-
Notifications
You must be signed in to change notification settings - Fork 522
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fixes CVE-22-32149 by backporting the fix as a patch file
- Loading branch information
Showing
2 changed files
with
73 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,66 @@ | ||
From 434eadcdbc3b0256971992e8c70027278364c72c Mon Sep 17 00:00:00 2001 | ||
From: Roland Shoemaker <[email protected]> | ||
Date: Fri, 2 Sep 2022 09:35:37 -0700 | ||
Subject: [PATCH] language: reject excessively large Accept-Language strings | ||
|
||
The BCP 47 tag parser has quadratic time complexity due to inherent | ||
aspects of its design. Since the parser is, by design, exposed to | ||
untrusted user input, this can be leveraged to force a program to | ||
consume significant time parsing Accept-Language headers. | ||
|
||
The parser cannot be easily rewritten to fix this behavior for | ||
various reasons. Instead the solution implemented in this CL is to | ||
limit the total complexity of tags passed into ParseAcceptLanguage | ||
by limiting the number of dashes in the string to 1000. This should | ||
be more than enough for the majority of real world use cases, where | ||
the number of tags being sent is likely to be in the single digits. | ||
|
||
Thanks to the OSS-Fuzz project for discovering this issue and to Adam | ||
Korczynski (ADA Logics) for writing the fuzz case and for reporting the | ||
issue. | ||
|
||
Fixes CVE-2022-32149 | ||
Fixes golang/go#56152 | ||
|
||
Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae | ||
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112 | ||
Reviewed-by: Damien Neil <[email protected]> | ||
Reviewed-by: Tatiana Bradley <[email protected]> | ||
Reviewed-on: https://go-review.googlesource.com/c/text/+/442235 | ||
TryBot-Result: Gopher Robot <[email protected]> | ||
Auto-Submit: Roland Shoemaker <[email protected]> | ||
Run-TryBot: Roland Shoemaker <[email protected]> | ||
|
||
Modified to apply to vendored code by: Jiri Appl <[email protected]> | ||
- Adjusted paths | ||
- Removed reference to parse_test.go | ||
--- | ||
vendor/golang.org/x/text/language/parse.go | 5 +++++ | ||
1 files changed, 18 insertions(+) | ||
|
||
diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go | ||
index 59b0410..b982d9e 100644 | ||
--- a/vendor/golang.org/x/text/language/parse.go | ||
+++ b/vendor/golang.org/x/text/language/parse.go | ||
@@ -147,6 +147,7 @@ func update(b *language.Builder, part ...interface{}) (err error) { | ||
} | ||
|
||
var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight") | ||
+var errTagListTooLarge = errors.New("tag list exceeds max length") | ||
|
||
// ParseAcceptLanguage parses the contents of an Accept-Language header as | ||
// defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and | ||
@@ -164,6 +165,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) { | ||
} | ||
}() | ||
|
||
+ if strings.Count(s, "-") > 1000 { | ||
+ return nil, nil, errTagListTooLarge | ||
+ } | ||
+ | ||
var entry string | ||
for s != "" { | ||
if entry, s = split(s, ','); entry == "" { | ||
-- | ||
2.34.1 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,7 @@ | ||
Summary: The official command line client for Cloud Foundry. | ||
Name: cf-cli | ||
Version: 8.4.0 | ||
Release: 20%{?dist} | ||
Release: 21%{?dist} | ||
License: Apache-2.0 | ||
Vendor: Microsoft Corporation | ||
Distribution: Mariner | ||
|
@@ -30,6 +30,9 @@ Source1: cli-%{version}-vendor.tar.gz | |
Patch0: CVE-2023-44487.patch | ||
Patch1: CVE-2021-44716.patch | ||
Patch2: CVE-2021-43565.patch | ||
# Produced by git clone https://github.com/golang/text && cd text && | ||
# git checkout 434eadcdbc3b0256971992e8c70027278364c72c && git format-patch -1 HEAD | ||
Patch3: CVE-2022-32149.patch | ||
|
||
BuildRequires: golang | ||
%global debug_package %{nil} | ||
|
@@ -64,6 +67,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf | |
%{_bindir}/cf | ||
|
||
%changelog | ||
* Tue Sep 17 2024 Jiri Appl <[email protected]> - 8.4.0-21 | ||
- Patch CVE-2022-32149 bringing upstream patch over the vendored golang.org/x/text module | ||
|
||
* Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 8.4.0-20 | ||
- Bump release to rebuild with go 1.22.7 | ||
|
||
|