Sync from SUSE:SLFO:Main skopeo revision 00abbd1476bf0369e33edb9452786202

2025-02-10 14:26:58 +01:00
parent 372437835e
commit 35b5eaa0b8
5 changed files with 231 additions and 18371 deletions
--- a/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+++ b/0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
--- a/0001-http2-close-connections-when-receiving-too-many-head.patch
+++ b/0001-http2-close-connections-when-receiving-too-many-head.patch
@@ -0,0 +1,79 @@
+From 24daef011d67659fced01c3576ddf2ef17d7190c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
+Date: Wed, 5 Feb 2025 15:38:33 +0100
+Subject: [PATCH 1/2] http2: close connections when receiving too many headers
+
+Maintaining HPACK state requires that we parse and process
+all HEADERS and CONTINUATION frames on a connection.
+When a request's headers exceed MaxHeaderBytes, we don't
+allocate memory to store the excess headers but we do
+parse them. This permits an attacker to cause an HTTP/2
+endpoint to read arbitrary amounts of data, all associated
+with a request which is going to be rejected.
+
+Set a limit on the amount of excess header frames we
+will process before closing a connection.
+
+Thanks to Bartek Nowotarski for reporting this issue.
+
+Fixes CVE-2023-45288
+Fixes bsc#1236507
+
+This is a backport of
+https://go.googlesource.com/net/+/ba872109ef2dc8f1da778651bd1fd3792d0e4587%5E%21/#F0
+---
+ vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index e2b298d8..a5a94411 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
+++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -1564,6 +1564,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 		if size > remainSize {
+ 			hdec.SetEmitEnabled(false)
+ 			mh.Truncated = true
+			remainSize = 0
+ 			return
+ 		}
+ 		remainSize -= size
+@@ -1576,6 +1577,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 	var hc headersOrContinuation = hf
+ 	for {
+ 		frag := hc.HeaderBlockFragment()
+
+		// Avoid parsing large amounts of headers that we will then discard.
+		// If the sender exceeds the max header list size by too much,
+		// skip parsing the fragment and close the connection.
+		//
+		// "Too much" is either any CONTINUATION frame after we've already
+		// exceeded the max header list size (in which case remainSize is 0),
+		// or a frame whose encoded size is more than twice the remaining
+		// header list bytes we're willing to accept.
+		if int64(len(frag)) > int64(2*remainSize) {
+			if VerboseLogs {
+				log.Printf("http2: header list too large")
+			}
+			// It would be nice to send a RST_STREAM before sending the GOAWAY,
+			// but the struture of the server's frame writer makes this difficult.
+			return nil, ConnectionError(ErrCodeProtocol)
+		}
+
+		// Also close the connection after any CONTINUATION frame following an
+		// invalid header, since we stop tracking the size of the headers after
+		// an invalid one.
+		if invalid != nil {
+			if VerboseLogs {
+				log.Printf("http2: invalid header: %v", invalid)
+			}
+			// It would be nice to send a RST_STREAM before sending the GOAWAY,
+			// but the struture of the server's frame writer makes this difficult.
