-
Notifications
You must be signed in to change notification settings - Fork 565
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Apply security fix for CVE-2024-28180 by patching vendored go-jose (#…
- Loading branch information
1 parent
a5aa5e3
commit b7e903a
Showing
2 changed files
with
96 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,91 @@ | ||
| From 1970c450067bcd4862a4674d30036d35c4e24e33 Mon Sep 17 00:00:00 2001 | ||
| From: Jacob Hoffman-Andrews <[email protected]> | ||
| Date: Thu, 7 Mar 2024 14:25:21 -0800 | ||
| Subject: [PATCH] v2: backport decompression limit fix (#109) | ||
|
|
||
| Backport from #107. | ||
|
|
||
| Modified to apply to vendored code by: Ahmed Badawi <[email protected]> | ||
| --- | ||
| vendor/gopkg.in/square/go-jose.v2/crypter.go | 6 ++++++ | ||
| vendor/gopkg.in/square/go-jose.v2/encoding.go | 21 +++++++++++++++---- | ||
| 2 files changed, 23 insertions(+), 4 deletions(-) | ||
|
|
||
| diff --git a/vendor/gopkg.in/square/go-jose.v2/crypter.go b/vendor/gopkg.in/square/go-jose.v2/crypter.go | ||
| index c45c712..d364dcc 100644 | ||
| --- a/vendor/gopkg.in/square/go-jose.v2/crypter.go | ||
| +++ b/vendor/gopkg.in/square/go-jose.v2/crypter.go | ||
| @@ -399,6 +399,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions { | ||
| // Decrypt and validate the object and return the plaintext. Note that this | ||
| // function does not support multi-recipient, if you desire multi-recipient | ||
| // decryption use DecryptMulti instead. | ||
| +// | ||
| +// Automatically decompresses plaintext, but returns an error if the decompressed | ||
| +// data would be >250kB or >10x the size of the compressed data, whichever is larger. | ||
| func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) { | ||
| headers := obj.mergedHeaders(nil) | ||
|
|
||
| @@ -463,6 +466,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) | ||
| // with support for multiple recipients. It returns the index of the recipient | ||
| // for which the decryption was successful, the merged headers for that recipient, | ||
| // and the plaintext. | ||
| +// | ||
| +// Automatically decompresses plaintext, but returns an error if the decompressed | ||
| +// data would be >250kB or >3x the size of the compressed data, whichever is larger. | ||
| func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) { | ||
| globalHeaders := obj.mergedHeaders(nil) | ||
|
|
||
| diff --git a/vendor/gopkg.in/square/go-jose.v2/encoding.go b/vendor/gopkg.in/square/go-jose.v2/encoding.go | ||
| index b9687c6..ac4a44e 100644 | ||
| --- a/vendor/gopkg.in/square/go-jose.v2/encoding.go | ||
| +++ b/vendor/gopkg.in/square/go-jose.v2/encoding.go | ||
| @@ -21,6 +21,7 @@ import ( | ||
| "compress/flate" | ||
| "encoding/base64" | ||
| "encoding/binary" | ||
| + "fmt" | ||
| "io" | ||
| "math/big" | ||
| "regexp" | ||
| @@ -79,7 +80,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) { | ||
| } | ||
| } | ||
|
|
||
| -// Compress with DEFLATE | ||
| +// deflate compresses the input. | ||
| func deflate(input []byte) ([]byte, error) { | ||
| output := new(bytes.Buffer) | ||
|
|
||
| @@ -91,15 +92,27 @@ func deflate(input []byte) ([]byte, error) { | ||
| return output.Bytes(), err | ||
| } | ||
|
|
||
| -// Decompress with DEFLATE | ||
| +// inflate decompresses the input. | ||
| +// | ||
| +// Errors if the decompressed data would be >250kB or >10x the size of the | ||
| +// compressed data, whichever is larger. | ||
| func inflate(input []byte) ([]byte, error) { | ||
| output := new(bytes.Buffer) | ||
| reader := flate.NewReader(bytes.NewBuffer(input)) | ||
|
|
||
| - _, err := io.Copy(output, reader) | ||
| - if err != nil { | ||
| + maxCompressedSize := 10 * int64(len(input)) | ||
| + if maxCompressedSize < 250000 { | ||
| + maxCompressedSize = 250000 | ||
| + } | ||
| + | ||
| + limit := maxCompressedSize + 1 | ||
| + n, err := io.CopyN(output, reader, limit) | ||
| + if err != nil && err != io.EOF { | ||
| return nil, err | ||
| } | ||
| + if n == limit { | ||
| + return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize) | ||
| + } | ||
|
|
||
| err = reader.Close() | ||
| return output.Bytes(), err | ||
| -- | ||
| 2.39.4 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: The Kube-Vip cloud provider functions as a general-purpose cloud provider for on-premises bare-metal or virtualized setups | ||
| Name: kube-vip-cloud-provider | ||
| Version: 0.0.2 | ||
| Release: 18%{?dist} | ||
| Release: 19%{?dist} | ||
| License: ASL 2.0 | ||
| URL: https://github.com/kube-vip/kube-vip-cloud-provider | ||
| Group: Applications/Text | ||
|
|
@@ -24,6 +24,7 @@ Source1: %{name}-%{version}-vendor.tar.gz | |
| Patch0: CVE-2022-21698.patch | ||
| Patch1: CVE-2021-44716.patch | ||
| Patch2: CVE-2023-44487.patch | ||
| Patch3: CVE-2024-28180.patch | ||
| BuildRequires: golang | ||
|
|
||
| %description | ||
|
|
@@ -49,6 +50,9 @@ go test -mod=vendor ./... | |
| %{_bindir}/kube-vip-cloud-provider | ||
|
|
||
| %changelog | ||
| * Mon Oct 07 2024 Ahmed Badawi <[email protected]> - 0.0.2-19 | ||
| - Apply security fix for CVE-2024-28180 by patching vendored go-jose | ||
|
|
||
| * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 0.0.2-18 | ||
| - Bump release to rebuild with go 1.22.7 | ||
|
|
||
|
|
||