diff --git a/0004-backport-fix-CVE-2022-3064.patch b/0004-backport-fix-CVE-2022-3064.patch new file mode 100644 index 0000000000000000000000000000000000000000..127120a82b094c8336bb72d72eb3c35942e4e4f6 --- /dev/null +++ b/0004-backport-fix-CVE-2022-3064.patch @@ -0,0 +1,117 @@ +From 48b4385de0f9c6e4745205a72185b0f39bc8ea74 Mon Sep 17 00:00:00 2001 +From: lvxiangcong +Date: Thu, 13 Feb 2025 18:13:18 +0800 +Subject: [PATCH] backport-cve-2022-3064 + +--- + vendor/gopkg.in/yaml.v2/decode.go | 36 +++++++++++++++++++++++++++++ + vendor/gopkg.in/yaml.v2/scannerc.go | 17 +++++++++++++- + 2 files changed, 52 insertions(+), 1 deletion(-) + +diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go +index e4e56e2..43106a8 100644 +--- a/vendor/gopkg.in/yaml.v2/decode.go ++++ b/vendor/gopkg.in/yaml.v2/decode.go +@@ -229,6 +229,10 @@ type decoder struct { + mapType reflect.Type + terrors []string + strict bool ++ ++ decodeCount int ++ aliasCount int ++ aliasDepth int + } + + var ( +@@ -314,7 +318,39 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm + return out, false, false + } + ++const ( ++ // 400,000 decode operations is ~500kb of dense object declarations, or ~5kb of dense object declarations with 10000% alias expansion ++ alias_ratio_range_low = 400000 ++ // 4,000,000 decode operations is ~5MB of dense object declarations, or ~4.5MB of dense object declarations with 10% alias expansion ++ alias_ratio_range_high = 4000000 ++ // alias_ratio_range is the range over which we scale allowed alias ratios ++ alias_ratio_range = float64(alias_ratio_range_high - alias_ratio_range_low) ++) ++ ++func allowedAliasRatio(decodeCount int) float64 { ++ switch { ++ case decodeCount <= alias_ratio_range_low: ++ // allow 99% to come from alias expansion for small-to-medium documents ++ return 0.99 ++ case decodeCount >= alias_ratio_range_high: ++ // allow 10% to come from alias expansion for very large documents ++ return 0.10 ++ default: ++ // scale smoothly from 99% down to 10% over the range. ++ // this maps to 396,000 - 400,000 allowed alias-driven decodes over the range. ++ // 400,000 decode operations is ~100MB of allocations in worst-case scenarios (single-item maps). ++ return 0.99 - 0.89*(float64(decodeCount-alias_ratio_range_low)/alias_ratio_range) ++ } ++} ++ + func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) { ++ d.decodeCount++ ++ if d.aliasDepth > 0 { ++ d.aliasCount++ ++ } ++ if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > allowedAliasRatio(d.decodeCount) { ++ failf("document contains excessive aliasing") ++ } + switch n.kind { + case documentNode: + return d.document(n, out) +diff --git a/vendor/gopkg.in/yaml.v2/scannerc.go b/vendor/gopkg.in/yaml.v2/scannerc.go +index 077fd1d..d1a58a7 100644 +--- a/vendor/gopkg.in/yaml.v2/scannerc.go ++++ b/vendor/gopkg.in/yaml.v2/scannerc.go +@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool { + return true + } + ++// max_flow_level limits the flow_level ++const max_flow_level = 10000 ++ + // Increase the flow level and resize the simple key list if needed. + func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool { + // Reset the simple key on the next level. +@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool { + + // Increase the flow level. + parser.flow_level++ ++ if parser.flow_level > max_flow_level { ++ return yaml_parser_set_scanner_error(parser, ++ "while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark, ++ fmt.Sprintf("exceeded max depth of %d", max_flow_level)) ++ } + return true + } + +@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool { + return true + } + ++// max_indents limits the indents stack size ++const max_indents = 10000 ++ + // Push the current indentation level to the stack and set the new level + // the current column is greater than the indentation level. In this case, + // append or insert the specified token into the token queue. +@@ -939,7 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml + // indentation level. + parser.indents = append(parser.indents, parser.indent) + parser.indent = column +- ++ if len(parser.indents) > max_indents { ++ return yaml_parser_set_scanner_error(parser, ++ "while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark, ++ fmt.Sprintf("exceeded max depth of %d", max_indents)) ++ } + // Create a token and insert it into the queue. + token := yaml_token_t{ + typ: typ, +-- +2.46.0 + diff --git a/0005-backport-fix-CVE-2022-41723.patch b/0005-backport-fix-CVE-2022-41723.patch new file mode 100644 index 0000000000000000000000000000000000000000..ecdbe4b01b208d78589c78eabc6f2e5e20cf884a --- /dev/null +++ b/0005-backport-fix-CVE-2022-41723.patch @@ -0,0 +1,143 @@ +From 33fc2e1988454d3a2f9d887161884f76f344178f Mon Sep 17 00:00:00 2001 +From: lvxiangcong +Date: Fri, 14 Feb 2025 14:29:45 +0800 +Subject: [PATCH] backport fix cve-2022-41723 + +--- + vendor/golang.org/x/net/http2/hpack/hpack.go | 80 ++++++++++++-------- + 1 file changed, 50 insertions(+), 30 deletions(-) + +diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go +index 85f18a2..0d3fd2b 100644 +--- a/vendor/golang.org/x/net/http2/hpack/hpack.go ++++ b/vendor/golang.org/x/net/http2/hpack/hpack.go +@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + + var hf HeaderField + wantStr := d.emitEnabled || it.indexed() ++ var undecodedName undecodedString + if nameIdx > 0 { + ihf, ok := d.at(nameIdx) + if !ok { +@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + } + hf.Name = ihf.Name + } else { +- hf.Name, buf, err = d.readString(buf, wantStr) ++ undecodedName, buf, err = d.readString(buf) + if err != nil { + return err + } + } +- hf.Value, buf, err = d.readString(buf, wantStr) ++ undecodedValue, buf, err := d.readString(buf) + if err != nil { + return err + } ++ if wantStr { ++ if nameIdx <= 0 { ++ hf.Name, err = d.decodeString(undecodedName) ++ if err != nil { ++ return err ++ } ++ } ++ hf.Value, err = d.decodeString(undecodedValue) ++ if err != nil { ++ return err ++ } ++ } + d.buf = buf + if it.indexed() { + d.dynTab.add(hf) +@@ -383,6 +396,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error { + return d.callEmit(hf) + } + ++ + func (d *Decoder) callEmit(hf HeaderField) error { + if d.maxStrLen != 0 { + if len(hf.Name) > d.maxStrLen || len(hf.Value) > d.maxStrLen { +@@ -459,46 +473,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) { + return 0, origP, errNeedMore + } + +-// readString decodes an hpack string from p. ++// readString reads an hpack string from p. + // +-// wantStr is whether s will be used. If false, decompression and +-// []byte->string garbage are skipped if s will be ignored +-// anyway. This does mean that huffman decoding errors for non-indexed +-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server +-// is returning an error anyway, and because they're not indexed, the error +-// won't affect the decoding state. +-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) { ++// It returns a reference to the encoded string data to permit deferring decode costs ++// until after the caller verifies all data is present. ++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) { + if len(p) == 0 { +- return "", p, errNeedMore ++ return u, p, errNeedMore + } + isHuff := p[0]&128 != 0 + strLen, p, err := readVarInt(7, p) + if err != nil { +- return "", p, err ++ return u, p, err + } + if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) { +- return "", nil, ErrStringLength ++ // Returning an error here means Huffman decoding errors ++ // for non-indexed strings past the maximum string length ++ // are ignored, but the server is returning an error anyway ++ // and because the string is not indexed the error will not ++ // affect the decoding state. ++ return u, nil, ErrStringLength + } + if uint64(len(p)) < strLen { +- return "", p, errNeedMore +- } +- if !isHuff { +- if wantStr { +- s = string(p[:strLen]) +- } +- return s, p[strLen:], nil ++ return u, p, errNeedMore + } ++ u.isHuff = isHuff ++ u.b = p[:strLen] ++ return u, p[strLen:], nil ++} + +- if wantStr { +- buf := bufPool.Get().(*bytes.Buffer) +- buf.Reset() // don't trust others +- defer bufPool.Put(buf) +- if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil { +- buf.Reset() +- return "", nil, err +- } ++type undecodedString struct { ++ isHuff bool ++ b []byte ++} ++ ++func (d *Decoder) decodeString(u undecodedString) (string, error) { ++ if !u.isHuff { ++ return string(u.b), nil ++ } ++ buf := bufPool.Get().(*bytes.Buffer) ++ buf.Reset() // don't trust others ++ var s string ++ err := huffmanDecode(buf, d.maxStrLen, u.b) ++ if err == nil { + s = buf.String() +- buf.Reset() // be nice to GC + } +- return s, p[strLen:], nil ++ buf.Reset() // be nice to GC ++ bufPool.Put(buf) ++ return s, err + } +-- +2.46.0 + diff --git a/etcd.spec b/etcd.spec index cf963c4e36e3a45fcee4b1f2b20e3e220f52c82e..82b84688ea43ce760e2ae71aeedf7f6cdb50dbec 100644 --- a/etcd.spec +++ b/etcd.spec @@ -31,7 +31,7 @@ system.} %global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/* Name: etcd -Release: 5 +Release: 6 Summary: Distributed reliable key-value store for the most critical data of a distributed system # Upstream license specification: Apache-2.0 @@ -47,6 +47,8 @@ Source10: genmanpages.sh Patch1: 0001-Convert-int-to-string-using-strconv.Itoa.patch Patch2: 0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-set.patch Patch3: 0003-etcd-3.4.14-sw.patch +Patch4: 0004-backport-fix-CVE-2022-3064.patch +Patch5: 0005-backport-fix-CVE-2022-41723.patch BuildRequires: golang BuildRequires: python3-devel @@ -67,6 +69,8 @@ Requires(pre): shadow-utils %ifarch sw_64 %patch3 -p1 %endif +%patch4 -p1 +%patch5 -p1 # For compatibility cp -aR etcdserver/api/snap snap cp -aR etcdserver/api/membership etcdserver/membership @@ -152,6 +156,12 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/ %endif %changelog +* Fri Feb 14 2025 lvxiangcong - 3.4.14-6 +- Type:CVE +- CVE:CVE-2022-3064 CVE-2022-41723 +- SUG:NA +- DESC: backport fix CVE-2022-3064 and CVE-2022-41723 + * Wed Oct 19 2022 wuzx - 3.4.14-5 - add sw64 patch