
Commit 2fc76b5

authored
prometheus-adapter: Fix CVE-2024-24786 (#9125)
1 parent 4310410 commit 2fc76b5

2 files changed

Lines changed: 57 additions & 1 deletion


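--- /dev/null
+++ b/CVE-2024-24786.patch
@@ -0,0 +1,52 @@
+From 6d8650a5d365c3f80dcf3cd32681dc9c33a04f2d Mon Sep 17 00:00:00 2001
+From: Rohit Rawat <xordux@gmail.com>
+Date: Thu, 16 May 2024 18:12:11 +0000
+Subject: [PATCH] protobuf-go: Fix CVE-2024-24786
+
+---
+.../protobuf/encoding/protojson/well_known_types.go | 8 ++++++++
+.../protobuf/internal/encoding/json/decode.go | 2 +-
+2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 72924a9..95562c0 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
+if err := d.skipJSONValue(); err != nil {
+return err
+}
++ case json.EOF:
++ // This can only happen if there's a bug in Decoder.Read.
++ // Avoid an infinite loop if this does happen.
++ return errors.New("unexpected EOF")
+}
+}
+
+@@ -341,6 +345,10 @@ func (d decoder) skipJSONValue() error {
+case json.ArrayClose:
+d.Read()
+return nil
++ case json.EOF:
++ // This can only happen if there's a bug in Decoder.Read.
++ // Avoid an infinite loop if this does happen.
++ return errors.New("unexpected EOF")
+default:
+// Skip array item.
+if err := d.skipJSONValue(); err != nil {
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+
+case ObjectClose:
+if len(d.openStack) == 0 ||
+- d.lastToken.kind == comma ||
++ d.lastToken.kind&(Name|comma) != 0 ||
+d.openStack[len(d.openStack)-1] != ObjectOpen {
+return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+}
+--
+2.33.8
+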
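Review bot: Patching the two vendored protobuf-go files in place (the embedded diffstat lists only those two) leaves go.mod, go.sum and vendor/modules.txt recording the original google.golang.org/protobuf version, so scanners that assess exposure from module metadata may keep reporting CVE-2024-24786 against this package even though the skipJSONValue and Decoder.Read code paths are fixed. If that matters for the distro's vulnerability tracking, either bump the vendored module outright or document the in-place fix where the CVE is tracked. The patch header also gives no provenance for the backport; a line such as `Upstream-Status: Backport [<upstream protobuf-go fix reference — placeholder>]` would let maintainers verify the hunks against the original fix. The added `case json.EOF` branches rely on the `errors` identifier already imported by well_known_types.go providing a `New` function; that import is outside the hunks shown and should be confirmed when the patch is applied.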
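--- a/SPECS/prometheus-adapter/prometheus-adapter.spec
+++ b/SPECS/prometheus-adapter/prometheus-adapter.spec
@@ -1,12 +1,13 @@
 Summary: Kubernetes Custom, Resource, and External Metric APIs implemented to work with Prometheus.
 Name: prometheus-adapter
 Version: 0.10.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
 URL: https://github.com/kubernetes-sigs/prometheus-adapter
 Source0: https://github.com/kubernetes-sigs/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0: CVE-2024-24786.patch
 BuildRequires: golang
 
 %description
@@ -41,6 +42,9 @@ make test
 %doc README.md RELEASE.md
 
 %changelog
+* Thu May 16 2024 Rohit Rawat <rohitrawat@microsoft.com> - 0.10.0-12
+- Fix CVE-2024-24786
+
 * Fri Feb 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.10.0-11
 - Bump release to rebuild with go 1.21.6
 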
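Review bot: Patch0 is declared at new line 10, but neither hunk reaches %prep, so it is not visible whether the patch is actually applied; rpmbuild does not apply a PatchN declaration by itself, only `%autosetup -p1`/`%autopatch` or an explicit `%patch0 -p1` does. If %prep uses a plain `%setup`, this release would ship the changelog entry and release bump without the fix. Please confirm %prep (outside the shown hunks) and, if it lacks an autosetup/autopatch line, add `%patch0 -p1` after it. The patch touches paths under vendor/, so it should also be checked to apply cleanly against the vendor tree in the v0.10.0 Source0 tarball rather than against a module cache.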