From c1bf06fc316611762bc368c8c03c26e37c9167d3 Mon Sep 17 00:00:00 2001
From: lvxiangcong <lvxiangcong@kylinos.cn>
Date: Thu, 13 Feb 2025 18:19:35 +0800
Subject: [PATCH] backport fix cve-2022-3064

(cherry picked from commit be57856a86adb7502ea8a17a90236dcbd083cc98)
---
 0005-backport-fix-CVE-2022-3064.patch | 117 ++++++++++++++++++++++++++
 etcd.spec                             |  10 ++-
 2 files changed, 126 insertions(+), 1 deletion(-)
 create mode 100644 0005-backport-fix-CVE-2022-3064.patch

diff --git a/0005-backport-fix-CVE-2022-3064.patch b/0005-backport-fix-CVE-2022-3064.patch
new file mode 100644
index 0000000..127120a
--- /dev/null
+++ b/0005-backport-fix-CVE-2022-3064.patch
@@ -0,0 +1,117 @@
+From 48b4385de0f9c6e4745205a72185b0f39bc8ea74 Mon Sep 17 00:00:00 2001
+From: lvxiangcong <lvxiangcong@kylinos.cn>
+Date: Thu, 13 Feb 2025 18:13:18 +0800
+Subject: [PATCH] backport-cve-2022-3064
+
+---
+ vendor/gopkg.in/yaml.v2/decode.go   | 36 +++++++++++++++++++++++++++++
+ vendor/gopkg.in/yaml.v2/scannerc.go | 17 +++++++++++++-
+ 2 files changed, 52 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go
+index e4e56e2..43106a8 100644
+--- a/vendor/gopkg.in/yaml.v2/decode.go
++++ b/vendor/gopkg.in/yaml.v2/decode.go
+@@ -229,6 +229,10 @@ type decoder struct {
+ 	mapType reflect.Type
+ 	terrors []string
+ 	strict  bool
++
++	decodeCount int
++	aliasCount  int
++	aliasDepth  int
+ }
+ 
+ var (
+@@ -314,7 +318,39 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm
+ 	return out, false, false
+ }
+ 
++const (
++	// 400,000 decode operations is ~500kb of dense object declarations, or ~5kb of dense object declarations with 10000% alias expansion
++	alias_ratio_range_low = 400000
++	// 4,000,000 decode operations is ~5MB of dense object declarations, or ~4.5MB of dense object declarations with 10% alias expansion
++	alias_ratio_range_high = 4000000
++	// alias_ratio_range is the range over which we scale allowed alias ratios
++	alias_ratio_range = float64(alias_ratio_range_high - alias_ratio_range_low)
++)
++
++func allowedAliasRatio(decodeCount int) float64 {
++	switch {
++	case decodeCount <= alias_ratio_range_low:
++		// allow 99% to come from alias expansion for small-to-medium documents
++		return 0.99
++	case decodeCount >= alias_ratio_range_high:
++		// allow 10% to come from alias expansion for very large documents
++		return 0.10
++	default:
++		// scale smoothly from 99% down to 10% over the range.
++		// this maps to 396,000 - 400,000 allowed alias-driven decodes over the range.
++		// 400,000 decode operations is ~100MB of allocations in worst-case scenarios (single-item maps).
++		return 0.99 - 0.89*(float64(decodeCount-alias_ratio_range_low)/alias_ratio_range)
++	}
++}
++
+ func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) {
++	d.decodeCount++
++	if d.aliasDepth > 0 {
++		d.aliasCount++
++	}
++	if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > allowedAliasRatio(d.decodeCount) {
++		failf("document contains excessive aliasing")
++	}
+ 	switch n.kind {
+ 	case documentNode:
+ 		return d.document(n, out)
+diff --git a/vendor/gopkg.in/yaml.v2/scannerc.go b/vendor/gopkg.in/yaml.v2/scannerc.go
+index 077fd1d..d1a58a7 100644
+--- a/vendor/gopkg.in/yaml.v2/scannerc.go
++++ b/vendor/gopkg.in/yaml.v2/scannerc.go
+@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_flow_level limits the flow_level
++const max_flow_level = 10000
++
+ // Increase the flow level and resize the simple key list if needed.
+ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 	// Reset the simple key on the next level.
+@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 
+ 	// Increase the flow level.
+ 	parser.flow_level++
++	if parser.flow_level > max_flow_level {
++		return yaml_parser_set_scanner_error(parser,
++			"while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++			fmt.Sprintf("exceeded max depth of %d", max_flow_level))
++	}
+ 	return true
+ }
+ 
+@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_indents limits the indents stack size
++const max_indents = 10000
++
+ // Push the current indentation level to the stack and set the new level
+ // the current column is greater than the indentation level.  In this case,
+ // append or insert the specified token into the token queue.
+@@ -939,7 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml
+ 		// indentation level.
+ 		parser.indents = append(parser.indents, parser.indent)
+ 		parser.indent = column
+-
++		if len(parser.indents) > max_indents {
++			return yaml_parser_set_scanner_error(parser,
++				"while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++				fmt.Sprintf("exceeded max depth of %d", max_indents))
++		}
+ 		// Create a token and insert it into the queue.
+ 		token := yaml_token_t{
+ 			typ:        typ,
+-- 
+2.46.0
+
diff --git a/etcd.spec b/etcd.spec
index 36a8d7e..8afb1da 100644
--- a/etcd.spec
+++ b/etcd.spec
@@ -31,7 +31,7 @@ system.}
 %global gosupfiles      integration/fixtures/* etcdserver/api/v2http/testdata/*
 
 Name:           etcd
-Release:        7
+Release:        8
 Summary:        Distributed reliable key-value store for the most critical data of a distributed system
 
 # Upstream license specification: Apache-2.0
@@ -48,6 +48,7 @@ Patch1:         0001-Convert-int-to-string-using-strconv.Itoa.patch
 Patch2:		0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-set.patch
 Patch3:		0003-etcd-3.4.14-sw.patch
 Patch4:         0004-backport-Suppress-noisy-basic-auth-token-deletion-log.patch
+Patch5:         0005-backport-fix-CVE-2022-3064.patch
 BuildRequires:  golang
 BuildRequires:  python3-devel
 %{?systemd_requires}
@@ -68,6 +69,7 @@ Requires(pre):  shadow-utils
 %patch3 -p1
 %endif
 %patch4 -p1
+%patch5 -p1
 # For compatibility
 cp -aR etcdserver/api/snap snap
 cp -aR etcdserver/api/membership etcdserver/membership
@@ -153,6 +155,12 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
 %endif
 
 %changelog
+* Thu Feb 13 2025 lvxiangcong<lvxiangcong@kylinos.cn> - 3.4.14-8
+- Type:CVE
+- CVE:CVE-2022-3064
+- SUG:NA
+- DESC: backport fix CVE-2022-3064
+
 * Tue Feb 11 2025 lvxiangcong<lvxiangcong@kylinos.cn> - 3.4.14-7
 - Type:CVE
 - CVE:CVE-2022-24675 CVE-2022-28327 CVE-2022-24921 CVE-2021-44717 CVE-2021-33195
-- 
Gitee