Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Patch moby-containerd for CVE-2024-28180 [Medium] #12136

Merged
merged 2 commits into from
Jan 30, 2025
+93 −1
Merged

Patch moby-containerd for CVE-2024-28180 [Medium] #12136

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
861c954
Fix CVE-2024-28180 in moby-containerd
Kanishk-Bansal Jan 29, 2025
aae233b
Merge branch 'fasttrack/2.0' into kanbansal/CVE-2024-28180/moby-conta…
jslobodzian Jan 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
88 changes: 88 additions & 0 deletions SPECS/moby-containerd/CVE-2024-28180.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
From 49606141ae723d39c4a79c13f8579fcac8cbf0d0 Mon Sep 17 00:00:00 2001
From: Kanishk Bansal <[email protected]>
Date: Wed, 29 Jan 2025 19:29:39 +0000
Subject: [PATCH] Address CVE-2024-28180

---
vendor/gopkg.in/square/go-jose.v2/crypter.go | 6 ++++++
vendor/gopkg.in/square/go-jose.v2/encoding.go | 20 +++++++++++++++----
2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go
index d24cabf..a628386 100644
--- a/vendor/gopkg.in/square/go-jose.v2/crypter.go
+++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go
@@ -405,6 +405,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
// Decrypt and validate the object and return the plaintext. Note that this
// function does not support multi-recipient, if you desire multi-recipient
// decryption use DecryptMulti instead.
+//
+// Automatically decompresses plaintext, but returns an error if the decompressed
+// data would be >250kB or >10x the size of the compressed data, whichever is larger.
func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
headers := obj.mergedHeaders(nil)

@@ -469,6 +472,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
// with support for multiple recipients. It returns the index of the recipient
// for which the decryption was successful, the merged headers for that recipient,
// and the plaintext.
+//
+// Automatically decompresses plaintext, but returns an error if the decompressed
+// data would be >250kB or >3x the size of the compressed data, whichever is larger.
func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
globalHeaders := obj.mergedHeaders(nil)

diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
index 70f7385..2b92116 100644
--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
+++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
@@ -21,6 +21,7 @@ import (
"compress/flate"
"encoding/base64"
"encoding/binary"
+ "fmt"
"io"
"math/big"
"strings"
@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
}
}

-// Compress with DEFLATE
+// deflate compresses the input.
func deflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)

@@ -97,15 +98,26 @@ func deflate(input []byte) ([]byte, error) {
return output.Bytes(), err
}

-// Decompress with DEFLATE
+// inflate decompresses the input.
+//
+// Errors if the decompressed data would be >250kB or >10x the size of the
+// compressed data, whichever is larger.
func inflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
reader := flate.NewReader(bytes.NewBuffer(input))

- _, err := io.Copy(output, reader)
- if err != nil {
+ maxCompressedSize := 10 * int64(len(input))
+ if maxCompressedSize < 250000 {
+ maxCompressedSize = 250000
+ }
+ limit := maxCompressedSize + 1
+ n, err := io.CopyN(output, reader, limit)
+ if err != nil && err != io.EOF {
return nil, err
}
+ if n == limit {
+ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
+ }

err = reader.Close()
return output.Bytes(), err
--
2.43.0

6 changes: 5 additions & 1 deletion SPECS/moby-containerd/moby-containerd.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
Summary: Industry-standard container runtime
Name: moby-%{upstream_name}
Version: 1.6.26
Release: 8%{?dist}
Release: 9%{?dist}
License: ASL 2.0
Group: Tools/Container
URL: https://www.containerd.io
Expand All @@ -20,6 +20,7 @@ Patch1: add_ptrace_readby_tracedby_to_apparmor.patch
Patch2: fix_tests_for_golang1.21.patch
Patch3: CVE-2023-45288.patch
Patch4: CVE-2024-24786.patch
Patch5: CVE-2024-28180.patch

%{?systemd_requires}

Expand Down Expand Up @@ -93,6 +94,9 @@ fi
%dir /opt/containerd/lib

%changelog
* Thu Jan 30 2025 Kanishk Bansal <[email protected]> - 1.6.26-9
- Fix CVE-2024-28180 with an upstream patch

* Thu Dec 05 2024 sthelkar <[email protected]> - 1.6.26-8
- Patch CVE-2024-24786

Expand Down
Loading