diff --git a/0010-fix-CVE-2021-44716.patch b/0010-fix-CVE-2021-44716.patch new file mode 100644 index 0000000000000000000000000000000000000000..49fc5fcb0e20cfede648cb013ad9072ac970de55 --- /dev/null +++ b/0010-fix-CVE-2021-44716.patch @@ -0,0 +1,57 @@ +From 6b06b626969f252e520b1b8f8c3cd1f515835484 Mon Sep 17 00:00:00 2001 +From: bwzhang +Date: Tue, 7 May 2024 09:29:47 +0800 +Subject: [PATCH] fix CVE-2021-44716 + +http2: cap the size of the server's canonical header cache + +The HTTP/2 server keeps a per-connection cache mapping header keys +to their canonicalized form (e.g., foo-bar => Foo-Bar). Cap the +maximum size of this cache to prevent a peer sending many unique +header keys from causing unbounded memory growth. + +Cap chosen arbitrarily at 32 entries. Since this cache does not +include common headers (e.g., content-type), 32 seems like more +than enough for almost all normal uses. + +Fixes #50058 +Fixes CVE-2021-44716 + +Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827 +Reviewed-by: Roland Shoemaker +Reviewed-on: https://go-review.googlesource.com/c/net/+/369794 +Trust: Filippo Valsorda +Run-TryBot: Filippo Valsorda +Trust: Damien Neil +Reviewed-by: Russ Cox +Reviewed-by: Filippo Valsorda +TryBot-Result: Gopher Robot +--- + vendor/golang.org/x/net/http2/server.go | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go +index 5e01ce9..5253650 100644 +--- a/vendor/golang.org/x/net/http2/server.go ++++ b/vendor/golang.org/x/net/http2/server.go +@@ -723,7 +723,15 @@ func (sc *serverConn) canonicalHeader(v string) string { + sc.canonHeader = make(map[string]string) + } + cv = http.CanonicalHeaderKey(v) +- sc.canonHeader[v] = cv ++ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of ++ // entries in the canonHeader cache. This should be larger than the number ++ // of unique, uncommon header keys likely to be sent by the peer, while not ++ // so high as to permit unreaasonable memory usage if the peer sends an unbounded ++ // number of unique header keys. ++ const maxCachedCanonicalHeaders = 32 ++ if len(sc.canonHeader) < maxCachedCanonicalHeaders { ++ sc.canonHeader[v] = cv ++ } + return cv + } + +-- +2.20.1 + diff --git a/0011-fix-CVE-2022-3064.patch b/0011-fix-CVE-2022-3064.patch new file mode 100644 index 0000000000000000000000000000000000000000..c2e1970cf6c8ab33710cb8b52f6ea45492d16d74 --- /dev/null +++ b/0011-fix-CVE-2022-3064.patch @@ -0,0 +1,141 @@ +From 429f477455b84ede9651f79eb15e78a129a660e9 Mon Sep 17 00:00:00 2001 +From: bwzhang +Date: Thu, 9 May 2024 19:25:53 +0800 +Subject: [PATCH] fix CVE-2022-3064 + +Improve heuristics preventing CPU/memory abuse (#515) +This addresses the following items: + +==== Parse time of excessively deep nested or indented documents + +Parsing these documents is non-linear; limiting stack depth to 10,000 keeps parse times of pathological documents sub-second (~.25 seconds in benchmarks) + +==== Alias node expansion limits + +The current limit allows 10,000% expansion, which is too permissive for large documents. + +Limiting to 10% expansion for larger documents allows callers to use input size as an effective way to limit resource usage. Continuing to allow larger expansion rates (up to the current 10,000% limit) for smaller documents does not unduly affect memory use. + +This change bounds decode operations from alias expansion to ~400,000 operations for small documents (worst-case ~100-150MB) or 10% of the input document for large documents, whichever is greater. +liggitt authored and niemeyer committed on Oct 3, 2019 +--- + vendor/gopkg.in/yaml.v2/decode.go | 38 +++++++++++++++++++++++++++++ + vendor/gopkg.in/yaml.v2/scannerc.go | 16 ++++++++++++ + 2 files changed, 54 insertions(+) + +diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go +index e4e56e2..5310876 100644 +--- a/vendor/gopkg.in/yaml.v2/decode.go ++++ b/vendor/gopkg.in/yaml.v2/decode.go +@@ -229,6 +229,10 @@ type decoder struct { + mapType reflect.Type + terrors []string + strict bool ++ ++ decodeCount int ++ aliasCount int ++ aliasDepth int + } + + var ( +@@ -314,7 +318,39 @@ func (d *decoder) prepare(n *node, out reflect.Value) (newout reflect.Value, unm + return out, false, false + } + ++const ( ++ // 400,000 decode operations is ~500kb of dense object declarations, or ~5kb of dense object declarations with 10000% alias expansion ++ alias_ratio_range_low = 400000 ++ // 4,000,000 decode operations is ~5MB of dense object declarations, or ~4.5MB of dense object declarations with 10% alias expansion ++ alias_ratio_range_high = 4000000 ++ // alias_ratio_range is the range over which we scale allowed alias ratios ++ alias_ratio_range = float64(alias_ratio_range_high - alias_ratio_range_low) ++) ++ ++func allowedAliasRatio(decodeCount int) float64 { ++ switch { ++ case decodeCount <= alias_ratio_range_low: ++ // allow 99% to come from alias expansion for small-to-medium documents ++ return 0.99 ++ case decodeCount >= alias_ratio_range_high: ++ // allow 10% to come from alias expansion for very large documents ++ return 0.10 ++ default: ++ // scale smoothly from 99% down to 10% over the range. ++ // this maps to 396,000 - 400,000 allowed alias-driven decodes over the range. ++ // 400,000 decode operations is ~100MB of allocations in worst-case scenarios (single-item maps). ++ return 0.99 - 0.89*(float64(decodeCount-alias_ratio_range_low)/alias_ratio_range) ++ } ++} ++ + func (d *decoder) unmarshal(n *node, out reflect.Value) (good bool) { ++ d.decodeCount++ ++ if d.aliasDepth > 0 { ++ d.aliasCount++ ++ } ++ if d.aliasCount > 100 && d.decodeCount > 1000 && float64(d.aliasCount)/float64(d.decodeCount) > allowedAliasRatio(d.decodeCount) { ++ failf("document contains excessive aliasing") ++ } + switch n.kind { + case documentNode: + return d.document(n, out) +@@ -353,7 +389,9 @@ func (d *decoder) alias(n *node, out reflect.Value) (good bool) { + failf("anchor '%s' value contains itself", n.value) + } + d.aliases[n] = true ++ d.aliasDepth++ + good = d.unmarshal(n.alias, out) ++ d.aliasDepth-- + delete(d.aliases, n) + return good + } +diff --git a/vendor/gopkg.in/yaml.v2/scannerc.go b/vendor/gopkg.in/yaml.v2/scannerc.go +index 077fd1d..570b8ec 100644 +--- a/vendor/gopkg.in/yaml.v2/scannerc.go ++++ b/vendor/gopkg.in/yaml.v2/scannerc.go +@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool { + return true + } + ++// max_flow_level limits the flow_level ++const max_flow_level = 10000 ++ + // Increase the flow level and resize the simple key list if needed. + func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool { + // Reset the simple key on the next level. +@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool { + + // Increase the flow level. + parser.flow_level++ ++ if parser.flow_level > max_flow_level { ++ return yaml_parser_set_scanner_error(parser, ++ "while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark, ++ fmt.Sprintf("exceeded max depth of %d", max_flow_level)) ++ } + return true + } + +@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool { + return true + } + ++// max_indents limits the indents stack size ++const max_indents = 10000 ++ + // Push the current indentation level to the stack and set the new level + // the current column is greater than the indentation level. In this case, + // append or insert the specified token into the token queue. +@@ -939,6 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml + // indentation level. + parser.indents = append(parser.indents, parser.indent) + parser.indent = column ++ if len(parser.indents) > max_indents { ++ return yaml_parser_set_scanner_error(parser, ++ "while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark, ++ fmt.Sprintf("exceeded max depth of %d", max_indents)) ++ } + + // Create a token and insert it into the queue. + token := yaml_token_t{ +-- +2.20.1 + diff --git a/etcd.spec b/etcd.spec index e2e87becbc8e961f002fea0cda91a5f41dfaa002..478c8498c88d90f95fe626e040717959114f531e 100644 --- a/etcd.spec +++ b/etcd.spec @@ -31,7 +31,7 @@ system.} %global gosupfiles integration/fixtures/* etcdserver/api/v2http/testdata/* Name: etcd -Release: 12 +Release: 14 Summary: Distributed reliable key-value store for the most critical data of a distributed system # Upstream license specification: Apache-2.0 @@ -53,6 +53,8 @@ Patch6: 0006-fix-CVE-2023-39325.patch Patch7: 0007-fix-CVE-2022-34038.patch Patch8: 0008-fix-CVE-2023-32082.patch Patch9: 0009-fix-CVE-2021-28235.patch +Patch10: 0010-fix-CVE-2021-44716.patch +Patch11: 0011-fix-CVE-2022-3064.patch BuildRequires: golang BuildRequires: python3-devel @@ -76,6 +78,8 @@ Requires(pre): shadow-utils %patch7 -p1 %patch8 -p1 %patch9 -p1 +%patch10 -p1 +%patch11 -p1 %ifarch sw_64 %patch3 -p1 %endif @@ -164,6 +168,18 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/ %endif %changelog +* Thu May 09 2024 zhangbowei - 3.4.14-14 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: fix CVE-2022-3064 + +* Tue May 07 2024 zhangbowei - 3.4.14-13 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: fix CVE-2021-44716 + * Wed Apr 24 2024 zhangbowei - 3.4.14-12 - Type:bugfix - CVE:NA