Cherry-picked fast-track fix for 'local-path-provisioner' (#7725). (#7808)

PawelWMS · web-flow · commit 238a103655ec · 2024-02-09T10:48:04.000-08:00
diff --git a/SPECS/local-path-provisioner/CVE-2021-44716.patch b/SPECS/local-path-provisioner/CVE-2021-44716.patch
@@ -0,0 +1,50 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
++++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
++	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++	// entries in the canonHeader cache. This should be larger than the number
++	// of unique, uncommon header keys likely to be sent by the peer, while not
++	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
++	// number of unique header keys.
++	const maxCachedCanonicalHeaders = 32
++	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++		sc.canonHeader[v] = cv
++	}	
+ 	return cv
+ }
diff --git a/SPECS/local-path-provisioner/local-path-provisioner.spec b/SPECS/local-path-provisioner/local-path-provisioner.spec
@@ -1,7 +1,7 @@
 Summary:        Provides a way for the Kubernetes users to utilize the local storage in each node
 Name:           local-path-provisioner
 Version:        0.0.21
-Release:        14%{?dist}
+Release:        15%{?dist}
 License:        ASL 2.0
 URL:            https://github.com/rancher/local-path-provisioner
 Group:          Applications/Text
@@ -11,6 +11,7 @@ Source0:        https://github.com/rancher/%{name}/archive/refs/tags/v%{version}
 #Note that the source file should be renamed to the format {name}-%{version}.tar.gz
 # Fixed in upstream 0.0.24, so we can remove this patch when we upgrade to that version
 Patch0:         CVE-2022-21698.patch
+Patch1:         CVE-2021-44716.patch
 
 BuildRequires: golang
 
@@ -20,6 +21,7 @@ Provides a way for the Kubernetes users to utilize the local storage in each nod
 %prep
 %setup -q
 %patch 0 -p1 -d vendor/github.com/prometheus/client_golang
+%patch 1 -p1
 
 %build
 export CGO_ENABLED=0
@@ -33,6 +35,9 @@ install local-path-provisioner %{buildroot}%{_bindir}/local-path-provisioner
 %{_bindir}/local-path-provisioner
 
 %changelog
+* Tue Feb 06 2024 Osama Esmail <osamaesmail@microsoft.com> - 0.0.21-15
+- Fix CVE-2021-44716
+
 * Wed Jan 31 2024 Tobias Brick <tobiasb@microsoft.com> - 0.0.21-14
 - Fix CVE-2022-21698
 
