Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 65 additions & 0 deletions SPECS/packer/CVE-2022-3064.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,65 @@
From 0360b25ae53f9398cfca462f91698d1887a1ae76 Mon Sep 17 00:00:00 2001
From: Pawel Winogrodzki <pawelwi@microsoft.com>
Date: Mon, 1 Jul 2024 16:33:53 -0700
Subject: [PATCH] Port CVE-2022-3064 fix from go-yaml to zclconf.

This patch is ported from go-yaml's fix for CVE-2022-3064:
https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5

The patch only applies to "scannerc.go", which seems to have been
copied from go-yaml by zclconf.
---
.../github.com/zclconf/go-cty-yaml/scannerc.go | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

diff --git a/vendor/github.com/zclconf/go-cty-yaml/scannerc.go b/vendor/github.com/zclconf/go-cty-yaml/scannerc.go
index ea82e3e..8eb8303 100644
--- a/vendor/github.com/zclconf/go-cty-yaml/scannerc.go
+++ b/vendor/github.com/zclconf/go-cty-yaml/scannerc.go
@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool {
return true
}

+// max_flow_level limits the flow_level
+const max_flow_level = 10000
+
// Increase the flow level and resize the simple key list if needed.
func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
// Reset the simple key on the next level.
@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {

// Increase the flow level.
parser.flow_level++
+ if parser.flow_level > max_flow_level {
+ return yaml_parser_set_scanner_error(parser,
+ "while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark,
+ fmt.Sprintf("exceeded max depth of %d", max_flow_level))
+ }
return true
}

@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool {
return true
}

+// max_indents limits the indents stack size
+const max_indents = 10000
+
// Push the current indentation level to the stack and set the new level
// the current column is greater than the indentation level. In this case,
// append or insert the specified token into the token queue.
@@ -939,6 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml
// indentation level.
parser.indents = append(parser.indents, parser.indent)
parser.indent = column
+ if len(parser.indents) > max_indents {
+ return yaml_parser_set_scanner_error(parser,
+ "while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark,
+ fmt.Sprintf("exceeded max depth of %d", max_indents))
+ }

// Create a token and insert it into the queue.
token := yaml_token_t{
--
2.34.1

152 changes: 152 additions & 0 deletions SPECS/packer/CVE-2024-24786.patch
Original file line number Diff line number Diff line change
@@ -0,0 +1,152 @@
From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001
From: bala <balakumaran.kannan@microsoft.com>
Date: Mon, 25 Nov 2024 16:47:53 +0000
Subject: [PATCH] Vendor patch applied

---
.../protobuf/encoding/protojson/decode.go | 12 ++++
.../encoding/protojson/well_known_types.go | 59 +++++++------------
.../protobuf/internal/encoding/json/decode.go | 2 +-
3 files changed, 33 insertions(+), 40 deletions(-)

diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
index 5f28148..67fe4e7 100644
--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
+++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
@@ -11,6 +11,7 @@ import (
"strconv"
"strings"

+ "google.golang.org/protobuf/encoding/protowire"
"google.golang.org/protobuf/internal/encoding/json"
"google.golang.org/protobuf/internal/encoding/messageset"
"google.golang.org/protobuf/internal/errors"
@@ -47,6 +48,10 @@ type UnmarshalOptions struct {
protoregistry.MessageTypeResolver
protoregistry.ExtensionTypeResolver
}
+
+ // RecursionLimit limits how deeply messages may be nested.
+ // If zero, a default limit is applied.
+ RecursionLimit int
}

// Unmarshal reads the given []byte and populates the given proto.Message
@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error {
if o.Resolver == nil {
o.Resolver = protoregistry.GlobalTypes
}
+ if o.RecursionLimit == 0 {
+ o.RecursionLimit = protowire.DefaultRecursionLimit
+ }

dec := decoder{json.NewDecoder(b), o}
if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil {
@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error {

// unmarshalMessage unmarshals a message into the given protoreflect.Message.
func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error {
+ d.opts.RecursionLimit--
+ if d.opts.RecursionLimit < 0 {
+ return errors.New("exceeded max recursion depth")
+ }
if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil {
return unmarshal(d, m)
}
diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
index 6c37d41..4b177c8 100644
--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error {
// Use another decoder to parse the unread bytes for @type field. This
// avoids advancing a read from current decoder because the current JSON
// object may contain the fields of the embedded type.
- dec := decoder{d.Clone(), UnmarshalOptions{}}
+ dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}}
tok, err := findTypeURL(dec)
switch err {
case errEmptyObject:
@@ -308,48 +308,29 @@ Loop:
// array) in order to advance the read to the next JSON value. It relies on
// the decoder returning an error if the types are not in valid sequence.
func (d decoder) skipJSONValue() error {
- tok, err := d.Read()
- if err != nil {
- return err
- }
- // Only need to continue reading for objects and arrays.
- switch tok.Kind() {
- case json.ObjectOpen:
- for {
- tok, err := d.Read()
- if err != nil {
- return err
- }
- switch tok.Kind() {
- case json.ObjectClose:
- return nil
- case json.Name:
- // Skip object field value.
- if err := d.skipJSONValue(); err != nil {
- return err
- }
- }
+ var open int
+ for {
+ tok, err := d.Read()
+ if err != nil {
+ return err
}
-
- case json.ArrayOpen:
- for {
- tok, err := d.Peek()
- if err != nil {
- return err
- }
- switch tok.Kind() {
- case json.ArrayClose:
- d.Read()
- return nil
- default:
- // Skip array item.
- if err := d.skipJSONValue(); err != nil {
- return err
- }
+ switch tok.Kind() {
+ case json.ObjectClose, json.ArrayClose:
+ open--
+ case json.ObjectOpen, json.ArrayOpen:
+ open++
+ if open > d.opts.RecursionLimit {
+ return errors.New("exceeded max recursion depth")
}
+ case json.EOF:
+ // This can only happen if there's a bug in Decoder.Read.
+ // Avoid an infinite loop if this does happen.
+ return errors.New("unexpected EOF")
+ }
+ if open == 0 {
+ return nil
}
}
- return nil
}

// unmarshalAnyValue unmarshals the given custom-type message from the JSON
diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
index d043a6e..d2b3ac0 100644
--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {

case ObjectClose:
if len(d.openStack) == 0 ||
- d.lastToken.kind == comma ||
+ d.lastToken.kind&(Name|comma) != 0 ||
d.openStack[len(d.openStack)-1] != ObjectOpen {
return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
}
--
2.39.4

Loading
Loading