[Medium] grpc: Fix CVE-2024-25629 (#12324)

v-smalavathu · rikenm1 · jslobodzian · jslobodzian · commit 05836216399a · 2025-02-27T11:17:22.000-05:00
Signed-off-by: Sreenivasulu Malavathula &lt;v-smalavathu@microsoft.com&gt;
Co-authored-by: Riken Maharjan &lt;106988478+rikenm1@users.noreply.github.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/grpc/CVE-2024-25629.patch b/SPECS/grpc/CVE-2024-25629.patch
@@ -0,0 +1,31 @@
+From 664fc964bf2dac86c3adbedb5d9d9e0e46d1c79d Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula <v-smalavathu@microsoft.com>
+Date: Sun, 9 Feb 2025 12:50:08 -0600
+Subject: [PATCH] Address CVE-2024-25629
+
+---
+ third_party/cares/cares/ares__read_line.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/third_party/cares/cares/ares__read_line.c b/third_party/cares/cares/ares__read_line.c
+index c62ad2a2..d6625a38 100644
+--- a/third_party/cares/cares/ares__read_line.c
++++ b/third_party/cares/cares/ares__read_line.c
+@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
+       if (!fgets(*buf + offset, bytestoread, fp))
+         return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
+       len = offset + strlen(*buf + offset);
++
++      /* Probably means there was an embedded NULL as the first character in
++       * the line, throw away line */
++      if (len == 0) {
++        offset = 0;
++        continue;
++      }
++
+       if ((*buf)[len - 1] == '\n')
+         {
+           (*buf)[len - 1] = 0;
+--
+2.45.2
+
diff --git a/SPECS/grpc/grpc.spec b/SPECS/grpc/grpc.spec
@@ -1,7 +1,7 @@
 Summary:        Open source remote procedure call (RPC) framework
 Name:           grpc
 Version:        1.42.0
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,6 +11,7 @@ Source0:        https://github.com/grpc/grpc/archive/v%{version}/%{name}-%{versi
 Source1:        %{name}-%{version}-submodules.tar.gz
 
 Patch0:         CVE-2023-32067.patch
+Patch1:         CVE-2024-25629.patch
 BuildRequires:  abseil-cpp-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  cmake
@@ -151,6 +152,9 @@ export GRPC_PYTHON_BUILD_SYSTEM_ABSL=True
 
 
 %changelog
+* Wed Feb 12 2025 Sreeniavsulu Malavathula <v-smalavathu@microsoft.com> - 1.42.0-9
+- Patch to fix CVE-2024-25629.patch in the grpc submodules package
+
 * Mon Dec 10 2024 Ankita Pareek <ankitapareek@microsoft.com> - 1.42.0-8
 - Address CVE-2023-32067 in the grpc submodules package
 
