Skip to content

Commit

Permalink
[AUTO-CHERRYPICK] Patch CVE-2024-24786 in cri-tools - branch main (#1…
Browse files Browse the repository at this point in the history 
…1419)

Co-authored-by: suresh-thelkar <[email protected]>
  • Loading branch information
@CBL-Mariner-Bot @suresh-thelkar
CBL-Mariner-Bot and suresh-thelkar authored Dec 18, 2024
1 parent 7b7ff79 commit 3f1a0e9
Show file tree
Hide file tree
Showing 2 changed files with 48 additions and 1 deletion.
43 changes: 43 additions & 0 deletions SPECS/cri-tools/CVE-2024-24786.patch
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
From c86c40f1c4b2627bde2af7ca0f407a42feae79b8 Mon Sep 17 00:00:00 2001
From: Suresh Thelkar <[email protected]>
Date: Wed, 4 Dec 2024 16:48:18 +0530
Subject: [PATCH] Patch for CVE-2024-24786

Upstream patch details are given below.
https://github.com/protocolbuffers/protobuf-go/commit/f01a588
---
.../protobuf/encoding/protojson/well_known_types.go | 4 ++++
.../protobuf/internal/encoding/json/decode.go | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
index 6c37d41..a03e928 100644
--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
@@ -348,6 +348,10 @@ func (d decoder) skipJSONValue() error {
}
}
}
+ case json.EOF:
+ // This can only happen if there's a bug in Decoder.Read.
+ // Avoid an infinite loop if this does happen.
+ return errors.New("unexpected EOF")
}
return nil
}
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
index d043a6e..d2b3ac0 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {

case ObjectClose:
if len(d.openStack) == 0 ||
- d.lastToken.kind == comma ||
+ d.lastToken.kind&(Name|comma) != 0 ||
d.openStack[len(d.openStack)-1] != ObjectOpen {
return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
}
--
2.34.1

6 changes: 5 additions & 1 deletion SPECS/cri-tools/cri-tools.spec
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
Summary: CRI tools
Name: cri-tools
Version: 1.29.0
Release: 4%{?dist}
Release: 5%{?dist}
License: Apache-2.0
Vendor: Microsoft Corporation
Distribution: Mariner
Expand All @@ -16,6 +16,7 @@ URL: https://github.com/kubernetes-sigs/cri-tools
Source0: https://github.com/kubernetes-sigs/cri-tools/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch0: CVE-2024-21626.patch
Patch1: CVE-2023-45288.patch
Patch2: CVE-2024-24786.patch
BuildRequires: glib-devel
BuildRequires: glibc-devel
BuildRequires: golang
Expand Down Expand Up @@ -46,6 +47,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} "${BUILD_FOLDER}/critest"
%{_bindir}/critest

%changelog
* Wed Dec 04 2024 Suresh Thelkar <[email protected]> - 1.29.0-5
- Patch CVE-2024-24786

* Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 1.29.0-4
- Bump release to rebuild with go 1.22.7

Expand Down

0 comments on commit 3f1a0e9

Please sign in to comment.