packages/etcd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:5ff831d1b4fea061e931454982e443ae518de0c2
Branches Tags
packages:main
...
compare: packages:8d882e14b9bd4e39eee0e0e4efbbc36691af53cd
Branches Tags
packages:main

10 Commits
5ff831d1b4 ... 8d882e14b9

Author SHA1 Message Date
openeuler-ci-bot
8d882e14b9
!85 sync patch from openEuler-24.03-LTS 
From: @li_ning_jie 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
 2024-11-13 09:17:46 +00:00
liningjie
225e48ba87 sync patch from openEuler-24.03-LTS 2024-11-13 12:21:37 +08:00
openeuler-ci-bot
28084e30fb
!65 [sync] PR-62: Fix CVE-2021-28235 
From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
 2024-04-24 12:00:33 +00:00
bwzhang
5a2c173ce2 fix CVE-2021-28235 
(cherry picked from commit 6565b905da6d1cc50ba0d0b7d8ee092f1f77a1d5)
 2024-04-24 13:34:40 +08:00
openeuler-ci-bot
f760122c93
!64 [sync] PR-58: 将riscv64加入支持的架构补丁中 
From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
 2024-04-24 05:33:28 +00:00
laokz
140db40db1 add riscv64 to supported arch 
(cherry picked from commit 8d4dd42c0998e6fd26306d7fbe233e930027ff7f)
 2024-04-24 11:30:52 +08:00
openeuler-ci-bot
6addcb2ae8
!63 [sync] PR-57: Fix CVE-2023-32082 
From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
 2024-04-24 03:28:47 +00:00
bwzhang
740eb1571f fix CVE-2023-32082 
(cherry picked from commit 4c39e804f9dec9967da689cd7bef6aad76c81db7)
 2024-04-24 10:11:30 +08:00
openeuler-ci-bot
4a7b4a45cc
!61 [sync] PR-55: Fix CVE-2022-34038 
From: @openeuler-sync-bot 
Reviewed-by: @jxy_git 
Signed-off-by: @jxy_git
 2024-04-24 02:10:37 +00:00
bwzhang
62011d6243 fix CVE-2022-34038 
(cherry picked from commit fe04da5523435fa93fd8399fafdf81c34ba5f580)
 2024-04-24 09:14:28 +08:00
7 changed files with 678 additions and 5 deletions
Show Stats Expand all files Collapse all files

2
0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-set.patch
View File

@ -19,7 +19,7 @@ index 73328a7..1907f99 100644
func checkSupportArch() { func checkSupportArch() {
// TODO qualify arm64 // TODO qualify arm64
- if runtime.GOARCH == "amd64" || runtime.GOARCH == "ppc64le" { - if runtime.GOARCH == "amd64" || runtime.GOARCH == "ppc64le" {
+ if runtime.GOARCH == "amd64" || runtime.GOARCH == "ppc64le" || runtime.GOARCH == "arm64" { + if runtime.GOARCH == "amd64" || runtime.GOARCH == "ppc64le" || runtime.GOARCH == "arm64" || runtime.GOARCH == "riscv64" {
return return
} }
// unsupported arch only configured via environment variable // unsupported arch only configured via environment variable

43
0007-fix-CVE-2022-34038.patch Normal file
View File

@ -0,0 +1,43 @@
From 10fdd367a2095806b025c1c54d30886369b3d586 Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Fri, 19 Apr 2024 11:11:10 +0800
Subject: [PATCH] fix CVE-2022-34038
---
pkg/ioutil/pagewriter.go | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/pkg/ioutil/pagewriter.go b/pkg/ioutil/pagewriter.go
index cf9a8dc..4daaa9d 100644
--- a/pkg/ioutil/pagewriter.go
+++ b/pkg/ioutil/pagewriter.go
@@ -16,6 +16,7 @@ package ioutil
import (
"io"
+ "fmt"
)
var defaultBufferBytes = 128 * 1024
@@ -38,9 +39,18 @@ type PageWriter struct {
bufWatermarkBytes int
}
+// Assert will panic with a given formatted message if the given condition is false.
+func Assert(condition bool, msg string, v int) {
+ if !condition {
+ panic(fmt.Sprintf("assertion failed: "+msg, v))
+ }
+}
+
// NewPageWriter creates a new PageWriter. pageBytes is the number of bytes
// to write per page. pageOffset is the starting offset of io.Writer.
func NewPageWriter(w io.Writer, pageBytes, pageOffset int) *PageWriter {
+ // If pageBytes is 0 or less, it will trigger a panic directly
+ Assert(pageBytes > 0, "pageBytes %d is an invalid value, it must be greater than 0", pageBytes)
return &PageWriter{
w: w,
pageOffset: pageOffset,
--
2.20.1

