[AUTO-CHERRYPICK] Fix CVE-2022-32149 in libcontainers-common - branch main (#10396)

CBL-Mariner-Bot · sindhu-karri · web-flow · commit 105469e37dab · 2024-09-13T17:45:17.000-04:00
Co-authored-by: sindhu-karri &lt;33163197+sindhu-karri@users.noreply.github.com&gt;
diff --git a/SPECS/libcontainers-common/CVE-2022-32149.patch b/SPECS/libcontainers-common/CVE-2022-32149.patch
@@ -0,0 +1,35 @@
+From 7ee36713a66401f828dfe476196ca290f7c23ffe Mon Sep 17 00:00:00 2001
+From: Sindhu Karri <lakarri@microsoft.com>
+Date: Wed, 28 Aug 2024 05:01:17 +0000
+Subject: [PATCH] Fix CVE-2022-32149
+
+---
+ vendor/golang.org/x/text/language/parse.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
+index 11acfd8..11d11f4 100644
+--- a/vendor/golang.org/x/text/language/parse.go
++++ b/vendor/golang.org/x/text/language/parse.go
+@@ -133,6 +133,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
+ }
+ 
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+ 
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -150,6 +151,10 @@ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
+ 
+ 		entry, weight := split(entry, ';')
+ 
++	if strings.Count(s, "-") > 1000 {
++		return nil, nil, errTagListTooLarge
++	}
++
+ 		// Scan the language.
+ 		t, err := Parse(entry)
+ 		if err != nil {
+-- 
+2.33.8
+
diff --git a/SPECS/libcontainers-common/libcontainers-common.spec b/SPECS/libcontainers-common/libcontainers-common.spec
@@ -26,7 +26,7 @@
 Summary:        Configuration files common to github.com/containers
 Name:           libcontainers-common
 Version:        20210626
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        ASL 2.0 AND GPLv3
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -51,6 +51,7 @@ Patch0:         CVE-2021-44716.patch
 #Note (mfrw): The patch for CVE-2024-37298 only applies to podman.
 Patch1:         CVE-2024-37298.patch
 Patch2:         CVE-2021-43565.patch
+Patch3:         CVE-2022-32149.patch
 BuildRequires:  go-go-md2man
 Requires(post): grep
 Requires(post): util-linux
@@ -68,9 +69,11 @@ github.com/containers libraries, such as Buildah, CRI-O, Podman and Skopeo.
 
 %setup -q -T -D -b 7 -n podman-%{podmanver}
 %patch 1 -p1
+%patch 3 -p1
 
 %setup -q -T -D -b 9 -n common-%{commonver}
 %patch 0 -p1
+%patch 3 -p1
 
 # copy the LICENSE file in the build root
 %patch 2 -p1 -d ../podman-%{podmanver}
@@ -168,6 +171,9 @@ fi
 %license LICENSE
 
 %changelog
+* Tue Aug 27 2024 Sindhu Karri <lakarri@microsoft.com> - 20210626-6
+- Patch CVE-2022-32149
+
 * Mon Jul 29 2024 Archana Choudhary <archana1@microsoft.com> - 20210626-5
 - Patch CVE-2021-43565
 
