diff --git a/0001-CVE-2022-32149.patch b/0001-CVE-2022-32149.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1652f20e2af3a81177260796e01159307d0febef
--- /dev/null
+++ b/0001-CVE-2022-32149.patch
@@ -0,0 +1,83 @@
+From d3e0b7bbfb2b6ae861c2b7d9b257fc46fcd0b5b2 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Thu, 25 Apr 2024 09:30:21 +0800
+Subject: [PATCH] CVE-2022-32149
+
+---
+ .../vendor/golang.org/x/text/language/parse.go | 5 +++++
+ .../vendor/golang.org/x/text/language/parse.go | 5 +++++
+ vendor/golang.org/x/text/language/parse.go | 5 +++++
+ 3 files changed, 15 insertions(+)
+
+diff --git a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go
+index fca2d30..5265091 100644
+--- a/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go
++++ b/dnsname-18822f9a4fb35d1349eb256f4cd2bfd372474d84/vendor/golang.org/x/text/language/parse.go
+@@ -764,6 +764,7 @@ func nextExtension(s string, p int) int {
+ }
+
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -773,6 +774,10 @@ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
+ // Tags with a weight of zero will be dropped. An error will be returned if the
+ // input could not be parsed.
+ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
++ if strings.Count(s, "-") > 1000 {
++ return nil, nil, errTagListTooLarge
++ }
++
+ var entry string
+ for s != "" {
+ if entry, s = split(s, ','); entry == "" {
+diff --git a/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go b/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go
+index 59b0410..b982d9e 100644
+--- a/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go
++++ b/gvisor-tap-vsock-4ee84d66bd86668f011733d8873989b5862bcd07/vendor/golang.org/x/text/language/parse.go
+@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
+ }
+
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
+ }
+ }()
+
++ if strings.Count(s, "-") > 1000 {
++ return nil, nil, errTagListTooLarge
++ }
++
+ var entry string
+ for s != "" {
+ if entry, s = split(s, ','); entry == "" {
+diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
+index 59b0410..b982d9e 100644
+--- a/vendor/golang.org/x/text/language/parse.go
++++ b/vendor/golang.org/x/text/language/parse.go
+@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
+ }
+
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
+ }
+ }()
+
++ if strings.Count(s, "-") > 1000 {
++ return nil, nil, errTagListTooLarge
++ }
++
+ var entry string
+ for s != "" {
+ if entry, s = split(s, ','); entry == "" {
+--
+2.33.0
+
diff --git a/podman.spec b/podman.spec
index a370bf01f56dee0592cb6c07652f8481486862c6..69b7873b3e77529650567463744640132898a9e6 100644
--- a/podman.spec
+++ b/podman.spec
@@ -2,7 +2,7 @@
 Name: podman
 Version: 3.4.4
-Release: 1
+Release: 2
 Summary: A daemonless container engine for managing Containers
 Epoch: 1
 License: ASL 2.0
@@ -65,6 +65,7 @@ Provides: bundled(golang(k8s.io/apimachinery)) = v0.19.0
 Patch1: 0001-Fix-the-invalid-memory-address-reference.patch
 Patch2: 0002-add-openEuler-hardened-ld.patch
+Patch3: 0001-CVE-2022-32149.patch
 %description
 Podman manages the entire container ecosystem which includes pods,
@@ -141,7 +142,7 @@ Conflicts: docker docker-latest docker-ce docker-ee moby-engine
 Help document for the podman package
 %prep
-%autosetup -Sgit -n %{name}-%{version}
+%setup -n %{name}-%{version}
 # untar dnsname
 tar zxf %{SOURCE1}
 # untar %%{name}-machine-cni
@@ -149,6 +150,9 @@ tar zxf %{SOURCE2}
 # untar %%{name}-gvproxy
 tar zxf %{SOURCE3}
 tar -xf %SOURCE4
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 %build
 GO_MD2MAN_PATH="$(pwd)%{_bindir}"
@@ -319,6 +323,9 @@ done
 %{_libexecdir}/%{name}/gvproxy
 %changelog
+* Thu Apr 25 2024 lijian - 1:3.4.4-2
+- Fix CVE-2022-32149
+
 * Tue Jul 05 2022 fushanqing - 1:3.4.4-1
 - update to 3.4.4
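Review bot: The length guard lands in three vendored copies of `golang.org/x/text/language/parse.go` (dnsname, gvisor-tap-vsock and the top-level `vendor/`), but `%prep` in podman.spec also unpacks `%{SOURCE2}` and `%SOURCE4`, and nothing on this page shows whether those trees vendor the same package. A check after unpacking that every `parse.go` defining `ParseAcceptLanguage` also defines `errTagListTooLarge` would confirm the fix is complete; one unpatched copy leaves that component parsing an unbounded Accept-Language value. The hunks do not include the import blocks, so it is also worth confirming that each of the three files already imports `strings`. ParseAcceptLanguage's body continues outside these hunks.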
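Review bot: Replacing `%autosetup -Sgit` with `%setup` plus explicit `%patch1`..`%patch3` after the `tar` lines changes when every patch is applied, and the spec does not say why (this spans the hunks at -141 and -149). A comment above `%patch1 -p1` such as `# Apply patches only after the bundled sources are unpacked: Patch3 touches the dnsname and gvisor-tap-vsock vendor trees.` would stop a later cleanup from moving the patches back in front of the extraction, which would make Patch3 fail to apply. The `%patchN` shorthand is deprecated in newer rpm releases, so `%patch -P 3 -p1` is the forward-compatible spelling.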