containerized-data-importer: add patch for CVE-2022-2879 (#9799)
Signed-off-by: Thien Trung Vuong <[email protected]>
Showing
2 changed files
with
100 additions
and
1 deletion.
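--- /dev/null
+++ b/CVE-2022-2879.patch
@@ -0,0 +1,95 @@
+From 042465900fcbb246c602c856ccd924ddf093947e Mon Sep 17 00:00:00 2001
+From: Muhammad Falak R Wani <[email protected]>
+Date: Tue, 9 Jul 2024 19:27:30 +0530
+Subject: [PATCH] archive/tar: limit size of headers
+
+Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
+GNU link names), to avoid reading arbitrarily large amounts of data
+into memory.
+
+Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
+this issue.
+
+Fixes CVE-2022-2879
+Updates #54853
+Fixes #55925
+
+Signed-off-by: Muhammad Falak R Wani <[email protected]>
+Signed-off-by: Thien Trung Vuong <[email protected]>
+---
+.../vbatts/tar-split/archive/tar/format.go | 4 ++++
+.../vbatts/tar-split/archive/tar/reader.go | 14 ++++++++++++--
+.../vbatts/tar-split/archive/tar/writer.go | 3 +++
+3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/format.go b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+index 1f89d0c..6097798 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/format.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+@@ -143,6 +143,10 @@ const (
+blockSize = 512 // Size of each block in a tar stream
+nameSize = 100 // Max length of the name field in USTAR format
+prefixSize = 155 // Max length of the prefix field in USTAR format
++
++ // Max length of a special file (PAX header, GNU long name or link).
++ // This matches the limit used by libarchive.
++ maxSpecialFileSize = 1 << 20
+)
+
+// blockPadding computes the number of bytes needed to pad offset up to the
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index af006fc..2baa0d5 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -139,7 +139,7 @@ func (tr *Reader) next() (*Header, error) {
+continue // This is a meta header affecting the next header
+case TypeGNULongName, TypeGNULongLink:
+format.mayOnlyBe(FormatGNU)
+- realname, err := ioutil.ReadAll(tr)
++ realname, err := readSpecialFile(tr)
+if err != nil {
+return nil, err
+}
+@@ -333,7 +333,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) {
+// parsePAX parses PAX headers.
+// If an extended header (type 'x') is invalid, ErrHeader is returned
+func parsePAX(r io.Reader) (map[string]string, error) {
+- buf, err := ioutil.ReadAll(r)
++ buf, err := readSpecialFile(r)
+if err != nil {
+return nil, err
+}
+@@ -884,6 +884,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) {
+return n, err
+}
+
++// readSpecialFile is like io.ReadAll except it returns
++// ErrFieldTooLong if more than maxSpecialFileSize is read.
++func readSpecialFile(r io.Reader) ([]byte, error) {
++ buf, err := io.ReadAll(io.LimitReader(r, maxSpecialFileSize+1))
++ if len(buf) > maxSpecialFileSize {
++ return nil, ErrFieldTooLong
++ }
++ return buf, err
++}
++
+// discard skips n bytes in r, reporting an error if unable to do so.
+func discard(tr *Reader, n int64) error {
+var seekSkipped, copySkipped int64
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/writer.go b/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
+index e80498d..893eac0 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
+@@ -199,6 +199,9 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error {
+flag = TypeXHeader
+}
+data := buf.String()
++ if len(data) > maxSpecialFileSize {
++ return ErrFieldTooLong
++ }
+if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal {
+return err // Global headers return here
+}
+--
+2.40.1
+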
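Review bot: Replacing both `ioutil.ReadAll` calls in reader.go with `readSpecialFile` (which is built on `io.ReadAll`) leaves the file's `io/ioutil` import untouched, and none of the reader.go hunks show whether anything else still references it; if those two calls were the only uses, the vendored package stops compiling with an unused import, so confirm another `ioutil` reference survives (the `discard` function whose header closes the third reader.go hunk continues outside it) or remove the import in the same patch. The helper itself is sound: `io.LimitReader(r, maxSpecialFileSize+1)` reads at most one byte beyond the cap, and the `len(buf) > maxSpecialFileSize` check converts that into `ErrFieldTooLong` before any caller sees the oversized buffer, which is the memory-exhaustion fix the commit message describes. Note that this hardens only the vendored `github.com/vbatts/tar-split` copy of archive/tar; any standard-library `archive/tar` use in the same binaries is covered by the Go toolchain's own fix, and the spec's unversioned `BuildRequires: golang` does not pin a toolchain that carries it.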
@@ -18,14 +18,15 @@ | |
Summary: Container native virtualization | ||
Name: containerized-data-importer | ||
Version: 1.57.0 | ||
Release: 2%{?dist} | ||
Release: 3%{?dist} | ||
License: ASL 2.0 | ||
Vendor: Microsoft Corporation | ||
Distribution: Azure Linux | ||
Group: System/Packages | ||
URL: https://github.com/kubevirt/containerized-data-importer | ||
Source0: https://github.com/kubevirt/containerized-data-importer/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz | ||
Patch0: CVE-2024-3727.patch | ||
Patch1: CVE-2022-2879.patch | ||
BuildRequires: golang | ||
BuildRequires: golang-packaging | ||
BuildRequires: libnbd-devel | ||
|
@@ -200,6 +201,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m | |
%{_datadir}/cdi/manifests | ||
|
||
%changelog | ||
* Wed Jul 10 2024 Thien Trung Vuong <[email protected]> - 1.57.0-3 | ||
- Address CVE-2022-2879 by patching vendored github.com/vbatss/tar-split | ||
|
||
* Thu Jun 06 2024 Brian Fjeldstad <[email protected]> - 1.57.0-2 | ||
- Address CVE-2024-3727 by patching vendored github.com/containers/image | ||
|
||
|
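Review bot: The new changelog entry `- Address CVE-2022-2879 by patching vendored github.com/vbatss/tar-split` misspells the module path; the patch file in this same commit names `github.com/vbatts/tar-split`, so the line should read `- Address CVE-2022-2879 by patching vendored github.com/vbatts/tar-split`. The first hunk declares `Patch1: CVE-2022-2879.patch`, but the `%prep` section that applies patches lies outside both hunks; confirm it applies every `Patch` entry (for example `%autosetup -p1`) rather than only `%patch0`, otherwise the Release bump to `3%{?dist}` ships without the fix it advertises.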