255
0008-fix-CVE-2023-32082.patch Normal file
View File

@ -0,0 +1,255 @@
From 99f3aac02a570b11bac83fcdf9b92501b25dce5c Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Tue, 23 Apr 2024 16:15:29 +0800
Subject: [PATCH] fix CVE-2023-32082
---
etcdserver/v3_server.go | 28 ++++++++++-
integration/v3_auth_test.go | 91 ++++++++++++++++++++++++++++++++--
pkg/ioutil/pagewriter_test.go | 2 +-
tests/e2e/ctl_v3_auth_test.go | 49 ++++++++++++++++++
tests/e2e/ctl_v3_lease_test.go | 8 +++
5 files changed, 171 insertions(+), 7 deletions(-)
diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
index 1fa8e4e..dee5c20 100644
--- a/etcdserver/v3_server.go
+++ b/etcdserver/v3_server.go
@@ -298,7 +298,33 @@ func (s *EtcdServer) LeaseRenew(ctx context.Context, id lease.LeaseID) (int64, e
return -1, ErrCanceled
}
-func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
+func (s *EtcdServer) checkLeaseTimeToLive(ctx context.Context, leaseID lease.LeaseID) (error, uint64) {
+ rev := s.AuthStore().Revision()
+ if !s.AuthStore().IsAuthEnabled() {
+ return nil, rev
+ }
+ authInfo, err := s.AuthInfoFromCtx(ctx)
+ if err != nil {
+ return err, rev
+ }
+ if authInfo == nil {
+ return auth.ErrUserEmpty, rev
+ }
+
+ l := s.lessor.Lookup(leaseID)
+ if l != nil {
+ for _, key := range l.Keys() {
+ if err := s.AuthStore().IsRangePermitted(authInfo, []byte(key), []byte{}); err != nil {
+ return err, 0
+ }
+ }
+ }
+
+
+ return nil, rev
+}
+
+func (s *EtcdServer) LeaseTimeToLive(ctx context.Context, r *pb.LeaseTimeToLiveRequest) (*pb.LeaseTimeToLiveResponse, error) {
if s.Leader() == s.ID() {
// primary; timetolive directly from leader
le := s.lessor.Lookup(lease.LeaseID(r.ID))
diff --git a/integration/v3_auth_test.go b/integration/v3_auth_test.go
index ee386ff..b473053 100644
--- a/integration/v3_auth_test.go
+++ b/integration/v3_auth_test.go
@@ -150,12 +150,10 @@ func testV3AuthWithLeaseRevokeWithRoot(t *testing.T, ccfg ClusterConfig) {
// wait for lease expire
time.Sleep(3 * time.Second)
- tresp, terr := api.Lease.LeaseTimeToLive(
+ tresp, terr := rootc.TimeToLive(
context.TODO(),
- &pb.LeaseTimeToLiveRequest{
- ID: int64(leaseID),
- Keys: true,
- },
+ leaseID,
+ clientv3.WithAttachedKeys(),
)
if terr != nil {
t.Error(terr)
@@ -394,3 +392,86 @@ func TestV3AuthOldRevConcurrent(t *testing.T) {
}
wg.Wait()
}
+
+func TestV3AuthWithLeaseTimeToLive(t *testing.T) {
+ integration.BeforeTest(t)
+ clus := integration.NewCluster(t, &integration.ClusterConfig{Size: 1})
+ defer clus.Terminate(t)
+
+ users := []user{
+ {
+ name: "user1",
+ password: "user1-123",
+ role: "role1",
+ key: "k1",
+ end: "k3",
+ },
+ {
+ name: "user2",
+ password: "user2-123",
+ role: "role2",
+ key: "k2",
+ end: "k4",
+ },
+ }
+ authSetupUsers(t, integration.ToGRPC(clus.Client(0)).Auth, users)
+
+ authSetupRoot(t, integration.ToGRPC(clus.Client(0)).Auth)
+
+ user1c, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user1", Password: "user1-123"})
+ if cerr != nil {
+ t.Fatal(cerr)
+ }
+ defer user1c.Close()
+
+ user2c, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "user2", Password: "user2-123"})
+ if cerr != nil {
+ t.Fatal(cerr)
+ }
+ defer user2c.Close()
+
+ leaseResp, err := user1c.Grant(context.TODO(), 90)
+ if err != nil {
+ t.Fatal(err)
+ }
+ leaseID := leaseResp.ID
+ _, err = user1c.Put(context.TODO(), "k1", "val", clientv3.WithLease(leaseID))
+ if err != nil {
+ t.Fatal(err)
+ }
+ // k2 can be accessed from both user1 and user2
+ _, err = user1c.Put(context.TODO(), "k2", "val", clientv3.WithLease(leaseID))
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ _, err = user1c.TimeToLive(context.TODO(), leaseID)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ _, err = user2c.TimeToLive(context.TODO(), leaseID)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ _, err = user2c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys())
