sync patch from openEuler-24.03-LTS

2024-11-13 12:21:37 +08:00 · 2024-11-13 12:21:37 +08:00 · 225e48ba87
commit 225e48ba87
parent 28084e30fb
3 changed files with 215 additions and 1 deletions
--- a/0010-fix-CVE-2021-44716.patch
+++ b/0010-fix-CVE-2021-44716.patch
@ -0,0 +1,57 @@
+From 6b06b626969f252e520b1b8f8c3cd1f515835484 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Tue, 7 May 2024 09:29:47 +0800
+Subject: [PATCH] fix CVE-2021-44716
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., foo-bar => Foo-Bar). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., content-type), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+---
+ vendor/golang.org/x/net/http2/server.go | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index 5e01ce9..5253650 100644
+--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
+@@ -723,7 +723,15 @@ func (sc *serverConn) canonicalHeader(v string) string {
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
+	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+	// entries in the canonHeader cache. This should be larger than the number
+	// of unique, uncommon header keys likely to be sent by the peer, while not
+	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+	// number of unique header keys.
+	const maxCachedCanonicalHeaders = 32
+	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+		sc.canonHeader[v] = cv
+	}
+ 	return cv
+ }
+ 
+-- 
+2.20.1
+
--- a/0011-fix-CVE-2022-3064.patch
+++ b/0011-fix-CVE-2022-3064.patch
@ -0,0 +1,141 @@
+From 429f477455b84ede9651f79eb15e78a129a660e9 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Thu, 9 May 2024 19:25:53 +0800
+Subject: [PATCH] fix CVE-2022-3064
+
+Improve heuristics preventing CPU/memory abuse (#515)
+This addresses the following items:
+
+==== Parse time of excessively deep nested or indented documents
+
+Parsing these documents is non-linear; limiting stack depth to 10,000 keeps parse times of pathological documents sub-second (~.25 seconds in benchmarks)
+
+==== Alias node expansion limits
+
+The current limit allows 10,000% expansion, which is too permissive for large documents.
+
+Limiting to 10% expansion for larger documents allows callers to use input size as an effective way to limit resource usage. Continuing to allow larger expansion rates (up to the current 10,000% limit) for smaller documents does not unduly affect memory use.
+
+This change bounds decode operations from alias expansion to ~400,000 operations for small documents (worst-case ~100-150MB) or 10% of the input document for large documents, whichever is greater.
+liggitt authored and niemeyer committed on Oct 3, 2019
+---
+ vendor/gopkg.in/yaml.v2/decode.go   | 38 +++++++++++++++++++++++++++++
+ vendor/gopkg.in/yaml.v2/scannerc.go | 16 ++++++++++++
+ 2 files changed, 54 insertions(+)
+
+diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go
+index e4e56e2..5310876 100644
+--- a/vendor/gopkg.in/yaml.v2/decode.go
+++ b/vendor/gopkg.in/yaml.v2/decode.go
+@@ -229,6 +229,10 @@ type decoder struct {
+ 	mapType reflect.Type
+ 	terrors []string
+ 	strict  bool
+
+	decodeCount int
+	aliasCount  int
+	aliasDepth  int
+ }
+ 
+ var (
+@@ -314,7 +318,39 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
+ 	return out, false, false
+ }
+ 
+const (
+	// 400,000 decode operations is ~500kb of dense object declarations, or ~5kb of dense object declarations with 10000% alias expansion
+	alias_ratio_range_low = 400000
+	// 4,000,000 decode operations is ~5MB of dense object declarations, or ~4.5MB of dense object declarations with 10% alias expansion
+	alias_ratio_range_high = 4000000
+	// alias_ratio_range is the range over which we scale allowed alias ratios
+	alias_ratio_range = float64(alias_ratio_range_high - alias_ratio_range_low)
+)
+
+func allowedAliasRatio(decodeCount int) float64 {
+	switch {
+	case decodeCount <= alias_ratio_range_low:
+		// allow 99% to come from alias expansion for small-to-medium documents
+		return 0.99
+	case decodeCount >= alias_ratio_range_high:
