diff --git a/SPECS/containerized-data-importer/CVE-2024-28180.patch b/SPECS/containerized-data-importer/CVE-2024-28180.patch new file mode 100644 index 00000000000..45d72463733 --- /dev/null +++ b/SPECS/containerized-data-importer/CVE-2024-28180.patch @@ -0,0 +1,88 @@ +From 886860405f81160c23e8e9e8c80694f094f0e104 Mon Sep 17 00:00:00 2001 +From: Kanishk Bansal +Date: Wed, 29 Jan 2025 14:11:18 +0000 +Subject: [PATCH] Address CVE-2024-28180 + +--- + vendor/gopkg.in/square/go-jose.v2/crypter.go | 6 ++++++ + vendor/gopkg.in/square/go-jose.v2/encoding.go | 20 +++++++++++++++---- + 2 files changed, 22 insertions(+), 4 deletions(-) + +diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go +index d24cabf..a628386 100644 +--- a/vendor/gopkg.in/square/go-jose.v2/crypter.go ++++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go +@@ -405,6 +405,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions { + // Decrypt and validate the object and return the plaintext. Note that this + // function does not support multi-recipient, if you desire multi-recipient + // decryption use DecryptMulti instead. ++// ++// Automatically decompresses plaintext, but returns an error if the decompressed ++// data would be >250kB or >10x the size of the compressed data, whichever is larger. + func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) { + headers := obj.mergedHeaders(nil) + +@@ -469,6 +472,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) + // with support for multiple recipients. It returns the index of the recipient + // for which the decryption was successful, the merged headers for that recipient, + // and the plaintext. ++// ++// Automatically decompresses plaintext, but returns an error if the decompressed ++// data would be >250kB or >3x the size of the compressed data, whichever is larger. + func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) { + globalHeaders := obj.mergedHeaders(nil) + +diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go +index 70f7385..2b92116 100644 +--- a/vendor/gopkg.in/square/go-jose.v2/encoding.go ++++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go +@@ -21,6 +21,7 @@ import ( + "compress/flate" + "encoding/base64" + "encoding/binary" ++ "fmt" + "io" + "math/big" + "strings" +@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) { + } + } + +-// Compress with DEFLATE ++// deflate compresses the input. + func deflate(input []byte) ([]byte, error) { + output := new(bytes.Buffer) + +@@ -97,15 +98,26 @@ func deflate(input []byte) ([]byte, error) { + return output.Bytes(), err + } + +-// Decompress with DEFLATE ++// inflate decompresses the input. ++// ++// Errors if the decompressed data would be >250kB or >10x the size of the ++// compressed data, whichever is larger. + func inflate(input []byte) ([]byte, error) { + output := new(bytes.Buffer) + reader := flate.NewReader(bytes.NewBuffer(input)) + +- _, err := io.Copy(output, reader) +- if err != nil { ++ maxCompressedSize := 10 * int64(len(input)) ++ if maxCompressedSize < 250000 { ++ maxCompressedSize = 250000 ++ } ++ limit := maxCompressedSize + 1 ++ n, err := io.CopyN(output, reader, limit) ++ if err != nil && err != io.EOF { + return nil, err + } ++ if n == limit { ++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize) ++ } + + err = reader.Close() + return output.Bytes(), err +-- +2.43.0 + diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec index 29b7692725a..cb3de2a79ed 100644 --- a/SPECS/containerized-data-importer/containerized-data-importer.spec +++ b/SPECS/containerized-data-importer/containerized-data-importer.spec @@ -18,7 +18,7 @@ Summary: Container native virtualization Name: containerized-data-importer Version: 1.57.0 -Release: 8%{?dist} +Release: 9%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -31,6 +31,7 @@ Patch2: CVE-2024-24786.patch Patch3: CVE-2024-45338.patch Patch4: CVE-2023-39325.patch Patch5: CVE-2023-44487.patch +Patch6: CVE-2024-28180.patch BuildRequires: golang BuildRequires: golang-packaging BuildRequires: libnbd-devel @@ -225,6 +226,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m %{_datadir}/cdi/manifests %changelog +* Wed Jan 29 2025 Kanishk Bansal - 1.57.0-9 +- Fix CVE-2024-28180 with an upstream patch + * Fri Jan 24 2025 Henry Li - 1.57.0-8 - Add patch for CVE-2023-39325 and CVE-2023-44487