+ if err == nil {
+ t.Fatal("timetolive from user2 should be failed with permission denied")
+ }
+
+ rootc, cerr := integration.NewClient(t, clientv3.Config{Endpoints: clus.Client(0).Endpoints(), Username: "root", Password: "123"})
+ if cerr != nil {
+ t.Fatal(cerr)
+ }
+ defer rootc.Close()
+
+ if _, err := rootc.RoleRevokePermission(context.TODO(), "role1", "k1", "k3"); err != nil {
+ t.Fatal(err)
+ }
+
+ _, err = user1c.TimeToLive(context.TODO(), leaseID, clientv3.WithAttachedKeys())
+ if err == nil {
+ t.Fatal("timetolive from user2 should be failed with permission denied")
+ }
+}
diff --git a/pkg/ioutil/pagewriter_test.go b/pkg/ioutil/pagewriter_test.go
index 1061069..ee2fa0d 100644
--- a/pkg/ioutil/pagewriter_test.go
+++ b/pkg/ioutil/pagewriter_test.go
@@ -37,7 +37,7 @@ func TestPageWriterRandom(t *testing.T) {
if cw.writeBytes > n {
t.Fatalf("wrote %d bytes to io.Writer, but only wrote %d bytes", cw.writeBytes, n)
}
- if n-cw.writeBytes > pageBytes {
+ if maxPendingBytes := pageBytes + defaultBufferBytes; n-cw.writeBytes > maxPendingBytes {
t.Fatalf("got %d bytes pending, expected less than %d bytes", n-cw.writeBytes, pageBytes)
}
t.Logf("total writes: %d", cw.writes)
diff --git a/tests/e2e/ctl_v3_auth_test.go b/tests/e2e/ctl_v3_auth_test.go
index 2142394..ca2524b 100644
--- a/tests/e2e/ctl_v3_auth_test.go
+++ b/tests/e2e/ctl_v3_auth_test.go
@@ -69,6 +69,7 @@ func TestCtlV3AuthJWTExpire(t *testing.T) { testCtl(t, authTestJWTExpire, withCf
func TestCtlV3AuthCertCNAndUsernameNoPassword(t *testing.T) {
testCtl(t, authTestCertCNAndUsernameNoPassword, withCfg(configClientTLSCertAuth))
}
+func TestCtlV3AuthLeaseTimeToLive(t *testing.T) { testCtl(t, authTestLeaseTimeToLive) }
func authEnableTest(cx ctlCtx) {
if err := authEnable(cx); err != nil {
@@ -1130,3 +1131,51 @@ func authTestJWTExpire(cx ctlCtx) {
cx.t.Error(err)
}
}
+
+func authTestLeaseTimeToLive(cx ctlCtx) {
+ if err := authEnable(cx); err != nil {
+ cx.t.Fatal(err)
+ }
+ cx.user, cx.pass = "root", "root"
+
+ authSetupTestUser(cx)
+
+ cx.user = "test-user"
+ cx.pass = "pass"
+
+ leaseID, err := ctlV3LeaseGrant(cx, 10)
+ if err != nil {
+ cx.t.Fatal(err)
+ }
+
+ err = ctlV3Put(cx, "foo", "val", leaseID)
+ if err != nil {
+ cx.t.Fatal(err)
+ }
+
+ err = ctlV3LeaseTimeToLive(cx, leaseID, true)
+ if err != nil {
+ cx.t.Fatal(err)
+ }
+
+ cx.user = "root"
+ cx.pass = "root"
+ err = ctlV3Put(cx, "bar", "val", leaseID)
+ if err != nil {
+ cx.t.Fatal(err)
+ }
+
+ cx.user = "test-user"
+ cx.pass = "pass"
+ // the lease is attached to bar, which test-user cannot access
+ err = ctlV3LeaseTimeToLive(cx, leaseID, true)
+ if err == nil {
+ cx.t.Fatal("test-user must not be able to access to the lease, because it's attached to the key bar")
+ }
+
+ // without --keys, access should be allowed
+ err = ctlV3LeaseTimeToLive(cx, leaseID, false)
+ if err != nil {
+ cx.t.Fatal(err)
+ }
+}
diff --git a/tests/e2e/ctl_v3_lease_test.go b/tests/e2e/ctl_v3_lease_test.go
index 608b8ca..64d2579 100644
--- a/tests/e2e/ctl_v3_lease_test.go
+++ b/tests/e2e/ctl_v3_lease_test.go
@@ -294,3 +294,11 @@ func ctlV3LeaseRevoke(cx ctlCtx, leaseID string) error {
cmdArgs := append(cx.PrefixArgs(), "lease", "revoke", leaseID)
return spawnWithExpect(cmdArgs, fmt.Sprintf("lease %s revoked", leaseID))
}
+
+func ctlV3LeaseTimeToLive(cx ctlCtx, leaseID string, withKeys bool) error {
+ cmdArgs := append(cx.PrefixArgs(), "lease", "timetolive", leaseID)
+ if withKeys {
+ cmdArgs = append(cmdArgs, "--keys")
+ }
+ return e2e.SpawnWithExpectWithEnv(cmdArgs, cx.envMap, fmt.Sprintf("lease %s granted with", leaseID))
+}
--
2.20.1