+		// allow 10% to come from alias expansion for very large documents
+		return 0.10
+	default:
+		// scale smoothly from 99% down to 10% over the range.
+		// this maps to 396,000 - 400,000 allowed alias-driven decodes over the range.
+		// 400,000 decode operations is ~100MB of allocations in worst-case scenarios (single-item maps).
+		return 0.99 - 0.89*(float64(decodeCount-alias_ratio_range_low)/alias_ratio_range)
+	}
+}
+
+ func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
+	d.decodeCount++
+	if d.aliasDepth > 0 {
+		d.aliasCount++
+	}
+	if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > allowedAliasRatio(d.decodeCount) {
+		failf("document contains excessive aliasing")
+	}
+ 	switch n.kind {
+ 	case documentNode:
+ 		return d.document(n, out)
+@@ -353,7 +389,9 @@ func (d *decoder) alias(n *node, out reflect.Value) (good bool) {
+ 		failf("anchor '%s' value contains itself", n.value)
+ 	}
+ 	d.aliases[n] = true
+	d.aliasDepth++
+ 	good = d.unmarshal(n.alias, out)
+	d.aliasDepth--
+ 	delete(d.aliases, n)
+ 	return good
+ }
+diff --git a/vendor/gopkg.in/yaml.v2/scannerc.go b/vendor/gopkg.in/yaml.v2/scannerc.go
+index 077fd1d..570b8ec 100644
+--- a/vendor/gopkg.in/yaml.v2/scannerc.go
+++ b/vendor/gopkg.in/yaml.v2/scannerc.go
+@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
+// max_flow_level limits the flow_level
+const max_flow_level = 10000
+
+ // Increase the flow level and resize the simple key list if needed.
+ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 	// Reset the simple key on the next level.
+@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 
+ 	// Increase the flow level.
+ 	parser.flow_level++
+	if parser.flow_level > max_flow_level {
+		return yaml_parser_set_scanner_error(parser,
+			"while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark,
+			fmt.Sprintf("exceeded max depth of %d", max_flow_level))
+	}
+ 	return true
+ }
+ 
+@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
+// max_indents limits the indents stack size
+const max_indents = 10000
+
+ // Push the current indentation level to the stack and set the new level
+ // the current column is greater than the indentation level.  In this case,
+ // append or insert the specified token into the token queue.
+@@ -939,6 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml
+ 		// indentation level.
+ 		parser.indents = append(parser.indents, parser.indent)
+ 		parser.indent = column
+		if len(parser.indents) > max_indents {
+			return yaml_parser_set_scanner_error(parser,
+				"while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark,
+				fmt.Sprintf("exceeded max depth of %d", max_indents))
+		}
+ 
+ 		// Create a token and insert it into the queue.
+ 		token := yaml_token_t{
+-- 
+2.20.1
+
--- a/etcd.spec
+++ b/etcd.spec
@ -31,7 +31,7 @@ system.}
 %global gosupfiles      integration/fixtures/* etcdserver/api/v2http/testdata/*

 Name:           etcd
-Release:        12
+Release:        14
 Summary:        Distributed reliable key-value store for the most critical data of a distributed system

 # Upstream license specification: Apache-2.0
@ -53,6 +53,8 @@ Patch6:         0006-fix-CVE-2023-39325.patch
 Patch7:         0007-fix-CVE-2022-34038.patch
 Patch8:         0008-fix-CVE-2023-32082.patch
 Patch9:         0009-fix-CVE-2021-28235.patch
+Patch10:        0010-fix-CVE-2021-44716.patch
+Patch11:        0011-fix-CVE-2022-3064.patch

 BuildRequires:  golang
 BuildRequires:  python3-devel
@ -76,6 +78,8 @@ Requires(pre):  shadow-utils
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
+%patch11 -p1
 %ifarch sw_64
 %patch3 -p1
 %endif
@ -164,6 +168,18 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
 %endif

 %changelog
+* Thu May 09 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-14
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2022-3064
+
+* Tue May 07 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-13
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2021-44716
+
 * Wed Apr 24 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-12
 - Type:bugfix
 - CVE:NA