[AUTO-CHERRYPICK] Fix CVE-2024-24786 in multiple packages by patching - branch 3.0-dev (#11285)

Co-authored-by: Bala <kumaran.4353@gmail.com>

Author: CBL-Mariner-Bot

SPECS/cf-cli/CVE-2024-24786.patch

@@ -0,0 +1,152 @@
+From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001
+From: bala <balakumaran.kannan@microsoft.com>
+Date: Mon, 25 Nov 2024 16:47:53 +0000
+Subject: [PATCH] Vendor patch applied
+
+---
+ .../protobuf/encoding/protojson/decode.go     | 12 ++++
+ .../encoding/protojson/well_known_types.go    | 59 +++++++------------
+ .../protobuf/internal/encoding/json/decode.go |  2 +-
+ 3 files changed, 33 insertions(+), 40 deletions(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
+index 5f28148..67fe4e7 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
+@@ -11,6 +11,7 @@ import (
+ 	"strconv"
+ 	"strings"
+ 
++	"google.golang.org/protobuf/encoding/protowire"
+ 	"google.golang.org/protobuf/internal/encoding/json"
+ 	"google.golang.org/protobuf/internal/encoding/messageset"
+ 	"google.golang.org/protobuf/internal/errors"
+@@ -47,6 +48,10 @@ type UnmarshalOptions struct {
+ 		protoregistry.MessageTypeResolver
+ 		protoregistry.ExtensionTypeResolver
+ 	}
++	
++	// RecursionLimit limits how deeply messages may be nested.
++	// If zero, a default limit is applied.
++	RecursionLimit int
+ }
+ 
+ // Unmarshal reads the given []byte and populates the given proto.Message
+@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error {
+ 	if o.Resolver == nil {
+ 		o.Resolver = protoregistry.GlobalTypes
+ 	}
++	if o.RecursionLimit == 0 {
++		o.RecursionLimit = protowire.DefaultRecursionLimit
++	}
+ 
+ 	dec := decoder{json.NewDecoder(b), o}
+ 	if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil {
+@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error {
+ 
+ // unmarshalMessage unmarshals a message into the given protoreflect.Message.
+ func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error {
++	d.opts.RecursionLimit--
++	if d.opts.RecursionLimit < 0 {
++		return errors.New("exceeded max recursion depth")
++	}
+ 	if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil {
+ 		return unmarshal(d, m)
+ 	}
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 6c37d41..4b177c8 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error {
+ 	// Use another decoder to parse the unread bytes for @type field. This
+ 	// avoids advancing a read from current decoder because the current JSON
+ 	// object may contain the fields of the embedded type.
+-	dec := decoder{d.Clone(), UnmarshalOptions{}}
++	dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}}
+ 	tok, err := findTypeURL(dec)
+ 	switch err {
+ 	case errEmptyObject:
+@@ -308,48 +308,29 @@ Loop:
+ // array) in order to advance the read to the next JSON value. It relies on
+ // the decoder returning an error if the types are not in valid sequence.
+ func (d decoder) skipJSONValue() error {
+-	tok, err := d.Read()
+-	if err != nil {
+-		return err
+-	}
+-	// Only need to continue reading for objects and arrays.
+-	switch tok.Kind() {
+-	case json.ObjectOpen:
+-		for {
+-			tok, err := d.Read()
+-			if err != nil {
+-				return err
+-			}
+-			switch tok.Kind() {
+-			case json.ObjectClose:
+-				return nil
+-			case json.Name:
+-				// Skip object field value.
+-				if err := d.skipJSONValue(); err != nil {
+-					return err
+-				}
+-			}
++	var open int
++	for {
++		tok, err := d.Read()
++		if err != nil {
++			return err
+ 		}
+-
+-	case json.ArrayOpen:
+-		for {
+-			tok, err := d.Peek()
+-			if err != nil {
+-				return err
+-			}
+-			switch tok.Kind() {
+-			case json.ArrayClose:
+-				d.Read()
+-				return nil
+-			default:
+-				// Skip array item.
+-				if err := d.skipJSONValue(); err != nil {
+-					return err
+-				}
++		switch tok.Kind() {
++		case json.ObjectClose, json.ArrayClose:
++			open--
++		case json.ObjectOpen, json.ArrayOpen:
++			open++
++			if open > d.opts.RecursionLimit {
++				return errors.New("exceeded max recursion depth")
+ 			}
++		case json.EOF:
++			// This can only happen if there's a bug in Decoder.Read.
++			// Avoid an infinite loop if this does happen.
++			return errors.New("unexpected EOF")
++		}
++		if open == 0 {
++			return nil
+ 		}
+ 	}
+-	return nil
+ }
+ 
+ // unmarshalAnyValue unmarshals the given custom-type message from the JSON
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index d043a6e..d2b3ac0 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+ 
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
++			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.39.4
+