131
0009-fix-CVE-2021-28235.patch Normal file
View File

@ -0,0 +1,131 @@
From 3b6de877f048f3875b48f36a66d10a7156106236 Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Wed, 24 Apr 2024 09:28:16 +0800
Subject: [PATCH] fix CVE-2021-28235
---
etcdserver/v3_server.go | 7 ++++
tests/e2e/ctl_v3_auth_security_test.go | 57 ++++++++++++++++++++++++++
tests/e2e/ctl_v3_test.go | 6 +++
tests/e2e/util.go | 9 ++++
4 files changed, 79 insertions(+)
create mode 100644 tests/e2e/ctl_v3_auth_security_test.go
diff --git a/etcdserver/v3_server.go b/etcdserver/v3_server.go
index dee5c20..6ef9e61 100644
--- a/etcdserver/v3_server.go
+++ b/etcdserver/v3_server.go
@@ -431,6 +431,13 @@ func (s *EtcdServer) Authenticate(ctx context.Context, r *pb.AuthenticateRequest
lg := s.getLogger()
+ // fix https://nvd.nist.gov/vuln/detail/CVE-2021-28235
+ defer func() {
+ if r != nil {
+ r.Password = ""
+ }
+ }()
+
var resp proto.Message
for {
checkedRevision, err := s.AuthStore().CheckPassword(r.Name, r.Password)
diff --git a/tests/e2e/ctl_v3_auth_security_test.go b/tests/e2e/ctl_v3_auth_security_test.go
new file mode 100644
index 0000000..754fa4b
--- /dev/null
+++ b/tests/e2e/ctl_v3_auth_security_test.go
@@ -0,0 +1,57 @@
+// Copyright 2023 The etcd Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:build !cluster_proxy
+
+package e2e
+
+import (
+ "strings"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ "go.etcd.io/etcd/tests/v3/framework/e2e"
+)
+
+// TestAuth_CVE_2021_28235 verifies https://nvd.nist.gov/vuln/detail/CVE-2021-28235
+func TestAuth_CVE_2021_28235(t *testing.T) {
+ testCtl(t, authTest_CVE_2021_28235, withCfg(*e2e.NewConfigNoTLS()), withLogLevel("debug"))
+}
+
+func authTest_CVE_2021_28235(cx ctlCtx) {
+ // create root user with root role
+ rootPass := "changeme123"
+ err := ctlV3User(cx, []string{"add", "root", "--interactive=false"}, "User root created", []string{rootPass})
+ require.NoError(cx.t, err)
+ err = ctlV3User(cx, []string{"grant-role", "root", "root"}, "Role root is granted to user root", nil)
+ require.NoError(cx.t, err)
+ err = ctlV3AuthEnable(cx)
+ require.NoError(cx.t, err)
+
+ // issue a put request
+ cx.user, cx.pass = "root", rootPass
+ err = ctlV3Put(cx, "foo", "bar", "")
+ require.NoError(cx.t, err)
+
+ // GET /debug/requests
+ httpEndpoint := cx.epc.Procs[0].EndpointsHTTP()[0]
+ req := e2e.CURLReq{Endpoint: "/debug/requests?fam=grpc.Recv.etcdserverpb.Auth&b=0&exp=1", Timeout: 5}
+ respData, err := curl(httpEndpoint, "GET", req, e2e.ClientNonTLS)
+ require.NoError(cx.t, err)
+
+ if strings.Contains(respData, rootPass) {
+ cx.t.Errorf("The root password is included in the request.\n %s", respData)
+ }
+}
diff --git a/tests/e2e/ctl_v3_test.go b/tests/e2e/ctl_v3_test.go
index 04f5a65..74b1838 100644
--- a/tests/e2e/ctl_v3_test.go