+			return nil, ConnectionError(ErrCodeProtocol)
+		}
+
+ 		if _, err := hdec.Write(frag); err != nil {
+ 			return nil, ConnectionError(ErrCodeCompression)
+ 		}
+-- 
+2.48.1
+
--- a/0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
+++ b/0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
@@ -0,0 +1,136 @@
+From 31243434c9214391e60b78aeea714dffa7cbb07f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
+Date: Wed, 5 Feb 2025 17:55:27 +0100
+Subject: [PATCH 2/2] Switch hashicorp/go-retryablehttp to the SUSE fork
+
+The SUSE fork has the fix for CVE-2024-6104 backported to v0.7.5 and is a proper
+go module. Thereby this fix can no longer get overwritten by an accidental
+`make vendor-in-container`
+
+This fixes CVE-2024-6104
+This fixes bsc#1227056
+---
+ go.mod                                        |  3 ++
+ go.sum                                        |  4 +--
+ .../hashicorp/go-retryablehttp/client.go      | 28 ++++++++++++++-----
+ vendor/modules.txt                            |  2 +-
+ 4 files changed, 27 insertions(+), 10 deletions(-)
+
+diff --git a/go.mod b/go.mod
+index 871877a0..e45872e6 100644
+--- a/go.mod
+++ b/go.mod
+@@ -138,3 +138,6 @@ require (
+ 	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
+ 	gopkg.in/yaml.v2 v2.4.0 // indirect
+ )
+
+// replaced with the HEAD commit of the suse-v0.7.5 branch at github.com/suse/go-retryablehttp
+replace github.com/hashicorp/go-retryablehttp v0.7.5 => github.com/suse/go-retryablehttp v0.0.0-20241209123412-5c0e967751af
+diff --git a/go.sum b/go.sum
+index 8c962c1d..168c66e0 100644
+--- a/go.sum
+++ b/go.sum
+@@ -206,8 +206,6 @@ github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrj
+ github.com/hashicorp/go-hclog v1.2.0 h1:La19f8d7WIlm4ogzNHB0JGqs5AUDAZ2UfCY4sJXcJdM=
+ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+-github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
+-github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+ github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+@@ -364,6 +362,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
+ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+ github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/suse/go-retryablehttp v0.0.0-20241209123412-5c0e967751af h1:DY/ORvARYzbrRccGK9YHtH74BGo4rYKW+UsekETTs8Y=
+github.com/suse/go-retryablehttp v0.0.0-20241209123412-5c0e967751af/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+ github.com/sylabs/sif/v2 v2.15.1 h1:75BcunPOY11fVhe02/WHuNLTfDd3OHH0ex0MuuNMYX0=
+ github.com/sylabs/sif/v2 v2.15.1/go.mod h1:YiwCUdZOhiohnPbyxuxvCZa+03HwAaiC+vfAKZPR8nQ=
+ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=
+diff --git a/vendor/github.com/hashicorp/go-retryablehttp/client.go b/vendor/github.com/hashicorp/go-retryablehttp/client.go
+index c9edbd05..1394fbc0 100644
+--- a/vendor/github.com/hashicorp/go-retryablehttp/client.go
+++ b/vendor/github.com/hashicorp/go-retryablehttp/client.go
+@@ -609,9 +609,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 	if logger != nil {
+ 		switch v := logger.(type) {
+ 		case LeveledLogger:
+-			v.Debug("performing request", "method", req.Method, "url", req.URL)
+			v.Debug("performing request", "method", req.Method, "url", redactURL(req.URL))
+ 		case Logger:
+-			v.Printf("[DEBUG] %s %s", req.Method, req.URL)
+			v.Printf("[DEBUG] %s %s", req.Method, redactURL(req.URL))
+ 		}
+ 	}
+ 
+@@ -666,9 +666,9 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 		if err != nil {
+ 			switch v := logger.(type) {
+ 			case LeveledLogger:
+-				v.Error("request failed", "error", err, "method", req.Method, "url", req.URL)
+				v.Error("request failed", "error", err, "method", req.Method, "url", redactURL(req.URL))
+ 			case Logger:
+-				v.Printf("[ERR] %s %s request failed: %v", req.Method, req.URL, err)
+				v.Printf("[ERR] %s %s request failed: %v", req.Method, redactURL(req.URL), err)
+ 			}
+ 		} else {
+ 			// Call this here to maintain the behavior of logging all requests,
+@@ -704,7 +704,7 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 
+ 		wait := c.Backoff(c.RetryWaitMin, c.RetryWaitMax, i, resp)
+ 		if logger != nil {
+-			desc := fmt.Sprintf("%s %s", req.Method, req.URL)
+			desc := fmt.Sprintf("%s %s", req.Method, redactURL(req.URL))
+ 			if resp != nil {
+ 				desc = fmt.Sprintf("%s (status: %d)", desc, resp.StatusCode)
+ 			}
+@@ -760,11 +760,11 @@ func (c *Client) Do(req *Request) (*http.Response, error) {
+ 	// communicate why
+ 	if err == nil {
+ 		return nil, fmt.Errorf("%s %s giving up after %d attempt(s)",
+-			req.Method, req.URL, attempt)
+			req.Method, redactURL(req.URL), attempt)
+ 	}
+ 
+ 	return nil, fmt.Errorf("%s %s giving up after %d attempt(s): %w",
+-		req.Method, req.URL, attempt, err)
+		req.Method, redactURL(req.URL), attempt, err)
+ }
+ 
+ // Try to read the response body so we can reuse this connection.
