[AUTO-CHERRYPICK] cri-o: add patch for CVE-2024-44337 [Medium] - branch main (#13148)

CBL-Mariner-Bot · arc9693 · jslobodzian · web-flow · commit 6f5f1ed3371f · 2025-03-28T13:42:15.000-04:00
Co-authored-by: Archana Choudhary &lt;36061892+arc9693@users.noreply.github.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/cri-o/CVE-2024-44337.patch b/SPECS/cri-o/CVE-2024-44337.patch
@@ -0,0 +1,19 @@
+# From: Archana Choudhary <archana1@microsoft.com>
+# Date: Wed, 9 Oct 2024 09:54:22 -0400
+# Subject: [PATCH] Fixes CVE-2024-44337
+# Backported(fixed fuzzing) from the original patch by Krzysztof Kowalczyk <kkowalczyk@gmail.com>
+# Source: https://github.com/gomarkdown/markdown/commit/a2a9c4f76ef5a5c32108e36f7c47f8d310322252
+
+--- a/vendor/github.com/gomarkdown/markdown/parser/block.go.orig	2021-04-26 00:00:00.000000000 +0000
++++ b/vendor/github.com/gomarkdown/markdown/parser/block.go	2024-11-06 09:25:11.349954099 +0000
+@@ -1825,7 +1825,9 @@
+ 			if p.extensions&DefinitionLists != 0 {
+ 				if i < len(data)-1 && data[i+1] == ':' {
+ 					listLen := p.list(data[prev:], ast.ListTypeDefinition, 0)
+-					return prev + listLen
++					if listLen > 0 {
++						return prev + listLen
++					}
+ 				}
+ 			}
+ 
diff --git a/SPECS/cri-o/cri-o.spec b/SPECS/cri-o/cri-o.spec
@@ -26,7 +26,7 @@ Summary:        OCI-based implementation of Kubernetes Container Runtime Interfa
 # Define macros for further referenced sources
 Name:           cri-o
 Version:        1.22.3
-Release:        11%{?dist}
+Release:        12%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -73,7 +73,8 @@ Patch17:        CVE-2024-9341.patch
 Patch18:        CVE-2024-45338.patch
 Patch19:        CVE-2023-0778.patch
 Patch20:        CVE-2023-6476.patch
-Patch21:        CVE-2025-27144.patch
+Patch21:        CVE-2024-44337.patch
+Patch22:        CVE-2025-27144.patch
 BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
@@ -226,9 +227,12 @@ mkdir -p /opt/cni/bin
 %{_fillupdir}/sysconfig.kubelet
 
 %changelog
-* Fri Mar 21 2025 Dallas Delaney <dadelan@microsoft.com> - 1.22.3-11
+* Fri Mar 21 2025 Dallas Delaney <dadelan@microsoft.com> - 1.22.3-12
 - Add patch for CVE-2025-27144
 
+* Fri Mar 21 2025 Archana Choudhary <archana1@microsoft.com> - 1.22.3-11
+- Add patch for CVE-2024-44337
+
 * Thu Jan 23 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.22.3-10
 - Add patch for CVE-2023-0778 & CVE-2023-6476.
 