+++ b/tests/e2e/ctl_v3_test.go
@@ -130,6 +130,12 @@ func withFlagByEnv() ctlOption {
return func(cx *ctlCtx) { cx.envMap = make(map[string]struct{}) }
}
+func withLogLevel(logLevel string) ctlOption {
+ return func(cx *ctlCtx) {
+ cx.cfg.LogLevel = logLevel
+ }
+}
+
func testCtl(t *testing.T, testFunc func(ctlCtx), opts ...ctlOption) {
defer testutil.AfterTest(t)
diff --git a/tests/e2e/util.go b/tests/e2e/util.go
index ce7289a..3b772c0 100644
--- a/tests/e2e/util.go
+++ b/tests/e2e/util.go
@@ -108,3 +108,12 @@ func closeWithTimeout(p *expect.ExpectProcess, d time.Duration) error {
func toTLS(s string) string {
return strings.Replace(s, "http://", "https://", 1)
}
+
+func curl(endpoint string, method string, curlReq e2e.CURLReq, connType e2e.ClientConnType) (string, error) {
+ args := e2e.CURLPrefixArgs(endpoint, e2e.ClientConfig{ConnectionType: connType}, false, method, curlReq)
+ lines, err := e2e.RunUtilCompletion(args, nil)
+ if err != nil {
+ return "", err
+ }
+ return strings.Join(lines, "\n"), nil
+}
--
2.20.1

57
0010-fix-CVE-2021-44716.patch Normal file
View File

@ -0,0 +1,57 @@
From 6b06b626969f252e520b1b8f8c3cd1f515835484 Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Tue, 7 May 2024 09:29:47 +0800
Subject: [PATCH] fix CVE-2021-44716
http2: cap the size of the server's canonical header cache
The HTTP/2 server keeps a per-connection cache mapping header keys
to their canonicalized form (e.g., foo-bar => Foo-Bar). Cap the
maximum size of this cache to prevent a peer sending many unique
header keys from causing unbounded memory growth.
Cap chosen arbitrarily at 32 entries. Since this cache does not
include common headers (e.g., content-type), 32 seems like more
than enough for almost all normal uses.
Fixes #50058
Fixes CVE-2021-44716
Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
Trust: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Trust: Damien Neil <dneil@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
vendor/golang.org/x/net/http2/server.go | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
index 5e01ce9..5253650 100644
--- a/vendor/golang.org/x/net/http2/server.go
+++ b/vendor/golang.org/x/net/http2/server.go
@@ -723,7 +723,15 @@ func (sc *serverConn) canonicalHeader(v string) string {
sc.canonHeader = make(map[string]string)
}
cv = http.CanonicalHeaderKey(v)
- sc.canonHeader[v] = cv
+ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+ // entries in the canonHeader cache. This should be larger than the number
+ // of unique, uncommon header keys likely to be sent by the peer, while not
+ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
+ // number of unique header keys.
+ const maxCachedCanonicalHeaders = 32
+ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
+ sc.canonHeader[v] = cv
+ }
return cv
}
--
2.20.1

