Compare commits
10 Commits
0fc0b6945c
...
230f4fc965
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
230f4fc965 | ||
|
|
3875bdbcf7 | ||
|
|
2f1263c9e0 | ||
|
|
f7f95ad14e | ||
|
|
8ef2d386e8 | ||
|
|
8443a9ba43 | ||
|
|
adb9365653 | ||
|
|
bb1754e1ef | ||
|
|
21cb438006 | ||
|
|
77da0c0566 |
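--- a/0001-fix-CVE-2024-24786.patch
+++ b/0001-fix-CVE-2024-24786.patch
@@ -0,0 +1,59 @@
+From f4c84f807993799702d4b7b75b59289b15c72a6f Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Mon, 8 Apr 2024 14:19:59 +0800
+Subject: [PATCH] fix CVE-2024-24786
+
+encoding/protojson, internal/encoding/json: handle missing object values
+
+In internal/encoding/json, report an error when encountering a }
+when we are expecting an object field value. For example, the input
+now correctly results in an error at the closing } token.
+
+In encoding/protojson, check for an unexpected EOF token in
+skipJSONValue. This is redundant with the check in internal/encoding/json,
+but adds a bit more defense against any other similar bugs that
+might exist.
+
+Fixes CVE-2024-24786
+
+Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
+Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
+TryBot-Bypass: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Commit-Queue: Damien Neil <dneil@google.com>
+---
+.../protobuf/encoding/protojson/well_known_types.go | 4 ++++
+.../protobuf/internal/encoding/json/decode.go | 2 +-
+2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 72924a9..d3825ba 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
+if err := d.skipJSONValue(); err != nil {
+return err
+}
++ case json.EOF:
++ // This can only happen if there's a bug in Decoder.Read.
++ // Avoid an infinite loop if this does happen.
++ return errors.New("unexpected EOF")
+}
+}
+
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+
+case ObjectClose:
+if len(d.openStack) == 0 ||
+- d.lastToken.kind == comma ||
++ d.lastToken.kind&(Name|comma) != 0 ||
+d.openStack[len(d.openStack)-1] != ObjectOpen {
+return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+}
+--
+2.20.1
+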
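Review bot: The backport patches the vendored copy of google.golang.org/protobuf in place but, as far as this section shows, leaves vendor/modules.txt and go.mod untouched, so the built crictl binary will still embed the old protobuf module version and tooling that keys on module versions (govulncheck, SBOM and CVE scanners) will keep reporting CVE-2024-24786 as unfixed. If bumping the vendored module to the fixed release is not an option for this package, consider recording the backport where such tooling and downstream reviewers can find it; whether those metadata files exist in this tree cannot be confirmed from the page. The well_known_types.go hunk also relies on the `errors` package already being imported in that file, which the hunk does not show; the enclosing skipJSONValue function starts outside the hunk, so a build of the patched tree is the only way to confirm it from here.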
Binary file not shown.
@ -12,14 +12,17 @@
|
||||
%global built_tag v%{version}
|
||||
|
||||
Name: cri-tools
|
||||
Version: 1.22.0
|
||||
Release: 2
|
||||
Version: 1.29.0
|
||||
Release: 3
|
||||
Summary: CLI and validation tools for Container Runtime Interface
|
||||
License: ASL 2.0
|
||||
URL: https://%{goipath}
|
||||
Source0: %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
|
||||
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
|
||||
ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm} ppc64le s390x}
|
||||
Source0: https://github.com/kubernetes-sigs/cri-tools/archive/refs/tags/v%{version}.tar.gz
|
||||
Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.tar.gz
|
||||
|
||||
Patch0001: 0001-fix-CVE-2024-24786.patch
|
||||
|
||||
ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm} ppc64le s390x riscv64}
|
||||
BuildRequires: golang, glibc-static, git
|
||||
Provides: crictl = %{version}-%{release}
|
||||
|
||||
@ -27,7 +30,7 @@ Provides: crictl = %{version}-%{release}
|
||||
%{summary}
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%autosetup -p1 -n %{name}-%{version}
|
||||
tar -xf %SOURCE1
|
||||
|
||||
%build
|
||||
@ -39,6 +42,7 @@ cp ../_build/bin/go-md2man $GO_MD2MAN_PATH/go-md2man
|
||||
export PATH=$GO_MD2MAN_PATH:$PATH
|
||||
cd -
|
||||
|
||||
export LDFLAGS='-X %{goipath}/pkg/version.Version=v%{version}'
|
||||
%gobuild -o bin/crictl %{goipath}/cmd/crictl
|
||||
go-md2man -in docs/crictl.md -out docs/crictl.1
|
||||
|
||||
@ -59,6 +63,27 @@ install -p -m 644 docs/crictl.1 %{buildroot}%{_mandir}/man1
|
||||
%{_mandir}/man1/crictl*
|
||||
|
||||
%changelog
|
||||
* Fri May 24 2024 Jingwiw <wangjingwei@iscas.ac.cn> - 1.29.0-3
|
||||
- Type:enhancement
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: enable riscv64
|
||||
|
||||
* Mon Apr 08 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.29.0-2
|
||||
- Type:bugfix
|
||||
- CVE:NA
|
||||
- SUG:NA
|
||||
- DESC: fix CVE-2024-24786
|
||||
|
||||
* Wed Feb 28 2024 lijian <lijian2@kylinos.cn> - 1.29.0-1
|
||||
- update to 1.29.0
|
||||
|
||||
* Tue Nov 21 2023 suoxiaocong <suoxiaocong@kylinos.cn> - 1.24.2-2
|
||||
- fix bug unknown version
|
||||
|
||||
* Sat Jul 30 2022 tianlijing <tianlijing@kylinos.cn> - 1.24.2-1
|
||||
- update to 1.24.2
|
||||
|
||||
* Tue Jun 07 2022 fushanqing <fushanqing@kylinos.cn> - 1.22.0-2
|
||||
- update Source0
|
||||
|
||||
|
||||
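Review bot: The new changelog entry for 1.29.0-2 records `- CVE:NA` while its own DESC line says `fix CVE-2024-24786` and the same change adds `Patch0001: 0001-fix-CVE-2024-24786.patch`; the CVE field should name the fixed issue, `- CVE:CVE-2024-24786`, because package tooling and security reviewers key on that field rather than on the free-text description. The `Type:bugfix` tag in the same entry may likewise want the distribution's CVE category if one is used in this repository, which the page does not show. The file header for this spec section is not visible in this view, so the file name is inferred from its contents.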
BIN
v1.0.10.tar.gz
BIN
v1.0.10.tar.gz
Binary file not shown.
BIN
v1.29.0.tar.gz
Normal file
BIN
v1.29.0.tar.gz
Normal file
Binary file not shown.
BIN
v2.0.3.tar.gz
Normal file
BIN
v2.0.3.tar.gz
Normal file
Binary file not shown.