SPECS/cf-cli/cf-cli.spec

@@ -5,7 +5,7 @@ Summary:        The official command line client for Cloud Foundry.
 Name:           cf-cli
 # Note: Upgrading the package also warrants an upgrade in the CF_BUILD_SHA
 Version:        8.7.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -32,6 +32,7 @@ Source0:        https://github.com/cloudfoundry/cli/archive/refs/tags/v%{version
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        cli-%{version}-vendor.tar.gz
 Patch0:         CVE-2023-39325.patch
+Patch1:         CVE-2024-24786.patch
 
 BuildRequires:  golang >= 1.18.3
 %global debug_package %{nil}
@@ -44,6 +45,7 @@ The official command line client for Cloud Foundry.
 %setup -q -n cli-%{version}
 tar --no-same-owner -xf %{SOURCE1}
 %patch 0 -p1
+%patch 1 -p1
 
 %build
 export GOPATH=%{our_gopath}
@@ -65,6 +67,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf
 %{_bindir}/cf
 
 %changelog
+* Mon Nov 25 2024 Bala <balakumaran.kannan@microsoft.com> - 8.7.3-3
+- Fix CVE-2024-24786
+
 * Mon Jul 29 2024 Muhammad Falak <mwani@microsoft.com> - 8.7.3-2
 - Fix CF_BUILD_SHA to have correct build sha in the binary
 - Move Source1 un-taring in prep section