+@@ -845,3 +845,17 @@ func (c *Client) StandardClient() *http.Client {
+ 		Transport: &RoundTripper{Client: c},
+ 	}
+ }
+
+// Taken from url.URL#Redacted() which was introduced in go 1.15.
+// We can switch to using it directly if we'll bump the minimum required go version.
+func redactURL(u *url.URL) string {
+	if u == nil {
+		return ""
+	}
+
+	ru := *u
+	if _, has := ru.User.Password(); has {
+		ru.User = url.UserPassword(ru.User.Username(), "xxxxx")
+	}
+	return ru.String()
+}
+diff --git a/vendor/modules.txt b/vendor/modules.txt
+index c90997ef..144c2ed9 100644
+--- a/vendor/modules.txt
+++ b/vendor/modules.txt
+@@ -370,7 +370,7 @@ github.com/hashicorp/go-cleanhttp
+ # github.com/hashicorp/go-multierror v1.1.1
+ ## explicit; go 1.13
+ github.com/hashicorp/go-multierror
+-# github.com/hashicorp/go-retryablehttp v0.7.5
+# github.com/hashicorp/go-retryablehttp v0.7.5 => github.com/suse/go-retryablehttp v0.0.0-20241209123412-5c0e967751af
+ ## explicit; go 1.13
+ github.com/hashicorp/go-retryablehttp
+ # github.com/inconshreveable/mousetrap v1.1.0
+-- 
+2.48.1
+
--- a/skopeo.changes
+++ b/skopeo.changes
@@ -1,8 +1,21 @@
+-------------------------------------------------------------------
+Thu Feb  6 08:51:23 UTC 2025 - Dan Čermák <dcermak@suse.com>
+
+- Add patches for CVE-2024-6104 & CVE-2023-45288
+
+  Add patches:
+  * 0001-http2-close-connections-when-receiving-too-many-head.patch (CVE-2023-45288, bsc#1236483)
+  * 0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch (CVE-2024-6104, bsc#1227056)
+
+  Remove patch:
+  * 0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+    Skopeo is not affected by the CVE-2024-9676, thus this patch is not necessary
+
 -------------------------------------------------------------------
 Tue Oct 29 06:25:15 UTC 2024 - Madhankumar Chellamuthu <madhankumar.chellamuthu@suse.com>

 - Add patch for CVE-2024-9676 (bsc#1231698)
-  * 0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch  
+  * 0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch

 -------------------------------------------------------------------
 Mon May 20 13:43:43 UTC 2024 - danish.prakash@suse.com
--- a/skopeo.spec
+++ b/skopeo.spec
@@ -29,7 +29,8 @@ URL:            https://%project
 Source:         %{name}-%{version}.tar.xz
 Source1:        skopeo.rpmlintrc
 Requires:       libcontainers-common
-Patch0:         0001-Use-securejoin.SecureJoin-when-forming-userns-paths.patch
+Patch0:         0001-http2-close-connections-when-receiving-too-many-head.patch
+Patch1:         0002-Switch-hashicorp-go-retryablehttp-to-the-SUSE-fork.patch
 BuildRequires:  bash
 BuildRequires:  device-mapper-devel >= 1.2.68
 BuildRequires:  glib2-devel