!53 Fix CVE-2024-24786

From: @northgarden Reviewed-by: @wangyueliang Signed-off-by: @wangyueliang
2024-03-25 05:42:22 +00:00 · 2024-03-25 05:42:22 +00:00 · a74034cd19
commit a74034cd19
parent cd9c018e59 65b6c1bfbc
2 changed files with 67 additions and 1 deletions
--- a/0007-fix-CVE-2024-24786.patch
+++ b/0007-fix-CVE-2024-24786.patch
@ -0,0 +1,59 @@
+From 171172b7a8a24104415f1d461da7a839dd9933a3 Mon Sep 17 00:00:00 2001
+From: bwzhang <zhangbowei@kylinos.cn>
+Date: Mon, 25 Mar 2024 10:47:11 +0800
+Subject: [PATCH] fix CVE-2024-24786
+
+encoding/protojson, internal/encoding/json: handle missing object values
+
+In internal/encoding/json, report an error when encountering a }
+when we are expecting an object field value. For example, the input
+ now correctly results in an error at the closing } token.
+
+In encoding/protojson, check for an unexpected EOF token in
+skipJSONValue. This is redundant with the check in internal/encoding/json,
+but adds a bit more defense against any other similar bugs that
+might exist.
+
+Fixes CVE-2024-24786
+
+Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
+Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
+TryBot-Bypass: Damien Neil <dneil@google.com>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Commit-Queue: Damien Neil <dneil@google.com>
+---
+ .../protobuf/encoding/protojson/well_known_types.go           | 4 ++++
+ .../protobuf/internal/encoding/json/decode.go                 | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 72924a9..d3825ba 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
+ 				if err := d.skipJSONValue(); err != nil {
+ 					return err
+ 				}
+			case json.EOF:
+				// This can only happen if there's a bug in Decoder.Read.
+				// Avoid an infinite loop if this does happen.
+				return errors.New("unexpected EOF")
+ 			}
+ 		}
+ 
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+ 
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
+			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.20.1
+
--- a/k3s-containerd.spec
+++ b/k3s-containerd.spec
@ -3,7 +3,7 @@
 %global version_suffix k3s1
 Version:        1.6.6
 Name:           k3s-containerd
-Release:        10
+Release:        11
 Summary:        An industry-standard container runtime
 License:        Apache-2.0
 URL:            https://github.com/k3s-io/containerd
@ -15,6 +15,7 @@ Patch0003:      0003-fix-PLATYPUS-attack-of-RAPL-accessible-to-a-containe.patch
 Patch0004:      0004-fix-CVE-2023-25173.patch
 Patch0005:      0005-fix-CVE-2023-39325.patch
 Patch0006:      0006-fix-CVE-2022-41723.patch
+Patch0007:      0007-fix-CVE-2024-24786.patch

 BuildRequires:  golang glibc-static make btrfs-progs-devel

@ -75,6 +76,12 @@ cp -rf %{_builddir}/containerd-%{version}-%{version_suffix}/. %{buildroot}%{_lib


 %changelog
+* Mon Mar 25 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.6.6-k3s1-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: fix CVE-2024-24786
+
 * Fri Mar 22 2024 zhangbowei <zhangbowei@kylinos.cn> - 1.6.6-k3s1-10
 - Type:bugfix
 - CVE:NA