SPECS/containerd/CVE-2024-24786.patch

@@ -0,0 +1,152 @@
+From 1576982839ab9771784526720ed0a2f4a2aa2280 Mon Sep 17 00:00:00 2001
+From: bala <balakumaran.kannan@microsoft.com>
+Date: Mon, 25 Nov 2024 16:47:53 +0000
+Subject: [PATCH] Vendor patch applied
+
+---
+ .../protobuf/encoding/protojson/decode.go     | 12 ++++
+ .../encoding/protojson/well_known_types.go    | 59 +++++++------------
+ .../protobuf/internal/encoding/json/decode.go |  2 +-
+ 3 files changed, 33 insertions(+), 40 deletions(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
+index 5f28148..67fe4e7 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/decode.go
+@@ -11,6 +11,7 @@ import (
+ 	"strconv"
+ 	"strings"
+ 
++	"google.golang.org/protobuf/encoding/protowire"
+ 	"google.golang.org/protobuf/internal/encoding/json"
+ 	"google.golang.org/protobuf/internal/encoding/messageset"
+ 	"google.golang.org/protobuf/internal/errors"
+@@ -47,6 +48,10 @@ type UnmarshalOptions struct {
+ 		protoregistry.MessageTypeResolver
+ 		protoregistry.ExtensionTypeResolver
+ 	}
++	
++	// RecursionLimit limits how deeply messages may be nested.
++	// If zero, a default limit is applied.
++	RecursionLimit int
+ }
+ 
+ // Unmarshal reads the given []byte and populates the given proto.Message
+@@ -67,6 +72,9 @@ func (o UnmarshalOptions) unmarshal(b []byte, m proto.Message) error {
+ 	if o.Resolver == nil {
+ 		o.Resolver = protoregistry.GlobalTypes
+ 	}
++	if o.RecursionLimit == 0 {
++		o.RecursionLimit = protowire.DefaultRecursionLimit
++	}
+ 
+ 	dec := decoder{json.NewDecoder(b), o}
+ 	if err := dec.unmarshalMessage(m.ProtoReflect(), false); err != nil {
+@@ -114,6 +122,10 @@ func (d decoder) syntaxError(pos int, f string, x ...interface{}) error {
+ 
+ // unmarshalMessage unmarshals a message into the given protoreflect.Message.
+ func (d decoder) unmarshalMessage(m protoreflect.Message, skipTypeURL bool) error {
++	d.opts.RecursionLimit--
++	if d.opts.RecursionLimit < 0 {
++		return errors.New("exceeded max recursion depth")
++	}
+ 	if unmarshal := wellKnownTypeUnmarshaler(m.Descriptor().FullName()); unmarshal != nil {
+ 		return unmarshal(d, m)
+ 	}
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index 6c37d41..4b177c8 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -176,7 +176,7 @@ func (d decoder) unmarshalAny(m protoreflect.Message) error {
+ 	// Use another decoder to parse the unread bytes for @type field. This
+ 	// avoids advancing a read from current decoder because the current JSON
+ 	// object may contain the fields of the embedded type.
+-	dec := decoder{d.Clone(), UnmarshalOptions{}}
++	dec := decoder{d.Clone(), UnmarshalOptions{RecursionLimit: d.opts.RecursionLimit}}
+ 	tok, err := findTypeURL(dec)
+ 	switch err {
+ 	case errEmptyObject:
+@@ -308,48 +308,29 @@ Loop:
+ // array) in order to advance the read to the next JSON value. It relies on
+ // the decoder returning an error if the types are not in valid sequence.
+ func (d decoder) skipJSONValue() error {
+-	tok, err := d.Read()
+-	if err != nil {
+-		return err
+-	}
+-	// Only need to continue reading for objects and arrays.
+-	switch tok.Kind() {
+-	case json.ObjectOpen:
+-		for {
+-			tok, err := d.Read()
+-			if err != nil {
+-				return err
+-			}
+-			switch tok.Kind() {
+-			case json.ObjectClose:
+-				return nil
+-			case json.Name:
+-				// Skip object field value.
+-				if err := d.skipJSONValue(); err != nil {
+-					return err
+-				}
+-			}
++	var open int
++	for {
++		tok, err := d.Read()
++		if err != nil {
++			return err
+ 		}
+-
+-	case json.ArrayOpen:
+-		for {
+-			tok, err := d.Peek()
+-			if err != nil {
+-				return err
+-			}
+-			switch tok.Kind() {
+-			case json.ArrayClose:
+-				d.Read()
+-				return nil
+-			default:
+-				// Skip array item.
+-				if err := d.skipJSONValue(); err != nil {
+-					return err
+-				}
++		switch tok.Kind() {
++		case json.ObjectClose, json.ArrayClose:
++			open--
++		case json.ObjectOpen, json.ArrayOpen:
++			open++
++			if open > d.opts.RecursionLimit {
++				return errors.New("exceeded max recursion depth")
+ 			}
++		case json.EOF:
++			// This can only happen if there's a bug in Decoder.Read.
++			// Avoid an infinite loop if this does happen.
++			return errors.New("unexpected EOF")
++		}
++		if open == 0 {
++			return nil
+ 		}
+ 	}
+-	return nil
+ }
+ 
+ // unmarshalAnyValue unmarshals the given custom-type message from the JSON
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index d043a6e..d2b3ac0 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+ 
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
++			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.39.4
+

SPECS/containerd/containerd.spec

@@ -4,7 +4,7 @@
 Summary: Industry-standard container runtime
 Name: containerd
 Version: 1.7.13
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: ASL 2.0
 Group: Tools/Container
 URL: https://www.containerd.io
@@ -18,6 +18,7 @@ Patch0:  Makefile.patch
 Patch1:  fix_tests_for_golang1.21.patch
 Patch2:	 CVE-2023-44487.patch
 Patch3:  CVE-2023-47108.patch
+Patch4:  CVE-2024-24786.patch
 
 %{?systemd_requires}
 
@@ -87,6 +88,9 @@ fi
 %dir /opt/containerd/lib
 
 %changelog
+* Mon Nov 25 2024 Bala <balakumaran.kannan@microsoft.com> - 1.7.13-5
+- Fix CVE-2024-24786
+
 * Tue Oct 15 2024 Muhammad Falak <mwani@microsoft.com> - 1.7.13-4
 - Pin golang version to <= 1.22