From c1cb84c913577ec3096de546b8782e9f7d2c887c Mon Sep 17 00:00:00 2001
From: Osama Esmail
Date: Mon, 5 Feb 2024 15:22:52 -0800
Subject: [PATCH 1/5] patching flannel
---
 SPECS/flannel/CVE-2021-44716.patch | 50 ++++++++++++++++++++++++++++++
 SPECS/flannel/flannel.spec | 5 ++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/flannel/CVE-2021-44716.patch
diff --git a/SPECS/flannel/CVE-2021-44716.patch b/SPECS/flannel/CVE-2021-44716.patch
new file mode 100644
index 00000000000..45879cb1b9b
--- /dev/null
+++ b/SPECS/flannel/CVE-2021-44716.patch
@@ -0,0 +1,50 @@
+Parent: db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author: Damien Neil
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit: Filippo Valsorda
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda
+Run-TryBot: Filippo Valsorda
+Trust: Damien Neil
+Reviewed-by: Russ Cox
+Reviewed-by: Filippo Valsorda
+TryBot-Result: Gopher Robot
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go 2024-02-05 08:53:30.802532951 -0800
++++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go 2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ sc.canonHeader = make(map[string]string)
+ }
+ cv = http.CanonicalHeaderKey(v)
+- sc.canonHeader[v] = cv
++ // maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++ // entries in the canonHeader cache. This should be larger than the number
++ // of unique, uncommon header keys likely to be sent by the peer, while not
++ // so high as to permit unreaasonable memory usage if the peer sends an unbounded
++ // number of unique header keys.
++ const maxCachedCanonicalHeaders = 32
++ if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++ sc.canonHeader[v] = cv
++ }
+ return cv
+ }
\ No newline at end of file
diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec
index e2239921e12..752b175933c 100644
--- a/SPECS/flannel/flannel.spec
+++ b/SPECS/flannel/flannel.spec
@@ -4,7 +4,7 @@
 Summary: Simple and easy way to configure a layer 3 network fabric designed for Kubernetes
 Name: flannel
 Version: 0.14.0
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -48,6 +48,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld
 %{_bindir}/flanneld
 %changelog
+* Mon Feb 5 2024 Osama Esmail - 0.14.0-21
+- Patching CVE-2021-44716
+
 * Wed Oct 18 2023 Minghe Ren - 0.14.0-20
 - Bump release to rebuild against glibc 2.35-6
From ed737c409a0033e2c57f4630c1a8252eb79f525b Mon Sep 17 00:00:00 2001
From: Osama Esmail
Date: Mon, 5 Feb 2024 15:47:29 -0800
Subject: [PATCH 2/5] dummy move
---
 SPECS/flannel/flannel.spec | 1 +
 1 file changed, 1 insertion(+)
diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec
index 752b175933c..0e254598235 100644
--- a/SPECS/flannel/flannel.spec
+++ b/SPECS/flannel/flannel.spec
@@ -12,6 +12,7 @@ Group: System Environment/Libraries
 URL: https://github.com/flannel-io/flannel
 #Source0: https://github.com/flannel-io/flannel/archive/refs/tags/v0.14.0.tar.gz
 Source0: %{name}-%{version}.tar.gz
+Patch0: CVE-2021-44717.patch
 BuildRequires: gcc
 BuildRequires: glibc-devel
From 5eb13f2d9aee853fd43f0480344d61adfea0b1a5 Mon Sep 17 00:00:00 2001
From: Osama Esmail
Date: Mon, 5 Feb 2024 15:57:25 -0800
Subject: [PATCH 3/5] fat finger
---
 SPECS/flannel/flannel.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec
index 0e254598235..deb44267238 100644
--- a/SPECS/flannel/flannel.spec
+++ b/SPECS/flannel/flannel.spec
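Review bot: The embedded hunk header `@@ -720,7 +720,15 @@` announces 7 old and 15 new lines, but only 6 and 14 follow it before the file ends, and its paths name `cli-20.10.27/vendor/golang.org/x/net/http2/server.go` rather than flannel's tree, so the patch looks copied from another package and depends on the patch tool tolerating a truncated hunk and a possible line offset. I would regenerate it against the unpacked flannel 0.14.0 sources so the header reads `diff -ru <flannel-src>-orig/vendor/golang.org/x/net/http2/server.go <flannel-src>/vendor/golang.org/x/net/http2/server.go` (placeholder directory names) and the trailing context line is present. The cap only bounds the cache in the vendored golang.org/x/net/http2 server; the HTTP/2 code bundled into the standard library's net/http is fixed by the Go toolchain version, so it is worth confirming which of the two flanneld actually serves with. The enclosing function starts before the embedded hunk.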
@@ -12,7 +12,7 @@ Group: System Environment/Libraries
 URL: https://github.com/flannel-io/flannel
 #Source0: https://github.com/flannel-io/flannel/archive/refs/tags/v0.14.0.tar.gz
 Source0: %{name}-%{version}.tar.gz
-Patch0: CVE-2021-44717.patch
+Patch0: CVE-2021-44716.patch
 BuildRequires: gcc
 BuildRequires: glibc-devel
From 90866cba273aadc53b702759a2212d08c8c03dd0 Mon Sep 17 00:00:00 2001
From: Osama Esmail
Date: Mon, 5 Feb 2024 16:10:59 -0800
Subject: [PATCH 4/5] try again
---
 SPECS/flannel/CVE-2021-44716.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/flannel/CVE-2021-44716.patch b/SPECS/flannel/CVE-2021-44716.patch
index 45879cb1b9b..5c871692014 100644
--- a/SPECS/flannel/CVE-2021-44716.patch
+++ b/SPECS/flannel/CVE-2021-44716.patch
@@ -47,4 +47,4 @@ diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/
 + sc.canonHeader[v] = cv
 + }
 return cv
- }
\ No newline at end of file
+ }
From 8aa33bd89e8afbc84f26fa7ce19032a7f8e742a8 Mon Sep 17 00:00:00 2001
From: osamaesmailmsft <110202916+osamaesmailmsft@users.noreply.github.com>
Date: Mon, 5 Feb 2024 16:42:05 -0800
Subject: [PATCH 5/5] Update SPECS/flannel/flannel.spec
Co-authored-by: Tobias Brick <39196763+tobiasb-ms@users.noreply.github.com>
---
 SPECS/flannel/flannel.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/flannel/flannel.spec b/SPECS/flannel/flannel.spec
index deb44267238..62540610585 100644
--- a/SPECS/flannel/flannel.spec
+++ b/SPECS/flannel/flannel.spec
@@ -49,7 +49,7 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./dist/flanneld
 %{_bindir}/flanneld
 %changelog
-* Mon Feb 5 2024 Osama Esmail - 0.14.0-21
+* Mon Feb 05 2024 Osama Esmail - 0.14.0-21
 - Patching CVE-2021-44716
 * Wed Oct 18 2023 Minghe Ren - 0.14.0-20
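Review bot: `Patch0: CVE-2021-44716.patch` is declared here, but no hunk in this series touches `%prep`, so the diff alone does not show that the patch is ever applied. If `%prep` uses a plain `%setup`, the tag is inert and the 0.14.0-21 changelog entry would claim a fix the binary does not contain; it then needs `%autosetup -p1`, or an explicit `%patch0 -p1` after `%setup`. Strip level 1 is what the embedded paths (`cli-20.10.27/vendor/...`) require. A build log showing the patch applying cleanly to `vendor/golang.org/x/net/http2/server.go` would settle it.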