[AUTO-CHERRYPICK] Patch moby-buildx CVES CVE-2021-43565 CVE-2022-28948 CVE-2022-41723 - branch main (#9891)

Co-authored-by: Cameron E Baird <cameronbaird@microsoft.com>
Co-authored-by: Riken Maharjan <106988478+rikenm1@users.noreply.github.com>

Author: 3 people

SPECS/moby-buildx/CVE-2021-43565.patch

@@ -0,0 +1,43 @@
+From 49e152b4523c7e9ebdf0c0720c79cca78078a8c4 Mon Sep 17 00:00:00 2001
+From: Cameron Baird <cameronbaird@microsoft.com>
+Date: Fri, 12 Jul 2024 20:23:19 +0000
+Subject: [PATCH 1/3] CVE-2021-43565
+
+Upstream fix: 5770296d904e90f15f38f77dfc2e43fdf5efc083
+ssh: don't assume packet plaintext size
+When reading GCM and ChaChaPoly1305 packets, don't make assumptions
+about the size of the enciphered plaintext. This fixes two panics
+caused by standards non-compliant malformed packets.
+---
+ vendor/golang.org/x/crypto/ssh/cipher.go | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
+index 8bd6b3d..ccd82bc 100644
+--- a/vendor/golang.org/x/crypto/ssh/cipher.go
++++ b/vendor/golang.org/x/crypto/ssh/cipher.go
+@@ -394,6 +394,10 @@ func (c *gcmCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error)
+ 	}
+ 	c.incIV()
+ 
++	if len(plain) == 0 {
++		return nil, errors.New("ssh: empty packet")
++	}
++
+ 	padding := plain[0]
+ 	if padding < 4 {
+ 		// padding is a byte, so it automatically satisfies
+@@ -710,6 +714,10 @@ func (c *chacha20Poly1305Cipher) readCipherPacket(seqNum uint32, r io.Reader) ([
+ 	plain := c.buf[4:contentEnd]
+ 	s.XORKeyStream(plain, plain)
+ 
++	if len(plain) == 0 {
++		return nil, errors.New("ssh: empty packet")
++	}
++
+ 	padding := plain[0]
+ 	if padding < 4 {
+ 		// padding is a byte, so it automatically satisfies
+-- 
+2.34.1
+

SPECS/moby-buildx/CVE-2022-28948.patch

@@ -0,0 +1,51 @@
+From 6d8040e5ae88d74d619980a0115a4eb91e47c405 Mon Sep 17 00:00:00 2001
+From: Cameron Baird <cameronbaird@microsoft.com>
+Date: Fri, 12 Jul 2024 20:37:35 +0000
+Subject: [PATCH 2/3] CVE-2022-28948
+
+Upstream fix: 8f96da9f5d5eff988554c1aae1784627c4bf6754
+
+Explicitly check the parser for errors on peek
+It's curious choice from the underlying API to generally return a
+positive result on success, but on this case return true in an error
+scenario.
+---
+ vendor/gopkg.in/yaml.v2/decode.go | 5 ++++-
+ vendor/gopkg.in/yaml.v3/decode.go | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/gopkg.in/yaml.v2/decode.go b/vendor/gopkg.in/yaml.v2/decode.go
+index 129bc2a..7473d4b 100644
+--- a/vendor/gopkg.in/yaml.v2/decode.go
++++ b/vendor/gopkg.in/yaml.v2/decode.go
+@@ -102,7 +102,10 @@ func (p *parser) peek() yaml_event_type_t {
+ 	if p.event.typ != yaml_NO_EVENT {
+ 		return p.event.typ
+ 	}
+-	if !yaml_parser_parse(&p.parser, &p.event) {
++	// It's curious choice from the underlying API to generally return a
++	// positive result on success, but on this case return true in an error
++	// scenario. This was the source of bugs in the past (issue #666).
++	if !yaml_parser_parse(&p.parser, &p.event) || p.parser.error != yaml_NO_ERROR {
+ 		p.fail()
+ 	}
+ 	return p.event.typ
+diff --git a/vendor/gopkg.in/yaml.v3/decode.go b/vendor/gopkg.in/yaml.v3/decode.go
+index df36e3a..f316f51 100644
+--- a/vendor/gopkg.in/yaml.v3/decode.go
++++ b/vendor/gopkg.in/yaml.v3/decode.go
+@@ -100,7 +100,10 @@ func (p *parser) peek() yaml_event_type_t {
+ 	if p.event.typ != yaml_NO_EVENT {
+ 		return p.event.typ
+ 	}
+-	if !yaml_parser_parse(&p.parser, &p.event) {
++	// It's curious choice from the underlying API to generally return a
++	// positive result on success, but on this case return true in an error
++	// scenario. This was the source of bugs in the past (issue #666).
++	if !yaml_parser_parse(&p.parser, &p.event) || p.parser.error != yaml_NO_ERROR {
+ 		p.fail()
+ 	}
+ 	return p.event.typ
+-- 
+2.34.1
+

