From 0dcacf984b88880bc51ef5ee5831760faca9fd3c Mon Sep 17 00:00:00 2001
From: bwzhang
Date: Tue, 2 Apr 2024 16:26:14 +0800
Subject: [PATCH] fix CVE-2024-28180
(cherry picked from commit 4fca04c3ff2038ce1ea3f01e2731db59392f6e0b)
---
0003-fix-CVE-2024-28180.patch | 89 +++++++++++++++++++++++++++++++++++
cri-o.spec | 9 +++-
2 files changed, 97 insertions(+), 1 deletion(-)
create mode 100644 0003-fix-CVE-2024-28180.patch
diff --git a/0003-fix-CVE-2024-28180.patch b/0003-fix-CVE-2024-28180.patch
new file mode 100644
index 0000000..47fef05
--- /dev/null
+++ b/0003-fix-CVE-2024-28180.patch
@@ -0,0 +1,89 @@
+From d1aef6461e6fff7afce01fa6aa832914cb0f26a8 Mon Sep 17 00:00:00 2001
+From: bwzhang
+Date: Thu, 28 Mar 2024 16:30:28 +0800
+Subject: [PATCH] fix CVE-2024-28180
+
+---
+ .../github.com/go-jose/go-jose/v3/crypter.go | 6 ++++++
+ .../github.com/go-jose/go-jose/v3/encoding.go | 21 +++++++++++++++----
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/crypter.go b/vendor/github.com/go-jose/go-jose/v3/crypter.go
+index 6901137..34d4e1f 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/crypter.go
++++ b/vendor/github.com/go-jose/go-jose/v3/crypter.go
+@@ -406,6 +406,9 @@ func (ctx *genericEncrypter) Options() EncrypterOptions {
+ // Decrypt and validate the object and return the plaintext. Note that this
+ // function does not support multi-recipient, if you desire multi-recipient
+ // decryption use DecryptMulti instead.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >10x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error) {
+ headers := obj.mergedHeaders(nil)
+
+@@ -471,6 +474,9 @@ func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
+ // with support for multiple recipients. It returns the index of the recipient
+ // for which the decryption was successful, the merged headers for that recipient,
+ // and the plaintext.
++//
++// Automatically decompresses plaintext, but returns an error if the decompressed
++// data would be >250kB or >3x the size of the compressed data, whichever is larger.
+ func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error) {
+ globalHeaders := obj.mergedHeaders(nil)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/encoding.go b/vendor/github.com/go-jose/go-jose/v3/encoding.go
+index 968a424..c378031 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/encoding.go
++++ b/vendor/github.com/go-jose/go-jose/v3/encoding.go
+@@ -21,6 +21,7 @@ import (
+ "compress/flate"
+ "encoding/base64"
+ "encoding/binary"
++ "fmt"
+ "io"
+ "math/big"
+ "strings"
+@@ -85,7 +86,7 @@ func decompress(algorithm CompressionAlgorithm, input []byte) ([]byte, error) {
+ }
+ }
+
+-// Compress with DEFLATE
++// deflate compresses the input.
+ func deflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+
+@@ -97,15 +98,27 @@ func deflate(input []byte) ([]byte, error) {
+ return output.Bytes(), err
+ }
+
+-// Decompress with DEFLATE
++// inflate decompresses the input.
++//
++// Errors if the decompressed data would be >250kB or >10x the size of the
++// compressed data, whichever is larger
+ func inflate(input []byte) ([]byte, error) {
+ output := new(bytes.Buffer)
+ reader := flate.NewReader(bytes.NewBuffer(input))
+
+- _, err := io.Copy(output, reader)
+- if err != nil {
++ maxCompressedSize := 10 * int64(len(input))
++ if maxCompressedSize < 250000 {
++ maxCompressedSize = 250000
++ }
++
++ limit := maxCompressedSize + 1
++ n, err := io.CopyN(output, reader, limit)
++ if err != nil && err != io.EOF {
+ return nil, err
+ }
++ if n == limit {
++ return nil, fmt.Errorf("uncompressed data would be too large (>%d bytes)", maxCompressedSize)
++ }
+
+ err = reader.Close()
+ return output.Bytes(), err
+--
+2.20.1
+
diff --git a/cri-o.spec b/cri-o.spec
index f6f5643..7c26465 100644
--- a/cri-o.spec
+++ b/cri-o.spec
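Review bot: The doc comment added to DecryptMulti in the crypter.go hunk states the cap as `>3x the size of the compressed data`, but inflate in the encoding.go hunk enforces `maxCompressedSize := 10 * int64(len(input))` and the matching comment on Decrypt says `>10x`; the DecryptMulti line should read `// data would be >250kB or >10x the size of the compressed data, whichever is larger.` so callers are not documented a tighter bound than the one actually enforced. In inflate the variable holding the decompression cap is named `maxCompressedSize`, which reads as a bound on the input; `maxDecompressedSize` would match what it limits and what the `fmt.Errorf` message reports. The cap lives only in inflate, so it covers the DEFLATE path reached through decompress; the bodies of Decrypt and DecryptMulti continue outside their hunks, and inflate's closing brace follows the last line of the encoding.go hunk.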
@@ -21,7 +21,7 @@ Name: cri-o Version: 1.29.2 Epoch: 0 -Release: 3 +Release: 4 Summary: Open Container Initiative-based implementation of Kubernetes Container Runtime Interface License: ASL 2.0 URL: https://github.com/cri-o/cri-o @@ -30,6 +30,7 @@ Source1: https://github.com/cpuguy83/go-md2man/archive/refs/tags/v2.0.3.t Patch0001: 0001-fix-CVE-2024-24786.patch Patch0002: 0002-fix-CVE-2023-48795.patch +Patch0003: 0003-fix-CVE-2024-28180.patch ExclusiveArch: %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}} BuildRequires: btrfs-progs-devel device-mapper-devel go-srpm-macros @@ -160,6 +161,12 @@ install -dp %{buildroot}%{_sharedstatedir}/containers %{_datadir}/zsh/site-functions/_%{service_name}* %changelog +* Tue Apr 2 2024 zhangbowei - 0:1.29.2-4 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: CVE-2024-28180 + * Mon Apr 1 2024 zhangbowei - 0:1.29.2-3 - Type:bugfix - CVE:NA -- Gitee