141
0011-fix-CVE-2022-3064.patch Normal file
View File

@ -0,0 +1,141 @@
From 429f477455b84ede9651f79eb15e78a129a660e9 Mon Sep 17 00:00:00 2001
From: bwzhang <zhangbowei@kylinos.cn>
Date: Thu, 9 May 2024 19:25:53 +0800
Subject: [PATCH] fix CVE-2022-3064
Improve heuristics preventing CPU/memory abuse (#515)
This addresses the following items:
==== Parse time of excessively deep nested or indented documents
Parsing these documents is non-linear; limiting stack depth to 10,000 keeps parse times of pathological documents sub-second (~.25 seconds in benchmarks)
==== Alias node expansion limits
The current limit allows 10,000% expansion, which is too permissive for large documents.
Limiting to 10% expansion for larger documents allows callers to use input size as an effective way to limit resource usage. Continuing to allow larger expansion rates (up to the current 10,000% limit) for smaller documents does not unduly affect memory use.
This change bounds decode operations from alias expansion to ~400,000 operations for small documents (worst-case ~100-150MB) or 10% of the input document for large documents, whichever is greater.
liggitt authored and niemeyer committed on Oct 3, 2019
---
vendor/gopkg.in/yaml.v2/decode.go | 38 +++++++++++++++++++++++++++++
vendor/gopkg.in/yaml.v2/scannerc.go | 16 ++++++++++++
2 files changed, 54 insertions(+)
diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go
index e4e56e2..5310876 100644
--- a/vendor/gopkg.in/yaml.v2/decode.go
+++ b/vendor/gopkg.in/yaml.v2/decode.go
@@ -229,6 +229,10 @@ type decoder struct {
mapType reflect.Type
terrors []string
strict bool
+
+ decodeCount int
+ aliasCount int
+ aliasDepth int
}
var (
@@ -314,7 +318,39 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
return out, false, false
}
+const (
+ // 400,000 decode operations is ~500kb of dense object declarations, or ~5kb of dense object declarations with 10000% alias expansion
+ alias_ratio_range_low = 400000
+ // 4,000,000 decode operations is ~5MB of dense object declarations, or ~4.5MB of dense object declarations with 10% alias expansion
+ alias_ratio_range_high = 4000000
+ // alias_ratio_range is the range over which we scale allowed alias ratios
+ alias_ratio_range = float64(alias_ratio_range_high - alias_ratio_range_low)
+)
+
+func allowedAliasRatio(decodeCount int) float64 {
+ switch {
+ case decodeCount <= alias_ratio_range_low:
+ // allow 99% to come from alias expansion for small-to-medium documents
+ return 0.99
+ case decodeCount >= alias_ratio_range_high:
+ // allow 10% to come from alias expansion for very large documents
+ return 0.10
+ default:
+ // scale smoothly from 99% down to 10% over the range.
+ // this maps to 396,000 - 400,000 allowed alias-driven decodes over the range.
+ // 400,000 decode operations is ~100MB of allocations in worst-case scenarios (single-item maps).
+ return 0.99 - 0.89*(float64(decodeCount-alias_ratio_range_low)/alias_ratio_range)
+ }
+}
+
func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
+ d.decodeCount++
+ if d.aliasDepth > 0 {
+ d.aliasCount++
+ }
+ if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > allowedAliasRatio(d.decodeCount) {
+ failf("document contains excessive aliasing")
+ }
switch n.kind {
case documentNode:
return d.document(n, out)
@@ -353,7 +389,9 @@ func (d *decoder) alias(n *node, out reflect.Value) (good bool) {
failf("anchor '%s' value contains itself", n.value)
}
d.aliases[n] = true
+ d.aliasDepth++
good = d.unmarshal(n.alias, out)
+ d.aliasDepth--
delete(d.aliases, n)
return good
}
diff --git a/vendor/gopkg.in/yaml.v2/scannerc.go b/vendor/gopkg.in/yaml.v2/scannerc.go
index 077fd1d..570b8ec 100644
--- a/vendor/gopkg.in/yaml.v2/scannerc.go
+++ b/vendor/gopkg.in/yaml.v2/scannerc.go
@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool {
return true
}
+// max_flow_level limits the flow_level
+const max_flow_level = 10000
+
// Increase the flow level and resize the simple key list if needed.
func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
// Reset the simple key on the next level.
@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
// Increase the flow level.
parser.flow_level++
+ if parser.flow_level > max_flow_level {
+ return yaml_parser_set_scanner_error(parser,
+ "while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark,
+ fmt.Sprintf("exceeded max depth of %d", max_flow_level))
+ }
return true
}
@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool {
return true
}
+// max_indents limits the indents stack size
+const max_indents = 10000
+
// Push the current indentation level to the stack and set the new level
// the current column is greater than the indentation level. In this case,
// append or insert the specified token into the token queue.
@@ -939,6 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml
// indentation level.
parser.indents = append(parser.indents, parser.indent)
parser.indent = column
+ if len(parser.indents) > max_indents {
+ return yaml_parser_set_scanner_error(parser,
+ "while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark,
+ fmt.Sprintf("exceeded max depth of %d", max_indents))
+ }
// Create a token and insert it into the queue.
token := yaml_token_t{
--
2.20.1

