diff --git a/SPECS/jx/CVE-2023-45288.patch b/SPECS/jx/CVE-2023-45288.patch new file mode 100644 index 00000000000..4d53dfb5125 --- /dev/null +++ b/SPECS/jx/CVE-2023-45288.patch @@ -0,0 +1,83 @@ +From 63b4ddd633bde166d2b2800dbc6ad6a64f77b838 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 10 Jan 2024 13:41:39 -0800 +Subject: [PATCH] http2: close connections when receiving too many headers + +Maintaining HPACK state requires that we parse and process +all HEADERS and CONTINUATION frames on a connection. +When a request's headers exceed MaxHeaderBytes, we don't +allocate memory to store the excess headers but we do +parse them. This permits an attacker to cause an HTTP/2 +endpoint to read arbitrary amounts of data, all associated +with a request which is going to be rejected. + +Set a limit on the amount of excess header frames we +will process before closing a connection. + +Thanks to Bartek Nowotarski for reporting this issue. + +Fixes CVE-2023-45288 +Fixes golang/go#65051 + +Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 +Reviewed-by: Dmitri Shuralyov +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Than McIntosh +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go +index c1f6b90..175c154 100644 +--- a/vendor/golang.org/x/net/http2/frame.go ++++ b/vendor/golang.org/x/net/http2/frame.go +@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + if size > remainSize { + hdec.SetEmitEnabled(false) + mh.Truncated = true ++ remainSize = 0 + return + } + remainSize -= size +@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + var hc headersOrContinuation = hf + for { + frag := hc.HeaderBlockFragment() ++ ++ // Avoid parsing large amounts of headers that we will then discard. ++ // If the sender exceeds the max header list size by too much, ++ // skip parsing the fragment and close the connection. ++ // ++ // "Too much" is either any CONTINUATION frame after we've already ++ // exceeded the max header list size (in which case remainSize is 0), ++ // or a frame whose encoded size is more than twice the remaining ++ // header list bytes we're willing to accept. ++ if int64(len(frag)) > int64(2*remainSize) { ++ if VerboseLogs { ++ log.Printf("http2: header list too large") ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ ++ // Also close the connection after any CONTINUATION frame following an ++ // invalid header, since we stop tracking the size of the headers after ++ // an invalid one. ++ if invalid != nil { ++ if VerboseLogs { ++ log.Printf("http2: invalid header: %v", invalid) ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ + if _, err := hdec.Write(frag); err != nil { + return nil, ConnectionError(ErrCodeCompression) + } diff --git a/SPECS/jx/jx.spec b/SPECS/jx/jx.spec index f5ca795cca0..0409fe120c9 100644 --- a/SPECS/jx/jx.spec +++ b/SPECS/jx/jx.spec @@ -1,7 +1,7 @@ Summary: Command line tool for working with Jenkins X. Name: jx Version: 3.2.236 -Release: 18%{?dist} +Release: 19%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -29,6 +29,7 @@ Source0: https://github.com/jenkins-x/jx/archive/v%{version}.tar.gz#/%{na Source1: %{name}-%{version}-vendor.tar.gz Patch0: CVE-2023-44487.patch Patch1: CVE-2021-44716.patch +Patch2: CVE-2023-45288.patch BuildRequires: golang %global debug_package %{nil} @@ -71,6 +72,9 @@ make test && \ %{_bindir}/jx %changelog +* Thu Aug 22 2024 Sumedh Sharma - 3.2.236-19 +- Add patch to resolve CVE-2023-45288 + * Wed Jul 17 2024 Muhammad Falak R Wani - 3.2.236-18 - Drop requirement on a specific version of golang