containerized-data-importer: add patch for CVE-2022-2879 (#9799)

trungams · web-flow · commit 0ad4af6e7457 · 2024-07-11T13:48:39.000-07:00
Signed-off-by: Thien Trung Vuong &lt;tvuong@microsoft.com&gt;
diff --git a/SPECS/containerized-data-importer/CVE-2022-2879.patch b/SPECS/containerized-data-importer/CVE-2022-2879.patch
@@ -0,0 +1,95 @@
+From 042465900fcbb246c602c856ccd924ddf093947e Mon Sep 17 00:00:00 2001
+From: Muhammad Falak R Wani <falakreyaz@gmail.com>
+Date: Tue, 9 Jul 2024 19:27:30 +0530
+Subject: [PATCH] archive/tar: limit size of headers
+
+Set a 1MiB limit on special file blocks (PAX headers, GNU long names,
+GNU link names), to avoid reading arbitrarily large amounts of data
+into memory.
+
+Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting
+this issue.
+
+Fixes CVE-2022-2879
+Updates #54853
+Fixes #55925
+
+Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
+Signed-off-by: Thien Trung Vuong <tvuong@microsoft.com>
+---
+ .../vbatts/tar-split/archive/tar/format.go         |  4 ++++
+ .../vbatts/tar-split/archive/tar/reader.go         | 14 ++++++++++++--
+ .../vbatts/tar-split/archive/tar/writer.go         |  3 +++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/format.go b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+index 1f89d0c..6097798 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/format.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/format.go
+@@ -143,6 +143,10 @@ const (
+ 	blockSize  = 512 // Size of each block in a tar stream
+ 	nameSize   = 100 // Max length of the name field in USTAR format
+ 	prefixSize = 155 // Max length of the prefix field in USTAR format
++
++	// Max length of a special file (PAX header, GNU long name or link).
++	// This matches the limit used by libarchive.
++	maxSpecialFileSize = 1 << 20
+ )
+ 
+ // blockPadding computes the number of bytes needed to pad offset up to the
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+index af006fc..2baa0d5 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/reader.go
+@@ -139,7 +139,7 @@ func (tr *Reader) next() (*Header, error) {
+ 			continue // This is a meta header affecting the next header
+ 		case TypeGNULongName, TypeGNULongLink:
+ 			format.mayOnlyBe(FormatGNU)
+-			realname, err := ioutil.ReadAll(tr)
++			realname, err := readSpecialFile(tr)
+ 			if err != nil {
+ 				return nil, err
+ 			}
+@@ -333,7 +333,7 @@ func mergePAX(hdr *Header, paxHdrs map[string]string) (err error) {
+ // parsePAX parses PAX headers.
+ // If an extended header (type 'x') is invalid, ErrHeader is returned
+ func parsePAX(r io.Reader) (map[string]string, error) {
+-	buf, err := ioutil.ReadAll(r)
++	buf, err := readSpecialFile(r)
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -884,6 +884,16 @@ func tryReadFull(r io.Reader, b []byte) (n int, err error) {
+ 	return n, err
+ }
+ 
++// readSpecialFile is like io.ReadAll except it returns
++// ErrFieldTooLong if more than maxSpecialFileSize is read.
++func readSpecialFile(r io.Reader) ([]byte, error) {
++	buf, err := io.ReadAll(io.LimitReader(r, maxSpecialFileSize+1))
++	if len(buf) > maxSpecialFileSize {
++		return nil, ErrFieldTooLong
++	}
++	return buf, err
++}
++
+ // discard skips n bytes in r, reporting an error if unable to do so.
+ func discard(tr *Reader, n int64) error {
+ 	var seekSkipped, copySkipped int64
+diff --git a/vendor/github.com/vbatts/tar-split/archive/tar/writer.go b/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
+index e80498d..893eac0 100644
+--- a/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
++++ b/vendor/github.com/vbatts/tar-split/archive/tar/writer.go
+@@ -199,6 +199,9 @@ func (tw *Writer) writePAXHeader(hdr *Header, paxHdrs map[string]string) error {
+ 			flag = TypeXHeader
+ 		}
+ 		data := buf.String()
++		if len(data) > maxSpecialFileSize {
++			return ErrFieldTooLong
++		}
+ 		if err := tw.writeRawFile(name, data, flag, FormatPAX); err != nil || isGlobal {
+ 			return err // Global headers return here
+ 		}
+-- 
+2.40.1
+
diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec
@@ -18,14 +18,15 @@
 Summary:        Container native virtualization
 Name:           containerized-data-importer
 Version:        1.57.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 Group:          System/Packages
 URL:            https://github.com/kubevirt/containerized-data-importer
 Source0:        https://github.com/kubevirt/containerized-data-importer/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0:         CVE-2024-3727.patch
+Patch1:         CVE-2022-2879.patch
 BuildRequires:  golang
 BuildRequires:  golang-packaging
 BuildRequires:  libnbd-devel
@@ -200,6 +201,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m
 %{_datadir}/cdi/manifests
 
 %changelog
+* Wed Jul 10 2024 Thien Trung Vuong <tvuong@microsoft.com> - 1.57.0-3
+- Address CVE-2022-2879 by patching vendored github.com/vbatss/tar-split
+
 * Thu Jun 06 2024 Brian Fjeldstad <bfjelds@microsoft.com> - 1.57.0-2
 - Address CVE-2024-3727 by patching vendored github.com/containers/image
 