54
etcd.spec
View File

@ -31,7 +31,7 @@ system.}
%global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/* %global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/*
Name: etcd Name: etcd
Release: 8 Release: 14
Summary: Distributed reliable key-value store for the most critical data of a distributed system Summary: Distributed reliable key-value store for the most critical data of a distributed system
# Upstream license specification: Apache-2.0 # Upstream license specification: Apache-2.0
@ -50,6 +50,11 @@ Patch3: 0003-etcd-Add-sw64-architecture.patch
Patch4: 0004-fix-CVE-2023-45288.patch Patch4: 0004-fix-CVE-2023-45288.patch
Patch5: 0005-fix-CVE-2022-41723.patch Patch5: 0005-fix-CVE-2022-41723.patch
Patch6: 0006-fix-CVE-2023-39325.patch Patch6: 0006-fix-CVE-2023-39325.patch
Patch7: 0007-fix-CVE-2022-34038.patch
Patch8: 0008-fix-CVE-2023-32082.patch
Patch9: 0009-fix-CVE-2021-28235.patch
Patch10: 0010-fix-CVE-2021-44716.patch
Patch11: 0011-fix-CVE-2022-3064.patch
BuildRequires: golang BuildRequires: golang
BuildRequires: python3-devel BuildRequires: python3-devel
@ -70,6 +75,11 @@ Requires(pre): shadow-utils
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%ifarch sw_64 %ifarch sw_64
%patch3 -p1 %patch3 -p1
%endif %endif
@ -158,19 +168,55 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
%endif %endif
%changelog %changelog
* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-8 * Thu May 09 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-14
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2022-3064
* Tue May 07 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-13
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2021-44716
* Wed Apr 24 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-12
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2021-28235
* Tue Apr 23 2024 laokz <zhangkai@iscas.ac.cn> - 3.4.14-11
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: add riscv64 to avoid unsupported arch error
* Mon Apr 22 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-10
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2023-32082
* Fri Apr 19 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-9
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: fix CVE-2022-34038
* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-8
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA
- SUG:NA - SUG:NA
- DESC: fix CVE-2023-39325 - DESC: fix CVE-2023-39325
* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-7 * Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-7
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA
- SUG:NA - SUG:NA
- DESC: fix CVE-2022-41723 - DESC: fix CVE-2022-41723
* Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> -3.4.14-6 * Wed Apr 17 2024 zhangbowei <zhangbowei@kylinos.cn> - 3.4.14-6
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA
- SUG:NA - SUG:NA