diff --git a/SPECS/containerized-data-importer/CVE-2022-2879.patch b/SPECS/containerized-data-importer/CVE-2022-2879.patch
index c24bd58e3ac..fad24af4df7 100644
--- a/SPECS/containerized-data-importer/CVE-2022-2879.patch
+++ b/SPECS/containerized-data-importer/CVE-2022-2879.patch
@@ -45,7 +45,7 @@ index af006fc..2baa0d5 100644
 continue // This is a meta header affecting the next header
 case TypeGNULongName, TypeGNULongLink:
 format.mayOnlyBe(FormatGNU)
-- realname, err := ioutil.ReadAll(tr)
+- realname, err := io.ReadAll(tr)
 + realname, err := readSpecialFile(tr)
 if err != nil {
 return nil, err
@@ -54,7 +54,7 @@ index af006fc..2baa0d5 100644
 // parsePAX parses PAX headers.
 // If an extended header (type 'x') is invalid, ErrHeader is returned
 func parsePAX(r io.Reader) (map[string]string, error) {
-- buf, err := ioutil.ReadAll(r)
+- buf, err := io.ReadAll(r)
 + buf, err := readSpecialFile(r)
 if err != nil {
 return nil, err
diff --git a/SPECS/containerized-data-importer/CVE-2023-39325.patch b/SPECS/containerized-data-importer/CVE-2023-39325.patch
deleted file mode 100644
index e0085e416d6..00000000000
--- a/SPECS/containerized-data-importer/CVE-2023-39325.patch
+++ /dev/null
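Review bot: Both hunks here (@@ -45,7 and @@ -54,7) refresh only the removed-line context of the nested patch from `ioutil.ReadAll` to `io.ReadAll`, so CVE-2022-2879.patch now assumes the vendored archive/tar source already uses `io.ReadAll`; the build should confirm the patch still applies cleanly against the refreshed vendor tree rather than relying on the remainder of the patch, which is outside this diff. If the patch has an earlier hunk adjusting the import block for `io/ioutil`, it presumably needs the same refresh or patch application will fail on that hunk. The CVE-*.patch deletions further down look like the result of dependency upgrades that carry the upstream fixes; the matching `Patch:` lines and changelog entry in the .spec are not visible here and should be dropped in the same commit so the build does not reference removed files.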
@@ -1,117 +0,0 @@
-diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
-index 8cb14f3..6000140 100644
---- a/vendor/golang.org/x/net/http2/server.go
-+++ b/vendor/golang.org/x/net/http2/server.go
-@@ -581,9 +581,11 @@ type serverConn struct {
- advMaxStreams uint32 // our SETTINGS_MAX_CONCURRENT_STREAMS advertised the client
- curClientStreams uint32 // number of open streams initiated by the client
- curPushedStreams uint32 // number of open streams initiated by server push
-+ curHandlers uint32 // number of running handler goroutines
- maxClientStreamID uint32 // max ever seen from client (odd), or 0 if there have been no client requests
- maxPushPromiseID uint32 // ID of the last push promise (even), or 0 if there have been no pushes
- streams map[uint32]*stream
-+ unstartedHandlers []unstartedHandler
- initialStreamSendWindowSize int32
- maxFrameSize int32
- peerMaxHeaderListSize uint32 // zero means unknown (default)
-@@ -981,6 +983,8 @@ func (sc *serverConn) serve() {
- return
- case gracefulShutdownMsg:
- sc.startGracefulShutdownInternal()
-+ case handlerDoneMsg:
-+ sc.handlerDone()
- default:
- panic("unknown timer")
- }
-@@ -1028,6 +1032,7 @@ var (
- idleTimerMsg = new(serverMessage)
- shutdownTimerMsg = new(serverMessage)
- gracefulShutdownMsg = new(serverMessage)
-+ handlerDoneMsg = new(serverMessage)
- )
-
- func (sc *serverConn) onSettingsTimer() { sc.sendServeMsg(settingsTimerMsg) }
-@@ -2022,8 +2027,7 @@ func (sc *serverConn) processHeaders(f *MetaHeadersFrame) error {
- }
- }
-
-- go sc.runHandler(rw, req, handler)
-- return nil
-+ return sc.scheduleHandler(id, rw, req, handler)
- }
-
- func (sc *serverConn) upgradeRequest(req *http.Request) {
-@@ -2043,6 +2047,10 @@ func (sc *serverConn) upgradeRequest(req *http.Request) {
- sc.conn.SetReadDeadline(time.Time{})
- }
-
-+ // This is the first request on the connection,
-+ // so start the handler directly rather than going
-+ // through scheduleHandler.
-+ sc.curHandlers++
- go sc.runHandler(rw, req, sc.handler.ServeHTTP)
- }
-
-@@ -2283,8 +2291,62 @@ func (sc *serverConn) newResponseWriter(st *stream, req *http.Request) *response
- return &responseWriter{rws: rws}
- }
-
-+type unstartedHandler struct {
-+ streamID uint32
-+ rw *responseWriter
-+ req *http.Request
-+ handler func(http.ResponseWriter, *http.Request)
-+}
-+
-+// scheduleHandler starts a handler goroutine,
-+// or schedules one to start as soon as an existing handler finishes.
-+func (sc *serverConn) scheduleHandler(streamID uint32, rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) error {
-+ sc.serveG.check()
-+ maxHandlers := sc.advMaxStreams
-+ if sc.curHandlers < maxHandlers {
-+ sc.curHandlers++
-+ go sc.runHandler(rw, req, handler)
-+ return nil
-+ }
-+ if len(sc.unstartedHandlers) > int(4*sc.advMaxStreams) {
-+ return sc.countError("too_many_early_resets", ConnectionError(ErrCodeEnhanceYourCalm))
-+ }
-+ sc.unstartedHandlers = append(sc.unstartedHandlers, unstartedHandler{
-+ streamID: streamID,
-+ rw: rw,
-+ req: req,
-+ handler: handler,
-+ })
-+ return nil
-+}
-+
-+func (sc *serverConn) handlerDone() {
-+ sc.serveG.check()
-+ sc.curHandlers--
-+ i := 0
-+ maxHandlers := sc.advMaxStreams
-+ for ; i < len(sc.unstartedHandlers); i++ {
-+ u := sc.unstartedHandlers[i]
-+ if sc.streams[u.streamID] == nil {
-+ // This stream was reset before its goroutine had a chance to start.
-+ continue
-+ }
-+ if sc.curHandlers >= maxHandlers {
-+ break
-+ }
-+ sc.curHandlers++
-+ go sc.runHandler(u.rw, u.req, u.handler)
-+ sc.unstartedHandlers[i] = unstartedHandler{} // don't retain references
-+ }
-+ sc.unstartedHandlers = sc.unstartedHandlers[i:]
-+ if len(sc.unstartedHandlers) == 0 {
-+ sc.unstartedHandlers = nil
-+ }
-+}
-+
- // Run on its own goroutine.
- func (sc *serverConn) runHandler(rw *responseWriter, req *http.Request, handler func(http.ResponseWriter, *http.Request)) {
-+ defer sc.sendServeMsg(handlerDoneMsg)
- didPanic := true
- defer func() {
- rw.rws.stream.cancelCtx()
diff --git a/SPECS/containerized-data-importer/CVE-2023-3978.patch b/SPECS/containerized-data-importer/CVE-2023-3978.patch
deleted file mode 100644
index 6a3c1192b1e..00000000000
--- a/SPECS/containerized-data-importer/CVE-2023-3978.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 5abbff46d6a70d0e31b41ce98cddaa08cc911e3f Mon Sep 17 00:00:00 2001
-From: Sudipta Pandit
-Date: Wed, 5 Feb 2025 20:58:22 +0530
-Subject: [PATCH] Backport fix for CVE-2023-3978
-
-Reference: https://go-review.googlesource.com/c/net/+/514896
----
- vendor/golang.org/x/net/html/render.go | 28 ++++++++++++++++++++++----
- 1 file changed, 24 insertions(+), 4 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/html/render.go b/vendor/golang.org/x/net/html/render.go
-index 497e132..1da09c8 100644
---- a/vendor/golang.org/x/net/html/render.go
-+++ b/vendor/golang.org/x/net/html/render.go
-@@ -194,9 +194,8 @@ func render1(w writer, n *Node) error {
- }
- }
-
-- // Render any child nodes.
-- switch n.Data {
-- case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
-+ // Render any child nodes
-+ if childTextNodesAreLiteral(n) {
- for c := n.FirstChild; c != nil; c = c.NextSibling {
- if c.Type == TextNode {
- if _, err := w.WriteString(c.Data); err != nil {
-@@ -213,7 +212,7 @@ func render1(w writer, n *Node) error {
- // last element in the file, with no closing tag.
- return plaintextAbort
- }
-- default:
-+ } else {
- for c := n.FirstChild; c != nil; c = c.NextSibling {
- if err := render1(w, c); err != nil {
- return err
-@@ -231,6 +230,27 @@ func render1(w writer, n *Node) error {
- return w.WriteByte('>')
- }
-
-+func childTextNodesAreLiteral(n *Node) bool {
-+ // Per WHATWG HTML 13.3, if the parent of the current node is a style,
-+ // script, xmp, iframe, noembed, noframes, or plaintext element, and the
-+ // current node is a text node, append the value of the node's data
-+ // literally. The specification is not explicit about it, but we only
-+ // enforce this if we are in the HTML namespace (i.e. when the namespace is
-+ // "").
-+ // NOTE: we also always include noscript elements, although the
-+ // specification states that they should only be rendered as such if
-+ // scripting is enabled for the node (which is not something we track).
-+ if n.Namespace != "" {
-+ return false
-+ }
-+ switch n.Data {
-+ case "iframe", "noembed", "noframes", "noscript", "plaintext", "script", "style", "xmp":
-+ return true
-+ default:
-+ return false
-+ }
-+}
-+
- // writeQuoted writes s to w surrounded by quotes. Normally it will use double
- // quotes, but if s contains a double quote, it will use single quotes.
- // It is used for writing the identifiers in a doctype declaration.
---
-2.34.1
-
diff --git a/SPECS/containerized-data-importer/CVE-2023-44487.patch b/SPECS/containerized-data-importer/CVE-2023-44487.patch
deleted file mode 100644
index ee2a818f281..00000000000
--- a/SPECS/containerized-data-importer/CVE-2023-44487.patch
+++ /dev/null
@@ -1,258 +0,0 @@
-diff --git a/vendor/google.golang.org/grpc/internal/transport/http2_server.go b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
-index 3dd1564..9d9a3fd 100644
---- a/vendor/google.golang.org/grpc/internal/transport/http2_server.go
-+++ b/vendor/google.golang.org/grpc/internal/transport/http2_server.go
-@@ -165,15 +165,10 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
- ID: http2.SettingMaxFrameSize,
- Val: http2MaxFrameLen,
- }}
-- // TODO(zhaoq): Have a better way to signal "no limit" because 0 is
-- // permitted in the HTTP2 spec.
-- maxStreams := config.MaxStreams
-- if maxStreams == 0 {
-- maxStreams = math.MaxUint32
-- } else {
-+ if config.MaxStreams != math.MaxUint32 {
- isettings = append(isettings, http2.Setting{
- ID: http2.SettingMaxConcurrentStreams,
-- Val: maxStreams,
-+ Val: config.MaxStreams,
- })
- }
- dynamicWindow := true
-@@ -252,7 +247,7 @@ func NewServerTransport(conn net.Conn, config *ServerConfig) (_ ServerTransport,
- framer: framer,
- readerDone: make(chan struct{}),
- writerDone: make(chan struct{}),
-- maxStreams: maxStreams,
-+ maxStreams: config.MaxStreams,
- inTapHandle: config.InTapHandle,
- fc: &trInFlow{limit: uint32(icwz)},
- state: reachable,
-diff --git a/vendor/google.golang.org/grpc/server.go b/vendor/google.golang.org/grpc/server.go
-index f4dde72..98839ad 100644
---- a/vendor/google.golang.org/grpc/server.go
-+++ b/vendor/google.golang.org/grpc/server.go
-@@ -43,7 +43,6 @@ import (
- "google.golang.org/grpc/internal"
- "google.golang.org/grpc/internal/binarylog"
- "google.golang.org/grpc/internal/channelz"
-- "google.golang.org/grpc/internal/grpcrand"
- "google.golang.org/grpc/internal/grpcsync"
- "google.golang.org/grpc/internal/transport"
- "google.golang.org/grpc/keepalive"
-@@ -74,10 +73,10 @@ func init() {
- srv.drainServerTransports(addr)
- }
- internal.AddGlobalServerOptions = func(opt ...ServerOption) {
-- extraServerOptions = append(extraServerOptions, opt...)
-+ globalServerOptions = append(globalServerOptions, opt...)
- }
- internal.ClearGlobalServerOptions = func() {
-- extraServerOptions = nil
-+ globalServerOptions = nil
- }
- internal.BinaryLogger = binaryLogger
- internal.JoinServerOptions = newJoinServerOption
-@@ -115,12 +114,6 @@ type serviceInfo struct {
- mdata interface{}
- }
-
--type serverWorkerData struct {
-- st transport.ServerTransport
-- wg *sync.WaitGroup
-- stream *transport.Stream
--}
--
- // Server is a gRPC server to serve RPC requests.
- type Server struct {
- opts serverOptions
-@@ -145,7 +138,7 @@ type Server struct {
- channelzID *channelz.Identifier
- czData *channelzData
-
-- serverWorkerChannels []chan *serverWorkerData
-+ serverWorkerChannel chan func()
- }
-
- type serverOptions struct {
-@@ -177,13 +170,14 @@ type serverOptions struct {
- }
-
- var defaultServerOptions = serverOptions{
-+ maxConcurrentStreams: math.MaxUint32,
- maxReceiveMessageSize: defaultServerMaxReceiveMessageSize,
- maxSendMessageSize: defaultServerMaxSendMessageSize,
- connectionTimeout: 120 * time.Second,
- writeBufferSize: defaultWriteBufSize,
- readBufferSize: defaultReadBufSize,
- }
--var extraServerOptions []ServerOption
-+var globalServerOptions []ServerOption
-
- // A ServerOption sets options such as credentials, codec and keepalive parameters, etc.
- type ServerOption interface {
-@@ -387,6 +381,9 @@ func MaxSendMsgSize(m int) ServerOption {
- // MaxConcurrentStreams returns a ServerOption that will apply a limit on the number
- // of concurrent streams to each ServerTransport.
- func MaxConcurrentStreams(n uint32) ServerOption {
-+ if n == 0 {
-+ n = math.MaxUint32
-+ }
- return newFuncServerOption(func(o *serverOptions) {
- o.maxConcurrentStreams = n
- })
-@@ -565,42 +562,35 @@ const serverWorkerResetThreshold = 1 << 16
- // re-allocations (see the runtime.morestack problem [1]).
- //
- // [1] https://github.com/golang/go/issues/18138
--func (s *Server) serverWorker(ch chan *serverWorkerData) {
-- // To make sure all server workers don't reset at the same time, choose a
-- // random number of iterations before resetting.
-- threshold := serverWorkerResetThreshold + grpcrand.Intn(serverWorkerResetThreshold)
-- for completed := 0; completed < threshold; completed++ {
-- data, ok := <-ch
-+func (s *Server) serverWorker() {
-+ for completed := 0; completed < serverWorkerResetThreshold; completed++ {
-+ f, ok := <-s.serverWorkerChannel
- if !ok {
- return
- }
-- s.handleStream(data.st, data.stream, s.traceInfo(data.st, data.stream))
-- data.wg.Done()
-+ f()
- }
-- go s.serverWorker(ch)
-+ go s.serverWorker()
- }
-
- // initServerWorkers creates worker goroutines and channels to process incoming
- // connections to reduce the time spent overall on runtime.morestack.
- func (s *Server) initServerWorkers() {
-- s.serverWorkerChannels = make([]chan *serverWorkerData, s.opts.numServerWorkers)
-+ s.serverWorkerChannel = make(chan func())
- for i := uint32(0); i < s.opts.numServerWorkers; i++ {
-- s.serverWorkerChannels[i] = make(chan *serverWorkerData)
-- go s.serverWorker(s.serverWorkerChannels[i])
-+ go s.serverWorker()
- }
- }
-
- func (s *Server) stopServerWorkers() {
-- for i := uint32(0); i < s.opts.numServerWorkers; i++ {
-- close(s.serverWorkerChannels[i])
-- }
-+ close(s.serverWorkerChannel)
- }
-
- // NewServer creates a gRPC server which has no service registered and has not
- // started to accept requests yet.
- func NewServer(opt ...ServerOption) *Server {
- opts := defaultServerOptions
-- for _, o := range extraServerOptions {
-+ for _, o := range globalServerOptions {
- o.apply(&opts)
- }
- for _, o := range opt {
-@@ -945,25 +935,26 @@ func (s *Server) serveStreams(st transport.ServerTransport) {
- defer st.Close()
- var wg sync.WaitGroup
-
-- var roundRobinCounter uint32
-+ streamQuota := newHandlerQuota(s.opts.maxConcurrentStreams)
- st.HandleStreams(func(stream *transport.Stream) {
- wg.Add(1)
-+
-+ streamQuota.acquire()
-+ f := func() {
-+ defer streamQuota.release()
-+ defer wg.Done()
-+ s.handleStream(st, stream, s.traceInfo(st, stream))
-+ }
-+
- if s.opts.numServerWorkers > 0 {
-- data := &serverWorkerData{st: st, wg: &wg, stream: stream}
- select {
-- case s.serverWorkerChannels[atomic.AddUint32(&roundRobinCounter, 1)%s.opts.numServerWorkers] <- data:
-+ case s.serverWorkerChannel <- f:
-+ return
- default:
- // If all stream workers are busy, fallback to the default code path.
-- go func() {
-- s.handleStream(st, stream, s.traceInfo(st, stream))
-- wg.Done()
-- }()
- }
- } else {
-- go func() {
-- defer wg.Done()
-- s.handleStream(st, stream, s.traceInfo(st, stream))
-- }()
-+ go f()
- }
- }, func(ctx context.Context, method string) context.Context {
- if !EnableTracing {
-@@ -1978,3 +1969,34 @@ type channelzServer struct {
- func (c *channelzServer) ChannelzMetric() *channelz.ServerInternalMetric {
- return c.s.channelzMetric()
- }
-+
-+// atomicSemaphore implements a blocking, counting semaphore. acquire should be
-+// called synchronously; release may be called asynchronously.
-+type atomicSemaphore struct {
-+ n atomic.Int64
-+ wait chan struct{}
-+}
-+
-+func (q *atomicSemaphore) acquire() {
-+ if q.n.Add(-1) < 0 {
-+ // We ran out of quota. Block until a release happens.
-+ <-q.wait
-+ }
-+}
-+
-+func (q *atomicSemaphore) release() {
-+ // N.B. the "<= 0" check below should allow for this to work with multiple
-+ // concurrent calls to acquire, but also note that with synchronous calls to
-+ // acquire, as our system does, n will never be less than -1. There are
-+ // fairness issues (queuing) to consider if this was to be generalized.
-+ if q.n.Add(1) <= 0 {
-+ // An acquire was waiting on us. Unblock it.
-+ q.wait <- struct{}{}
-+ }
-+}
-+
-+func newHandlerQuota(n uint32) *atomicSemaphore {
-+ a := &atomicSemaphore{wait: make(chan struct{}, 1)}
-+ a.n.Store(int64(n))
-+ return a
-+}
-\ No newline at end of file
-diff --git a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
-index d738725..3674914 100644
---- a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
-+++ b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go
-@@ -126,14 +126,17 @@ type rudimentaryErrorBackoff struct {
- // OnError will block if it is called more often than the embedded period time.
- // This will prevent overly tight hot error loops.
- func (r *rudimentaryErrorBackoff) OnError(error) {
-+ now := time.Now() // start the timer before acquiring the lock
- r.lastErrorTimeLock.Lock()
-- defer r.lastErrorTimeLock.Unlock()
-- d := time.Since(r.lastErrorTime)
-- if d < r.minPeriod {
-- // If the time moves backwards for any reason, do nothing
-- time.Sleep(r.minPeriod - d)
-- }
-+ d := now.Sub(r.lastErrorTime)
- r.lastErrorTime = time.Now()
-+ r.lastErrorTimeLock.Unlock()
-+
-+ // Do not sleep with the lock held because that causes all callers of HandleError to block.
-+ // We only want the current goroutine to block.
-+ // A negative or zero duration causes time.Sleep to return immediately.
-+ // If the time moves backwards for any reason, do nothing.
-+ time.Sleep(r.minPeriod - d)
- }
-
- // GetCaller returns the caller of the function that calls it.
diff --git a/SPECS/containerized-data-importer/CVE-2023-45288.patch b/SPECS/containerized-data-importer/CVE-2023-45288.patch
deleted file mode 100644
index 80eaa40216a..00000000000
--- a/SPECS/containerized-data-importer/CVE-2023-45288.patch
+++ /dev/null
@@ -1,83 +0,0 @@
-Author: Damien Neil
-AuthorDate: 2024-01-10 13:41:39 -0800
-Commit: Gopher Robot
-CommitDate: 2024-04-03 17:06:00 +0000
-
-[internal-branch.go1.21-vendor] http2: close connections when receiving too many headers
-
-Maintaining HPACK state requires that we parse and process
-all HEADERS and CONTINUATION frames on a connection.
-When a request's headers exceed MaxHeaderBytes, we don't
-allocate memory to store the excess headers but we do
-parse them. This permits an attacker to cause an HTTP/2
-endpoint to read arbitrary amounts of data, all associated
-with a request which is going to be rejected.
-
-Set a limit on the amount of excess header frames we
-will process before closing a connection.
-
-Thanks to Bartek Nowotarski for reporting this issue.
-
-Fixes CVE-2023-45288
-For golang/go#65051
-
-Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
-Reviewed-by: Roland Shoemaker
-Reviewed-by: Tatiana Bradley
-Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2197243
-Run-TryBot: Damien Neil
-Reviewed-by: Dmitri Shuralyov
-Reviewed-on: https://go-review.googlesource.com/c/net/+/576057
-LUCI-TryBot-Result: Go LUCI
-Auto-Submit: Dmitri Shuralyov
-
-diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
-index c1f6b90..175c154 100644
---- a/vendor/golang.org/x/net/http2/frame.go
-+++ b/vendor/golang.org/x/net/http2/frame.go
-@@ -1565,6 +1565,7 @@
- if size > remainSize {
- hdec.SetEmitEnabled(false)
- mh.Truncated = true
-+ remainSize = 0
- return
- }
- remainSize -= size
-@@ -1577,6 +1578,36 @@
- var hc headersOrContinuation = hf
- for {
- frag := hc.HeaderBlockFragment()
-+
-+ // Avoid parsing large amounts of headers that we will then discard.
-+ // If the sender exceeds the max header list size by too much,
-+ // skip parsing the fragment and close the connection.
-+ //
-+ // "Too much" is either any CONTINUATION frame after we've already
-+ // exceeded the max header list size (in which case remainSize is 0),
-+ // or a frame whose encoded size is more than twice the remaining
-+ // header list bytes we're willing to accept.
-+ if int64(len(frag)) > int64(2*remainSize) {
-+ if VerboseLogs {
-+ log.Printf("http2: header list too large")
-+ }
-+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
-+ // but the struture of the server's frame writer makes this difficult.
-+ return nil, ConnectionError(ErrCodeProtocol)
-+ }
-+
-+ // Also close the connection after any CONTINUATION frame following an
-+ // invalid header, since we stop tracking the size of the headers after
-+ // an invalid one.
-+ if invalid != nil {
-+ if VerboseLogs {
-+ log.Printf("http2: invalid header: %v", invalid)
-+ }
-+ // It would be nice to send a RST_STREAM before sending the GOAWAY,
-+ // but the struture of the server's frame writer makes this difficult.
-+ return nil, ConnectionError(ErrCodeProtocol)
-+ }
-+
- if _, err := hdec.Write(frag); err != nil {
- return nil, ConnectionError(ErrCodeCompression)
- }
diff --git a/SPECS/containerized-data-importer/CVE-2024-24786.patch b/SPECS/containerized-data-importer/CVE-2024-24786.patch
deleted file mode 100644
index 6c80204f5b0..00000000000
--- a/SPECS/containerized-data-importer/CVE-2024-24786.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001
-From: bala
-Date: Mon, 25 Nov 2024 16:47:53 +0000
-Subject: [PATCH] Vendor patch applied
-
----
- .../protobuf/encoding/protojson/decode.go | 12 ++++
- .../encoding/protojson/well_known_types.go | 59 +++++++------------
- .../protobuf/internal/encoding/json/decode.go | 2 +-
- 3 files changed, 33 insertions(+), 40 deletions(-)
-
-diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
-index 5f28148..67fe4e7 100644
---- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
-+++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
-@@ -11,6 +11,7 @@ import (
- "strconv"
- "strings"
-
-+ "google.golang.org/protobuf/encoding/protowire"
- "google.golang.org/protobuf/internal/encoding/json"
- "google.golang.org/protobuf/internal/encoding/messageset"
- "google.golang.org/protobuf/internal/errors"
-@@ -47,6 +48,10 @@ type UnmarshalOptions struct {
- protoregistry.MessageTypeResolver
- protoregistry.ExtensionTypeResolver
- }
-+
-+ // RecursionLimit limits how deeply messages may be nested.
-+ // If zero, a default limit is applied.
-+ RecursionLimit int
- }
-
- // Unmarshal reads the given []byte and populates the given proto.Message
-@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error {
- if o.Resolver == nil {
- o.Resolver = protoregistry.GlobalTypes
- }
-+ if o.RecursionLimit == 0 {
-+ o.RecursionLimit = protowire.DefaultRecursionLimit
-+ }
-
- dec := decoder{json.NewDecoder(b), o}
- if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil {
-@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error {
-
- // unmarshalMessage unmarshals a message into the given protoreflect.Message.
- func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error {
-+ d.opts.RecursionLimit--
-+ if d.opts.RecursionLimit < 0 {
-+ return errors.New("exceeded max recursion depth")
-+ }
- if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil {
- return unmarshal(d, m)
- }
-diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-index 6c37d41..4b177c8 100644
---- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
-@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error {
- // Use another decoder to parse the unread bytes for @type field. This
- // avoids advancing a read from current decoder because the current JSON
- // object may contain the fields of the embedded type.
-- dec := decoder{d.Clone(), UnmarshalOptions{}}
-+ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}}
- tok, err := findTypeURL(dec)
- switch err {
- case errEmptyObject:
-@@ -308,48 +308,29 @@ Loop:
- // array) in order to advance the read to the next JSON value. It relies on
- // the decoder returning an error if the types are not in valid sequence.
- func (d decoder) skipJSONValue() error {
-- tok, err := d.Read()
-- if err != nil {
-- return err
-- }
-- // Only need to continue reading for objects and arrays.
-- switch tok.Kind() {
-- case json.ObjectOpen:
-- for {
-- tok, err := d.Read()
-- if err != nil {
-- return err
-- }
-- switch tok.Kind() {
-- case json.ObjectClose:
-- return nil
-- case json.Name:
-- // Skip object field value.
-- if err := d.skipJSONValue(); err != nil {
-- return err
-- }
-- }
-+ var open int
-+ for {
-+ tok, err := d.Read()
-+ if err != nil {
-+ return err
- }
--
-- case json.ArrayOpen:
-- for {
-- tok, err := d.Peek()
-- if err != nil {
-- return err
-- }
-- switch tok.Kind() {
-- case json.ArrayClose:
-- d.Read()
-- return nil
-- default:
-- // Skip array item.
-- if err := d.skipJSONValue(); err != nil {
-- return err
-- }
-+ switch tok.Kind() {
-+ case json.ObjectClose, json.ArrayClose:
-+ open--
-+ case json.ObjectOpen, json.ArrayOpen:
-+ open++
-+ if open > d.opts.RecursionLimit {
-+ return errors.New("exceeded max recursion depth")
- }
-+ case json.EOF:
-+ // This can only happen if there's a bug in Decoder.Read.
-+ // Avoid an infinite loop if this does happen.
-+ return errors.New("unexpected EOF")
-+ }
-+ if open == 0 {
-+ return nil
- }
- }
-- return nil
- }
-
- // unmarshalAnyValue unmarshals the given custom-type message from the JSON
-diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
-index d043a6e..d2b3ac0 100644
---- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
-+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
-@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
-
- case ObjectClose:
- if len(d.openStack) == 0 ||
-- d.lastToken.kind == comma ||
-+ d.lastToken.kind&(Name|comma) != 0 ||
- d.openStack[len(d.openStack)-1] != ObjectOpen {
- return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
- }
---
-2.39.4
-
diff --git a/SPECS/containerized-data-importer/CVE-2024-28180.patch b/SPECS/containerized-data-importer/CVE-2024-28180.patch
deleted file mode 100644
index 45d72463733..00000000000
--- a/SPECS/containerized-data-importer/CVE-2024-28180.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 886860405f81160c23e8e9e8c80694f094f0e104 Mon Sep 17 00:00:00 2001
-From: Kanishk Bansal
-Date: Wed, 29 Jan 2025 14:11:18 +0000
-Subject: [PATCH] Address CVE-2024-28180
-
----
- vendor/gopkg.in/square/go-jose.v2/crypter.go | 6 ++++++
- vendor/gopkg.in/square/go-jose.v2/encoding.go | 20 +++++++++++++++----
- 2 files changed, 22 insertions(+), 4 deletions(-)
-
-diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go
-index d24cabf..a628386 100644
---- a/vendor/gopkg.in/square/go-jose.v2/crypter.go
-+++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go
-@@ -405,6 +405,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
- // Decrypt and validate the object and return the plaintext. Note that this
- // function does not support multi-recipient, if you desire multi-recipient
- // decryption use DecryptMulti instead.
-+//
-+// Automatically decompresses plaintext, but returns an error if the decompressed
-+// data would be >250kB or >10x the size of the compressed data, whichever is larger.
- func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
- headers := obj.mergedHeaders(nil)
-
-@@ -469,6 +472,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
- // with support for multiple recipients. It returns the index of the recipient
- // for which the decryption was successful, the merged headers for that recipient,
- // and the plaintext.
-+//
-+// Automatically decompresses plaintext, but returns an error if the decompressed
-+// data would be >250kB or >3x the size of the compressed data, whichever is larger.
- func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
- globalHeaders := obj.mergedHeaders(nil)
-
-diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go
-index 70f7385..2b92116 100644
---- a/vendor/gopkg.in/square/go-jose.v2/encoding.go
-+++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go
-@@ -21,6 +21,7 @@ import (
- "compress/flate"
- "encoding/base64"
- "encoding/binary"
-+ "fmt"
- "io"
- "math/big"
- "strings"
-@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
- }
- }
-
--// Compress with DEFLATE
-+// deflate compresses the input.
- func deflate(input []byte) ([]byte, error) {
- output := new(bytes.Buffer)
-
-@@ -97,15 +98,26 @@ func deflate(input []byte) ([]byte, error) {
- return output.Bytes(), err
- }
-
--// Decompress with DEFLATE
-+// inflate decompresses the input.
-+//
-+// Errors if the decompressed data would be >250kB or >10x the size of the
-+// compressed data, whichever is larger.
- func inflate(input []byte) ([]byte, error) {
- output := new(bytes.Buffer)
- reader := flate.NewReader(bytes.NewBuffer(input))
-
-- _, err := io.Copy(output, reader)
-- if err != nil {
-+ maxCompressedSize := 10 * int64(len(input))
-+ if maxCompressedSize < 250000 {
-+ maxCompressedSize = 250000
-+ }
-+ limit := maxCompressedSize + 1
-+ n, err := io.CopyN(output, reader, limit)
-+ if err != nil && err != io.EOF {
- return nil, err
- }
-+ if n == limit {
-+ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
-+ }
-
- err = reader.Close()
- return output.Bytes(), err
---
-2.43.0
-
diff --git a/SPECS/containerized-data-importer/CVE-2024-3727.patch b/SPECS/containerized-data-importer/CVE-2024-3727.patch
deleted file mode 100644
index 92f882851e9..00000000000
--- a/SPECS/containerized-data-importer/CVE-2024-3727.patch
+++ /dev/null
@@ -1,165 +0,0 @@
-From ea14d57b98cc37decad0c39ccbafb27994274b47 Mon Sep 17 00:00:00 2001
-From: Brian Fjeldstad
-Date: Thu, 6 Jun 2024 21:13:36 +0000
-Subject: [PATCH] apply CVE-2024-3727 fix to v5.19.1
-
----
- vendor/github.com/containers/image/v5/docker/docker_client.go | 3 +++
- vendor/github.com/containers/image/v5/docker/docker_image.go | 8 ++++++--
- vendor/github.com/containers/image/v5/docker/docker_image_dest.go | 15 ++++++++++++---
- vendor/github.com/containers/image/v5/docker/docker_image_src.go | 19 +++++++++++++++++--
- vendor/github.com/containers/image/v5/docker/lookaside.go | 7 +++++--
- 5 files changed, 43 insertions(+), 9 deletions(-)
-
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_client.go b/vendor/github.com/containers/image/v5/docker/docker_client.go
-index 833323b4..99bde923 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_client.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_client.go
-@@ -796,6 +796,9 @@ func (c *dockerClient) detectProperties(ctx context.Context) error {
- // getExtensionsSignatures returns signatures from the X-Registry-Supports-Signatures API extension,
- // using the original data structures.
- func (c *dockerClient) getExtensionsSignatures(ctx context.Context, ref dockerReference, manifestDigest digest.Digest) (*extensionSignatureList, error) {
-+ if err := manifestDigest.Validate(); err != nil { // Make sure manifestDigest.String() does not contain any unexpected characters
-+ return nil, err
-+ }
- path := fmt.Sprintf(extensionsSignaturePath, reference.Path(ref.ref), manifestDigest)
- res, err := c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil)
- if err != nil {
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_image.go b/vendor/github.com/containers/image/v5/docker/docker_image.go
-index c84bb37d..0076d229 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_image.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_image.go
-@@ -83,8 +83,12 @@ func GetRepositoryTags(ctx context.Context, sys *types.SystemContext, ref types.
- if err = json.NewDecoder(res.Body).Decode(&tagsHolder); err != nil {
- return nil, err
- }
-- tags = append(tags, tagsHolder.Tags...)
--
-+ for _, tag := range tagsHolder.Tags {
-+ if _, err := reference.WithTag(dr.ref, tag); err != nil { // Ensure the tag does not contain unexpected values
-+ return nil, fmt.Errorf("registry returned invalid tag %q: %w", tag, err)
-+ }
-+ tags = append(tags, tag)
-+ }
- link := res.Header.Get("Link")
- if link == "" {
- break
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-index e7af8f93..1096c56f 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_image_dest.go
-@@ -226,6 +226,9 @@ func (d *dockerImageDestination) PutBlob(ctx context.Context, stream io.Reader,
- // If the destination does not contain the blob, or it is unknown, blobExists ordinarily returns (false, -1, nil);
- // it returns a non-nil error only on an unexpected failure.
- func (d *dockerImageDestination) blobExists(ctx context.Context, repo reference.Named, digest digest.Digest, extraScope *authScope) (bool, int64, error) {
-+ if err := digest.Validate(); err != nil { // Make sure digest.String() does not contain any unexpected characters
-+ return false, -1, err
-+ }
- checkPath := fmt.Sprintf(blobsPath, reference.Path(repo), digest.String())
- logrus.Debugf("Checking %s", checkPath)
- res, err := d.c.makeRequest(ctx, http.MethodHead, checkPath, nil, nil, v2Auth, extraScope)
-@@ -558,8 +561,11 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, m
-
- // NOTE: Keep this in sync with docs/signature-protocols.md!
- for i, signature := range signatures {
-- url := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
-- err := d.putOneSignature(url, signature)
-+ url, err := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
-+ if err != nil {
-+ return err
-+ }
-+ err = d.putOneSignature(url, signature)
- if err != nil {
- return err
- }
-@@ -570,7 +576,10 @@ func (d *dockerImageDestination) putSignaturesToLookaside(signatures [][]byte, m
- // is enough for dockerImageSource to stop looking for other signatures, so that
- // is sufficient.
- for i := len(signatures); ; i++ {
-- url := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
-+ url, err := signatureStorageURL(d.c.signatureBase, manifestDigest, i)
-+ if err != nil {
-+ return err
-+ }
- missing, err := d.c.deleteOneSignature(url)
- if err != nil {
- return err
-diff --git a/vendor/github.com/containers/image/v5/docker/docker_image_src.go b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-index 314e9b39..43ca0c4f 100644
---- a/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-+++ b/vendor/github.com/containers/image/v5/docker/docker_image_src.go
-@@ -178,6 +178,9 @@ func simplifyContentType(contentType string) string {
- // this never happens if the primary manifest is not a manifest list (e.g. if the source never returns manifest lists).
- func (s *dockerImageSource) GetManifest(ctx context.Context, instanceDigest *digest.Digest) ([]byte, string, error) {
- if instanceDigest != nil {
-+ if err := instanceDigest.Validate(); err != nil { // Make sure instanceDigest.String() does not contain any unexpected characters
-+ return nil, "", err
-+ }
- return s.fetchManifest(ctx, instanceDigest.String())
- }
- err := s.ensureManifestIsLoaded(ctx)
-@@ -373,6 +376,9 @@ func (s *dockerImageSource) GetBlobAt(ctx context.Context, info types.BlobInfo,
- return nil, nil, fmt.Errorf("external URLs not supported with GetBlobAt")
- }
-
-+ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters
-+ return nil, nil, err
-+ }
- path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String())
- logrus.Debugf("Downloading %s", path)
- res, err := s.c.makeRequest(ctx, http.MethodGet, path, headers, nil, v2Auth, nil)
-@@ -425,6 +431,9 @@ func (s *dockerImageSource) GetBlob(ctx context.Context, info types.BlobInfo, ca
- }
- }
-
-+ if err := info.Digest.Validate(); err != nil { // Make sure info.Digest.String() does not contain any unexpected characters
-+ return nil, 0, err
-+ }
- path := fmt.Sprintf(blobsPath, reference.Path(s.physicalRef.ref), info.Digest.String())
- logrus.Debugf("Downloading %s", path)
- res, err := s.c.makeRequest(ctx, http.MethodGet, path, nil, nil, v2Auth, nil)
-@@ -486,7 +495,10 @@ func (s *dockerImageSource) getSignaturesFromLookaside(ctx context.Context, inst
- // NOTE: Keep this in sync with docs/signature-protocols.md!
- signatures := [][]byte{}
- for i := 0; ; i++ {
-- url := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
-+ url, err := signatureStorageURL(s.c.signatureBase, manifestDigest, i)
-+ if err != nil {
-+ return nil, err
-+ }
- signature, missing, err := s.getOneSignature(ctx, url)
- if err != nil {
- return nil, err
-@@ -627,7 +639,10 @@ func deleteImage(ctx context.Context, sys *types.SystemContext, ref dockerRefere
- }
-
- for i := 0; ; i++ {
-- url := signatureStorageURL(c.signatureBase, manifestDigest, i)
-+ url, err := signatureStorageURL(c.signatureBase, manifestDigest, i)
-+ if err != nil {
-+ return err
-+ }
- missing, err := c.deleteOneSignature(url)
- if err != nil {
- return err
-diff --git a/vendor/github.com/containers/image/v5/docker/lookaside.go b/vendor/github.com/containers/image/v5/docker/lookaside.go
-index 515e5932..2e400c09 100644
---- a/vendor/github.com/containers/image/v5/docker/lookaside.go
-+++ b/vendor/github.com/containers/image/v5/docker/lookaside.go
-@@ -229,8 +229,11 @@ func (ns registryNamespace) signatureTopLevel(write bool) string {
- // signatureStorageURL returns an URL usable for accessing signature index in base with known manifestDigest.
- // base is not nil from the caller
- // NOTE: Keep this in sync with docs/signature-protocols.md!
--func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) *url.URL {
-+func signatureStorageURL(base signatureStorageBase, manifestDigest digest.Digest, index int) (*url.URL, error) {
-+ if err := manifestDigest.Validate(); err != nil { // digest.Digest.Hex() panics on failure, and could possibly result in a path with ../, so validate explicitly.
-+ return nil, err
-+ }
- url := *base
- url.Path = fmt.Sprintf("%s@%s=%s/signature-%d", url.Path, manifestDigest.Algorithm(), manifestDigest.Hex(), index+1)
-- return &url
-+ return &url, nil
- }
---
-2.34.1
-
diff --git a/SPECS/containerized-data-importer/CVE-2024-45338.patch b/SPECS/containerized-data-importer/CVE-2024-45338.patch
deleted file mode 100644
index b1a7b333044..00000000000
--- a/SPECS/containerized-data-importer/CVE-2024-45338.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 0c0cb82a7671b2aa12c5136ab9368245e3803985 Mon Sep 17 00:00:00 2001
-From: Rohit Rawat
-Date: Thu, 2 Jan 2025 10:22:13 +0000
-Subject: [PATCH] Fix CVE CVE-2024-45338 in containerized-data-importer
-
----
- .../vendor/golang.org/x/net/html/doctype.go | 2 +-
- .../vendor/golang.org/x/net/html/foreign.go | 3 +--
- .../vendor/golang.org/x/net/html/parse.go | 4 ++--
- 3 files changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
-index c484e5a..bca3ae9 100644
---- a/vendor/golang.org/x/net/html/doctype.go
-+++ b/vendor/golang.org/x/net/html/doctype.go
-@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
- }
- }
- if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
-- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
-+ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
- quirks = true
- }
- }
-diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
-index 9da9e9d..e8515d8 100644
---- a/vendor/golang.org/x/net/html/foreign.go
-+++ b/vendor/golang.org/x/net/html/foreign.go
-@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
- if n.Data == "annotation-xml" {
- for _, a := range n.Attr {
- if a.Key == "encoding" {
-- val := strings.ToLower(a.Val)
-- if val == "text/html" || val == "application/xhtml+xml" {
-+ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
- return true
- }
- }
-diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
-index 46a89ed..5b8374b 100644
---- a/vendor/golang.org/x/net/html/parse.go
-+++ b/vendor/golang.org/x/net/html/parse.go
-@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
- if p.tok.DataAtom == a.Input {
- for _, t := range p.tok.Attr {
- if t.Key == "type" {
-- if strings.ToLower(t.Val) == "hidden" {
-+ if strings.EqualFold(t.Val, "hidden") {
- // Skip setting framesetOK = false
- return true
- }
-@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
- return inHeadIM(p)
- case a.Input:
- for _, t := range p.tok.Attr {
-- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
-+ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
- p.addElement()
- p.oe.pop()
- return true
---
-2.39.4
-
diff --git a/SPECS/containerized-data-importer/CVE-2025-22868.patch b/SPECS/containerized-data-importer/CVE-2025-22868.patch
deleted file mode 100644
index c4f136f3ca1..00000000000
--- a/SPECS/containerized-data-importer/CVE-2025-22868.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001
-From: Neal Patel
-Date: Thu, 30 Jan 2025 14:10:09 -0500
-Subject: [PATCH] jws: split token into fixed number of parts
-
-Thanks to 'jub0bs' for reporting this issue.
-
-Fixes #71490
-Fixes CVE-2025-22868
-
-Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2
-Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155
-Auto-Submit: Gopher Robot
-Reviewed-by: Damien Neil
-Reviewed-by: Roland Shoemaker
-LUCI-TryBot-Result: Go LUCI
----
- vendor/golang.org/x/oauth2/jws/jws.go | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go
-index 95015648b..6f03a49d3 100644
---- a/vendor/golang.org/x/oauth2/jws/jws.go
-+++ b/vendor/golang.org/x/oauth2/jws/jws.go
-@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) {
- // Verify tests whether the provided JWT token's signature was produced by the private key
- // associated with the supplied public key.
- func Verify(token string, key *rsa.PublicKey) error {
-- parts := strings.Split(token, ".")
-- if len(parts) != 3 {
-+ if strings.Count(token, ".") != 2 {
- return errors.New("jws: invalid token received, token must have 3 parts")
- }
-
-+ parts := strings.SplitN(token, ".", 3)
- signedContent := parts[0] + "." + parts[1]
- signatureString, err := base64.RawURLEncoding.DecodeString(parts[2])
- if err != nil {
diff --git a/SPECS/containerized-data-importer/CVE-2025-27144.patch b/SPECS/containerized-data-importer/CVE-2025-27144.patch
deleted file mode 100644
index 6015ed48ca9..00000000000
--- a/SPECS/containerized-data-importer/CVE-2025-27144.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From fa324fa38481f9d2da9109cb5983326f62ff7507 Mon Sep 17 00:00:00 2001
-From: Kanishk-Bansal
-Date: Fri, 28 Feb 2025 07:45:53 +0000
-Subject: [PATCH] CVE-2025-27144
-Upstream Ref: https://github.com/go-jose/go-jose/commit/c9ed84d8f0cfadcfad817150158caca6fcbc518b
-
----
- vendor/gopkg.in/square/go-jose.v2/jwe.go | 5 +++--
- vendor/gopkg.in/square/go-jose.v2/jws.go | 5 +++--
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go
-index b5a6dcd..cd1de9e 100644
---- a/vendor/gopkg.in/square/go-jose.v2/jwe.go
-+++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go
-@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
-
- // parseEncryptedCompact parses a message in compact format.
- func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
-- parts := strings.Split(input, ".")
-- if len(parts) != 5 {
-+ // Five parts is four separators
-+ if strings.Count(input, ".") != 4 {
- return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts")
- }
-+ parts := strings.SplitN(input, ".", 5)
-
- rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
- if err != nil {
-diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go
-index 7e261f9..a8d55fb 100644
---- a/vendor/gopkg.in/square/go-jose.v2/jws.go
-+++ b/vendor/gopkg.in/square/go-jose.v2/jws.go
-@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
-
- // parseSignedCompact parses a message in compact format.
- func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
-- parts := strings.Split(input, ".")
-- if len(parts) != 3 {
-+ // Three parts is two separators
-+ if strings.Count(input, ".") != 2 {
- return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts")
- }
-+ parts := strings.SplitN(input, ".", 3)
-
- if parts[1] != "" && payload != nil {
- return nil, fmt.Errorf("square/go-jose: payload is not detached")
---
-2.45.2
-
diff --git a/SPECS/containerized-data-importer/CVE-2025-58058.patch b/SPECS/containerized-data-importer/CVE-2025-58058.patch
index 3ab53122faf..f6ed74aa7e7 100644
--- a/SPECS/containerized-data-importer/CVE-2025-58058.patch
+++ b/SPECS/containerized-data-importer/CVE-2025-58058.patch
@@ -1,38 +1,3 @@
-From bef47b0f46c4200c1efe37fc10122cf462979eb2 Mon Sep 17 00:00:00 2001
-From: Ulrich Kunitz
-Date: Mon, 12 Dec 2022 20:41:07 +0100
-Subject: [PATCH 1/3] lzma: fix handling of small dictionary sizes
-
-As Matt Dainty (@bodgit) reported there is an issue if the header of the
-LZMA stream is less than the minimum dictionary size of 4096 byte. The
-specification of the LZMA format says that in that case a dictionary
-size of 4096 byte should be used, our code returns an error.
-
-This commit changes the behavior and adds a simple test case to test for
-the right behavior.
-
-Fixes [#52](https://github.com/ulikunitz/xz/pull/52)
----
- vendor/github.com/ulikunitz/xz/lzma/reader.go | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/vendor/github.com/ulikunitz/xz/lzma/reader.go b/vendor/github.com/ulikunitz/xz/lzma/reader.go
-index 2ed13c8..8d675a3 100644
---- a/vendor/github.com/ulikunitz/xz/lzma/reader.go
-+++ b/vendor/github.com/ulikunitz/xz/lzma/reader.go
-@@ -70,7 +70,7 @@ func (c ReaderConfig) NewReader(lzma io.Reader) (r *Reader, err error) {
- return nil, err
- }
- if r.h.dictCap < MinDictCap {
-- return nil, errors.New("lzma: dictionary capacity too small")
-+ r.h.dictCap = MinDictCap
- }
- dictCap := r.h.dictCap
- if c.DictCap > dictCap {
---
-2.45.4
-
-
 From 497594b7b0e995ea8187c16ed1942f8005fc23d3 Mon Sep 17 00:00:00 2001
 From: Ulrich Kunitz
 Date: Thu, 21 Aug 2025 17:57:47 +0200
diff --git a/SPECS/containerized-data-importer/CVE-2025-65637.patch b/SPECS/containerized-data-importer/CVE-2025-65637.patch
deleted file mode 100644
index 1f6fd0c2555..00000000000
--- a/SPECS/containerized-data-importer/CVE-2025-65637.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From 6e50d3762132e58f6d430700cf03bfc20b077c84 Mon Sep 17 00:00:00 2001
-From: Chris
-Date: Fri, 10 Mar 2023 13:45:41 -0800
-Subject: [PATCH 1/2] This commit fixes a potential denial of service
- vulnerability in logrus.Writer() that could be triggered by logging text
- longer than 64kb without newlines. Previously, the bufio.Scanner used by
- Writer() would hang indefinitely when reading such text without newlines,
- causing the application to become unresponsive.
-
----
- vendor/github.com/sirupsen/logrus/writer.go | 33 ++++++++++++++++++++-
- 1 file changed, 32 insertions(+), 1 deletion(-)
-
-diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
-index 72e8e3a..36032d0 100644
---- a/vendor/github.com/sirupsen/logrus/writer.go
-+++ b/vendor/github.com/sirupsen/logrus/writer.go
-@@ -4,6 +4,7 @@ import (
- "bufio"
- "io"
- "runtime"
-+ "strings"
- )
-
- // Writer at INFO level. See WriterLevel for details.
-@@ -20,15 +21,18 @@ func (logger *Logger) WriterLevel(level Level) *io.PipeWriter {
- return NewEntry(logger).WriterLevel(level)
- }
-
-+// Writer returns an io.Writer that writes to the logger at the info log level
- func (entry *Entry) Writer() *io.PipeWriter {
- return entry.WriterLevel(InfoLevel)
- }
-
-+// WriterLevel returns an io.Writer that writes to the logger at the given log level
- func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
- reader, writer := io.Pipe()
-
- var printFunc func(args ...interface{})
-
-+ // Determine which log function to use based on the specified log level
- switch level {
- case TraceLevel:
- printFunc = entry.Trace
-@@ -48,23 +52,50 @@ func (entry *Entry) WriterLevel(level Level) *io.PipeWriter {
- printFunc = entry.Print
- }
-
-+ // Start a new goroutine to scan the input and write it to the logger using the specified print function.
-+ // It splits the input into chunks of up to 64KB to avoid buffer overflows.
- go entry.writerScanner(reader, printFunc)
-+
-+ // Set a finalizer function to close the writer when it is garbage collected
- runtime.SetFinalizer(writer, writerFinalizer)
-
- return writer
- }
-
-+// writerScanner scans the input from the reader and writes it to the logger
- func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...interface{})) {
- scanner := bufio.NewScanner(reader)
-+
-+ // Set the buffer size to the maximum token size to avoid buffer overflows
-+ scanner.Buffer(make([]byte, bufio.MaxScanTokenSize), bufio.MaxScanTokenSize)
-+
-+ // Define a split function to split the input into chunks of up to 64KB
-+ chunkSize := 64 * 1024 // 64KB
-+ splitFunc := func(data []byte, atEOF bool) (int, []byte, error) {
-+ if len(data) > chunkSize {
-+ return chunkSize, data[:chunkSize], nil
-+ }
-+ return 0, nil, nil
-+ }
-+
-+ //Use the custom split function to split the input
-+ scanner.Split(splitFunc)
-+
-+ // Scan the input and write it to the logger using the specified print function
- for scanner.Scan() {
-- printFunc(scanner.Text())
-+ printFunc(strings.TrimRight(scanner.Text(), "\r\n"))
- }
-+
-+ // If there was an error while scanning the input, log an error
- if err := scanner.Err(); err != nil {
- entry.Errorf("Error while reading from Writer: %s", err)
- }
-+
-+ // Close the reader when we are done
- reader.Close()
- }
-
-+// WriterFinalizer is a finalizer function that closes then given writer when it is garbage collected
- func writerFinalizer(writer *io.PipeWriter) {
- writer.Close()
- }
---
-2.45.4
-
-
-From d639b2f8d9be18ce347f956d5b6f7b557fcd66cd Mon Sep 17 00:00:00 2001
-From: Chris
-Date: Fri, 10 Mar 2023 13:45:41 -0800
-Subject: [PATCH 2/2] Scan text in 64KB chunks
-
-This commit fixes a potential denial of service
-vulnerability in logrus.Writer() that could be
-triggered by logging text longer than 64KB
-without newlines. Previously, the bufio.Scanner
-used by Writer() would hang indefinitely when
-reading such text without newlines, causing the
-application to become unresponsive.
-
-Signed-off-by: Azure Linux Security Servicing Account
-Upstream-reference: https://github.com/sirupsen/logrus/pull/1376.patch
----
- vendor/github.com/sirupsen/logrus/writer.go | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/vendor/github.com/sirupsen/logrus/writer.go b/vendor/github.com/sirupsen/logrus/writer.go
-index 36032d0..7e7703c 100644
---- a/vendor/github.com/sirupsen/logrus/writer.go
-+++ b/vendor/github.com/sirupsen/logrus/writer.go
-@@ -75,7 +75,8 @@ func (entry *Entry) writerScanner(reader *io.PipeReader, printFunc func(args ...
- if len(data) > chunkSize {
- return chunkSize, data[:chunkSize], nil
- }
-- return 0, nil, nil
-+
-+ return len(data), data, nil
- }
-
- //Use the custom split function to split the input
---
-2.45.4
-
diff --git a/SPECS/containerized-data-importer/containerized-data-importer.signatures.json b/SPECS/containerized-data-importer/containerized-data-importer.signatures.json
index d5ded8e7035..27bd9437093 100644
--- a/SPECS/containerized-data-importer/containerized-data-importer.signatures.json
+++ b/SPECS/containerized-data-importer/containerized-data-importer.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "containerized-data-importer-1.57.0.tar.gz": "71191e9e98df6d73490ae2bb74fa069bd2967a439f9a76d6bba1822fccc134ce"
+ "containerized-data-importer-1.62.0.tar.gz": "cdf830f40c1133214bf0567d385032b1ab9418d19b29f199fe836f88d35f4efd"
 }
 }
diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec
index c52f0d9a42a..b3213c97007 100644
--- a/SPECS/containerized-data-importer/containerized-data-importer.spec
+++ b/SPECS/containerized-data-importer/containerized-data-importer.spec
@@ -17,29 +17,18 @@ Summary: Container native virtualization Name: containerized-data-importer -Version: 1.57.0 -Release: 18%{?dist} +Version: 1.62.0 +Release: 1%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Azure Linux Group: System/Packages URL: https://github.com/kubevirt/containerized-data-importer Source0: https://github.com/kubevirt/containerized-data-importer/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -Patch0: CVE-2024-3727.patch -Patch1: CVE-2022-2879.patch -Patch2: CVE-2024-24786.patch -Patch3: CVE-2024-45338.patch -Patch4: CVE-2023-39325.patch -Patch5: CVE-2023-44487.patch -Patch6: CVE-2024-28180.patch -Patch7: CVE-2023-45288.patch -Patch8: CVE-2023-3978.patch -Patch9: CVE-2025-27144.patch -Patch10: CVE-2025-22868.patch -Patch11: CVE-2025-22872.patch -Patch12: CVE-2025-58058.patch -Patch13: CVE-2025-58183.patch -Patch14: CVE-2025-65637.patch +Patch0: CVE-2022-2879.patch +Patch1: CVE-2025-22872.patch +Patch2: CVE-2025-58058.patch +Patch3: CVE-2025-58183.patch BuildRequires: golang < 1.25 BuildRequires: golang-packaging BuildRequires: libnbd-devel @@ -234,6 +223,11 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m %{_datadir}/cdi/manifests %changelog +* Tue Dec 09 2025 Harshit Gupta - 1.62.0-1 +- Upgrade to 1.62.0-1 +- Update patches CVE-2025-58058.patch, CVE-2022-2879.patch +- Remove old CVE patches + * Mon Dec 08 2025 Azure Linux Security Servicing Account - 1.57.0-18 - Patch for CVE-2025-65637 diff --git a/cgmanifest.json b/cgmanifest.json index cb25d0e3d91..e1040df3dac 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -2057,8 +2057,8 @@ "type": "other", "other": { "name": "containerized-data-importer", - "version": "1.57.0", - "downloadUrl": "https://github.com/kubevirt/containerized-data-importer/archive/refs/tags/v1.57.0.tar.gz" + "version": "1.62.0", + "downloadUrl": "https://github.com/kubevirt/containerized-data-importer/archive/refs/tags/v1.62.0.tar.gz" } } },
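Review bot: The changelog entry `- Remove old CVE patches` in the second hunk of this spec does not record which patches were dropped or why 1.62.0 no longer needs them, so a later audit of this package cannot tell a CVE whose fix arrived with the rebased vendor tree from one that was silently dropped. The first hunk removes eleven Patch lines (CVE-2023-3978, CVE-2023-39325, CVE-2023-44487, CVE-2023-45288, CVE-2024-3727, CVE-2024-24786, CVE-2024-28180, CVE-2024-45338, CVE-2025-22868, CVE-2025-27144, CVE-2025-65637), and the CVE-2025-58058.patch hunk earlier in this diff also drops the lzma small-dictionary commit from that series; I would name them in the changelog with the justification, e.g. `- Drop CVE-2023-3978 ... CVE-2025-65637 patches: fixes are included in the vendored modules shipped with 1.62.0`. Whether each of those fixes is actually present in the 1.62.0 vendor tree is not visible here and should be confirmed per module before merging. If %prep applies patches by explicit number (`%patch -P 14`) rather than `%autosetup`, the renumbering to Patch0..Patch3 also needs a matching change outside these hunks.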