-
Notifications
You must be signed in to change notification settings - Fork 569
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Patch moby-engine to fix CVE-2023-45288 [High] (#12396)
Co-authored-by: jslobodzian <[email protected]>
- Loading branch information
1 parent
dd51f9d
commit 4a5b66d
Showing
2 changed files
with
88 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,83 @@ | ||
| Author: Damien Neil <[email protected]> | ||
| AuthorDate: 2024-01-10 13:41:39 -0800 | ||
| Commit: Gopher Robot <[email protected]> | ||
| CommitDate: 2024-04-03 17:06:00 +0000 | ||
|
|
||
| [internal-branch.go1.21-vendor] http2: close connections when receiving too many headers | ||
|
|
||
| Maintaining HPACK state requires that we parse and process | ||
| all HEADERS and CONTINUATION frames on a connection. | ||
| When a request's headers exceed MaxHeaderBytes, we don't | ||
| allocate memory to store the excess headers but we do | ||
| parse them. This permits an attacker to cause an HTTP/2 | ||
| endpoint to read arbitrary amounts of data, all associated | ||
| with a request which is going to be rejected. | ||
|
|
||
| Set a limit on the amount of excess header frames we | ||
| will process before closing a connection. | ||
|
|
||
| Thanks to Bartek Nowotarski for reporting this issue. | ||
|
|
||
| Fixes CVE-2023-45288 | ||
| For golang/go#65051 | ||
|
|
||
| Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 | ||
| Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 | ||
| Reviewed-by: Roland Shoemaker <[email protected]> | ||
| Reviewed-by: Tatiana Bradley <[email protected]> | ||
| Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197243 | ||
| Run-TryBot: Damien Neil <[email protected]> | ||
| Reviewed-by: Dmitri Shuralyov <[email protected]> | ||
| Reviewed-on: https://go-review.googlesource.com/c/net/+/576057 | ||
| LUCI-TryBot-Result: Go LUCI <[email protected]> | ||
| Auto-Submit: Dmitri Shuralyov <[email protected]> | ||
|
|
||
| diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go | ||
| index c1f6b90..175c154 100644 | ||
| --- a/vendor/golang.org/x/net/http2/frame.go | ||
| +++ b/vendor/golang.org/x/net/http2/frame.go | ||
| @@ -1565,6 +1565,7 @@ | ||
| if size > remainSize { | ||
| hdec.SetEmitEnabled(false) | ||
| mh.Truncated = true | ||
| + remainSize = 0 | ||
| return | ||
| } | ||
| remainSize -= size | ||
| @@ -1577,6 +1578,36 @@ | ||
| var hc headersOrContinuation = hf | ||
| for { | ||
| frag := hc.HeaderBlockFragment() | ||
| + | ||
| + // Avoid parsing large amounts of headers that we will then discard. | ||
| + // If the sender exceeds the max header list size by too much, | ||
| + // skip parsing the fragment and close the connection. | ||
| + // | ||
| + // "Too much" is either any CONTINUATION frame after we've already | ||
| + // exceeded the max header list size (in which case remainSize is 0), | ||
| + // or a frame whose encoded size is more than twice the remaining | ||
| + // header list bytes we're willing to accept. | ||
| + if int64(len(frag)) > int64(2*remainSize) { | ||
| + if VerboseLogs { | ||
| + log.Printf("http2: header list too large") | ||
| + } | ||
| + // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
| + // but the struture of the server's frame writer makes this difficult. | ||
| + return nil, ConnectionError(ErrCodeProtocol) | ||
| + } | ||
| + | ||
| + // Also close the connection after any CONTINUATION frame following an | ||
| + // invalid header, since we stop tracking the size of the headers after | ||
| + // an invalid one. | ||
| + if invalid != nil { | ||
| + if VerboseLogs { | ||
| + log.Printf("http2: invalid header: %v", invalid) | ||
| + } | ||
| + // It would be nice to send a RST_STREAM before sending the GOAWAY, | ||
| + // but the struture of the server's frame writer makes this difficult. | ||
| + return nil, ConnectionError(ErrCodeProtocol) | ||
| + } | ||
| + | ||
| if _, err := hdec.Write(frag); err != nil { | ||
| return nil, ConnectionError(ErrCodeCompression) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,7 +3,7 @@ | |
| Summary: The open-source application container engine | ||
| Name: moby-engine | ||
| Version: 25.0.3 | ||
| Release: 9%{?dist} | ||
| Release: 10%{?dist} | ||
| License: ASL 2.0 | ||
| Group: Tools/Container | ||
| URL: https://mobyproject.org | ||
|
|
@@ -23,6 +23,7 @@ Patch5: CVE-2024-36621.patch | |
| Patch6: CVE-2024-36620.patch | ||
| Patch7: CVE-2024-36623.patch | ||
| Patch8: CVE-2024-45337.patch | ||
| Patch9: CVE-2023-45288.patch | ||
|
|
||
| %{?systemd_requires} | ||
|
|
||
|
|
@@ -118,6 +119,9 @@ fi | |
| %{_unitdir}/* | ||
|
|
||
| %changelog | ||
| * Fri Feb 14 2025 Kanishk Bansal <[email protected]> - 25.0.3-10 | ||
| - Address CVE-2023-45288 | ||
|
|
||
| * Fri Dec 20 2024 Aurelien Bombo <[email protected]> - 25.0.3-9 | ||
| - Add patch for CVE-2024-45337 | ||
|
|
||
|
|
||