buffer)
+ 
+@@ -97,15 +98,26 @@ func deflate(input []byte) ([]byte, error) {
+ 	return output.Bytes(), err
+ }
+ 
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger.
+ func inflate(input []byte) ([]byte, error) {
+ 	output := new(bytes.Buffer)
+ 	reader := flate.NewReader(bytes.NewBuffer(input))
+ 
+-	_, err := io.Copy(output, reader)
+-	if err != nil {
++	maxCompressedSize := 10 * int64(len(input))
++	if maxCompressedSize < 250000 {
++		maxCompressedSize = 250000
++	}
++	limit := maxCompressedSize + 1
++	n, err := io.CopyN(output, reader, limit)
++	if err != nil && err != io.EOF {
+ 		return nil, err
+ 	}
++	if n == limit {
++		return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++	}
+ 
+ 	err = reader.Close()
+ 	return output.Bytes(), err
+-- 
+2.43.0
+
diff --git a/SPECS/moby-containerd/moby-containerd.spec b/SPECS/moby-containerd/moby-containerd.spec
index 68af26bbc9b..76d4a13b43f 100644
--- a/SPECS/moby-containerd/moby-containerd.spec
+++ b/SPECS/moby-containerd/moby-containerd.spec
@@ -5,7 +5,7 @@
 Summary: Industry-standard container runtime
 Name: moby-%{upstream_name}
 Version: 1.6.26
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -20,6 +20,7 @@ Patch1:  add_ptrace_readby_tracedby_to_apparmor.patch
 Patch2:  fix_tests_for_golang1.21.patch
 Patch3:  CVE-2023-45288.patch
 Patch4:  CVE-2024-24786.patch
+Patch5:	 CVE-2024-28180.patch
 
 %{?systemd_requires}
 
@@ -93,6 +94,9 @@ fi
 %dir /opt/containerd/lib
 
 %changelog
+* Thu Jan 30 2025 Kanishk Bansal <kanbansal@microsoft.com> - 1.6.26-9
+- Fix CVE-2024-28180 with an upstream patch
+
 * Thu Dec 05 2024 sthelkar <sthelkar@microsoft.com> - 1.6.26-8
 - Patch CVE-2024-24786