SPECS/moby-buildx/CVE-2022-41723.patch

@@ -0,0 +1,142 @@
+From 04646b47d5f03ab96a681931a1b93cd12209e6bf Mon Sep 17 00:00:00 2001
+From: Cameron Baird <cameronbaird@microsoft.com>
+Date: Fri, 12 Jul 2024 20:49:14 +0000
+Subject: [PATCH 3/3] CVE-2022-41723
+
+Upstream fix: I58a743df450a4a4923dddd5cf6bb0592b0a7bdf3
+http2/hpack: avoid quadratic complexity in hpack decoding
+
+When parsing a field literal containing two Huffman-encoded strings,
+don't decode the first string until verifying all data is present.
+Avoids forced quadratic complexity when repeatedly parsing a partial 
+field, repeating the Huffman decoding of the string on each iteration.
+---
+ vendor/golang.org/x/net/http2/hpack/hpack.go | 79 ++++++++++++--------
+ 1 file changed, 49 insertions(+), 30 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go
+index 85f18a2..02e80e3 100644
+--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
++++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
+@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 
+ 	var hf HeaderField
+ 	wantStr := d.emitEnabled || it.indexed()
++	var undecodedName undecodedString
+ 	if nameIdx > 0 {
+ 		ihf, ok := d.at(nameIdx)
+ 		if !ok {
+@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 		}
+ 		hf.Name = ihf.Name
+ 	} else {
+-		hf.Name, buf, err = d.readString(buf, wantStr)
++		undecodedName, buf, err = d.readString(buf)
+ 		if err != nil {
+ 			return err
+ 		}
+ 	}
+-	hf.Value, buf, err = d.readString(buf, wantStr)
++	undecodedValue, buf, err := d.readString(buf)
+ 	if err != nil {
+ 		return err
+ 	}
++	if wantStr {
++		if nameIdx <= 0 {
++			hf.Name, err = d.decodeString(undecodedName)
++			if err != nil {
++				return err
++			}
++		}
++		hf.Value, err = d.decodeString(undecodedValue)
++		if err != nil {
++			return err
++		}
++	}
+ 	d.buf = buf
+ 	if it.indexed() {
+ 		d.dynTab.add(hf)
+@@ -459,46 +472,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
+ 	return 0, origP, errNeedMore
+ }
+ 
+-// readString decodes an hpack string from p.
++// readString reads an hpack string from p.
+ //
+-// wantStr is whether s will be used. If false, decompression and
+-// []byte->string garbage are skipped if s will be ignored
+-// anyway. This does mean that huffman decoding errors for non-indexed
+-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
+-// is returning an error anyway, and because they're not indexed, the error
+-// won't affect the decoding state.
+-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
++// It returns a reference to the encoded string data to permit deferring decode costs
++// until after the caller verifies all data is present.
++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
+ 	if len(p) == 0 {
+-		return "", p, errNeedMore
++		return u, p, errNeedMore
+ 	}
+ 	isHuff := p[0]&128 != 0
+ 	strLen, p, err := readVarInt(7, p)
+ 	if err != nil {
+-		return "", p, err
++		return u, p, err
+ 	}
+ 	if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
+-		return "", nil, ErrStringLength
++		// Returning an error here means Huffman decoding errors
++		// for non-indexed strings past the maximum string length
++		// are ignored, but the server is returning an error anyway
++		// and because the string is not indexed the error will not
++		// affect the decoding state.
++		return u, nil, ErrStringLength
+ 	}
+ 	if uint64(len(p)) < strLen {
+-		return "", p, errNeedMore
+-	}
+-	if !isHuff {
+-		if wantStr {
+-			s = string(p[:strLen])
+-		}
+-		return s, p[strLen:], nil
++		return u, p, errNeedMore
+ 	}
++	u.isHuff = isHuff
++	u.b = p[:strLen]
++	return u, p[strLen:], nil
++}
+ 
+-	if wantStr {
+-		buf := bufPool.Get().(*bytes.Buffer)
+-		buf.Reset() // don't trust others
+-		defer bufPool.Put(buf)
+-		if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
+-			buf.Reset()
+-			return "", nil, err
+-		}
++type undecodedString struct {
++	isHuff bool
++	b      []byte
++}
++
++func (d *Decoder) decodeString(u undecodedString) (string, error) {
++	if !u.isHuff {
++		return string(u.b), nil
++	}
++	buf := bufPool.Get().(*bytes.Buffer)
++	buf.Reset() // don't trust others
++	var s string
++	err := huffmanDecode(buf, d.maxStrLen, u.b)
++	if err == nil {
+ 		s = buf.String()
+-		buf.Reset() // be nice to GC
+ 	}
+-	return s, p[strLen:], nil
++	buf.Reset() // be nice to GC
++	bufPool.Put(buf)
++	return s, err
+ }
+-- 
+2.34.1
+

SPECS/moby-buildx/moby-buildx.spec

@@ -5,7 +5,7 @@ Summary:        A Docker CLI plugin for extended build capabilities with BuildKi
 Name:           moby-%{upstream_name}
 # update "commit_hash" above when upgrading version
 Version:        0.7.1
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        ASL 2.0
 Group:          Tools/Container
 Vendor:         Microsoft Corporation
@@ -16,6 +16,9 @@ Source0:        https://github.com/docker/buildx/archive/refs/tags/v%{version}.t
 Patch0:         CVE-2022-21698.patch
 Patch1:         CVE-2023-44487.patch
 Patch2:         CVE-2021-44716.patch
+Patch3:         CVE-2021-43565.patch
+Patch4:         CVE-2022-28948.patch
+Patch5:         CVE-2022-41723.patch
 
 BuildRequires: bash
 BuildRequires: golang
@@ -46,9 +49,14 @@ cp -aT buildx "%{buildroot}/%{_libexecdir}/docker/cli-plugins/docker-buildx"
 %{_libexecdir}/docker/cli-plugins/docker-buildx
 
 %changelog
-* Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 0.7.1-20
+* Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 0.7.1-21
 - Drop requirement on a specific version of golang
 
+* Mon Jul 15 2024 Cameron Baird <cameronbaird@microsoft.com> - 0.7.1-20
+- Address CVE-2021-43565 by patching vendored golang.org/x/crypto/ssh
+- Address CVE-2022-28948 by patching vendored gopkg.in/yaml
+- Address CVE-2022-41723 by patching vendored golang.org/x/net/http2
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 0.7.1-19
 - Bump release to rebuild with go 1.21.11