From ac59afa04af1a7107ae4f37e92501a9b700e76d6 Mon Sep 17 00:00:00 2001 From: nicolas guibourge Date: Tue, 12 Nov 2024 20:07:12 -0500 Subject: [PATCH] [3.0] prometheus - Fix CVE-2023-45288 (#10956) Co-authored-by: CBL-Mariner Servicing Account Co-authored-by: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com> Co-authored-by: Andrew Phelps --- SPECS/prometheus/CVE-2023-45288.patch | 86 +++++++++++++++++++++++++++ SPECS/prometheus/prometheus.spec | 8 ++- 2 files changed, 92 insertions(+), 2 deletions(-) create mode 100644 SPECS/prometheus/CVE-2023-45288.patch diff --git a/SPECS/prometheus/CVE-2023-45288.patch b/SPECS/prometheus/CVE-2023-45288.patch new file mode 100644 index 00000000000..95295abb442 --- /dev/null +++ b/SPECS/prometheus/CVE-2023-45288.patch @@ -0,0 +1,86 @@ +From 87bba52321835fa92f7c91be1b8eef89a93d2506 Mon Sep 17 00:00:00 2001 +From: Damien Neil +Date: Wed, 10 Jan 2024 13:41:39 -0800 +Subject: [PATCH] http2: close connections when receiving too many headers + +Maintaining HPACK state requires that we parse and process +all HEADERS and CONTINUATION frames on a connection. +When a request's headers exceed MaxHeaderBytes, we don't +allocate memory to store the excess headers but we do +parse them. This permits an attacker to cause an HTTP/2 +endpoint to read arbitrary amounts of data, all associated +with a request which is going to be rejected. + +Set a limit on the amount of excess header frames we +will process before closing a connection. + +Thanks to Bartek Nowotarski for reporting this issue. + +Fixes CVE-2023-45288 +Fixes golang/go#65051 + +Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6 +Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527 +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +Reviewed-on: https://go-review.googlesource.com/c/net/+/576155 +Reviewed-by: Dmitri Shuralyov +Auto-Submit: Dmitri Shuralyov +Reviewed-by: Than McIntosh +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++ + 1 file changed, 31 insertions(+) + +diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go +index c1f6b90..175c154 100644 +--- a/vendor/golang.org/x/net/http2/frame.go ++++ b/vendor/golang.org/x/net/http2/frame.go +@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + if size > remainSize { + hdec.SetEmitEnabled(false) + mh.Truncated = true ++ remainSize = 0 + return + } + remainSize -= size +@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) { + var hc headersOrContinuation = hf + for { + frag := hc.HeaderBlockFragment() ++ ++ // Avoid parsing large amounts of headers that we will then discard. ++ // If the sender exceeds the max header list size by too much, ++ // skip parsing the fragment and close the connection. ++ // ++ // "Too much" is either any CONTINUATION frame after we've already ++ // exceeded the max header list size (in which case remainSize is 0), ++ // or a frame whose encoded size is more than twice the remaining ++ // header list bytes we're willing to accept. ++ if int64(len(frag)) > int64(2*remainSize) { ++ if VerboseLogs { ++ log.Printf("http2: header list too large") ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ ++ // Also close the connection after any CONTINUATION frame following an ++ // invalid header, since we stop tracking the size of the headers after ++ // an invalid one. ++ if invalid != nil { ++ if VerboseLogs { ++ log.Printf("http2: invalid header: %v", invalid) ++ } ++ // It would be nice to send a RST_STREAM before sending the GOAWAY, ++ // but the struture of the server's frame writer makes this difficult. ++ return nil, ConnectionError(ErrCodeProtocol) ++ } ++ + if _, err := hdec.Write(frag); err != nil { + return nil, ConnectionError(ErrCodeCompression) + } +-- +2.44.0 + diff --git a/SPECS/prometheus/prometheus.spec b/SPECS/prometheus/prometheus.spec index f07a3425355..c9707573e09 100644 --- a/SPECS/prometheus/prometheus.spec +++ b/SPECS/prometheus/prometheus.spec @@ -4,7 +4,7 @@ Summary: Prometheus monitoring system and time series database Name: prometheus Version: 2.45.4 -Release: 3%{?dist} +Release: 4%{?dist} License: Apache-2.0 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -18,7 +18,8 @@ Source5: prometheus.logrotate Source6: promu-%{promu_version}.tar.gz # Debian patch for default settings Patch0: 02-Default_settings.patch -Patch1: CVE-2024-6104.patch +Patch1: CVE-2023-45288.patch +Patch2: CVE-2024-6104.patch BuildRequires: golang BuildRequires: nodejs BuildRequires: nodejs-npm @@ -135,6 +136,9 @@ fi %doc README.md RELEASE.md documentation %changelog +* Wed Nov 06 2024 Nicolas Guibourge - 2.45.4-4 +- Fix CVE-2023-45288 + * Fri Aug 02 2024 Bala - 2.45.4-3 - Fix CVE-2024-6104 by patching vendor gomodule