[AUTO-CHERRYPICK] Patch CVE-2024-24786 in moby-engine - branch main (#11607)

nicogbg · suresh-thelkar · jslobodzian · web-flow · commit 8ee3863336da · 2024-12-20T15:53:00.000-05:00
Co-authored-by: suresh-thelkar &lt;suresh.thelkar@yahoo.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/moby-engine/CVE-2024-24786.patch b/SPECS/moby-engine/CVE-2024-24786.patch
@@ -0,0 +1,43 @@
+From a43fa39c1012862334a186e4c3a9c67e7d111461 Mon Sep 17 00:00:00 2001
+From: Suresh Thelkar <sthelkar@microsoft.com>
+Date: Thu, 5 Dec 2024 10:28:31 +0530
+Subject: [PATCH] Patch for CVE-2024-24786
+
+Upstream patch details are given below.
+https://github.com/protocolbuffers/protobuf-go/commit/f01a588
+---
+ .../protobuf/encoding/protojson/well_known_types.go           | 4 ++++
+ .../protobuf/internal/encoding/json/decode.go                 | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index c85f846..634ba41 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -348,6 +348,10 @@ func (d decoder) skipJSONValue() error {
+ 				}
+ 			}
+ 		}
++	case json.EOF:
++		// This can only happen if there's a bug in Decoder.Read.
++		// Avoid an infinite loop if this does happen.
++		return errors.New("unexpected EOF")
+ 	}
+ 	return nil
+ }
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+ 
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
++			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.34.1
+
diff --git a/SPECS/moby-engine/moby-engine.spec b/SPECS/moby-engine/moby-engine.spec
@@ -3,7 +3,7 @@
 Summary: The open-source application container engine
 Name:    moby-engine
 Version: 24.0.9
-Release: 11%{?dist}
+Release: 13%{?dist}
 License: ASL 2.0
 Group:   Tools/Container
 URL: https://mobyproject.org
@@ -26,6 +26,8 @@ Patch6:  CVE-2024-41110.patch
 Patch7:  CVE-2024-29018.patch
 Patch8:  CVE-2024-36621.patch
 Patch9:  CVE-2024-36623.patch
+Patch10: CVE-2024-45337.patch
+Patch11:  CVE-2024-24786.patch
 
 %{?systemd_requires}
 
@@ -126,6 +128,12 @@ fi
 %{_unitdir}/*
 
 %changelog
+* Thu Dec 19 2024 Suresh Thelkar <sthelkar@microsoft.com> - 24.0.9-13
+- Patch CVE-2024-24786
+
+* Tue Dec 17 2024 Andrew Phelps <anphel@microsoft.com> - 24.0.9-12
+- Add patch for CVE-2024-45337
+
 * Wed Dec 04 2024 Adit Jha <aditjha@microsoft.com> - 24.0.9-11
 - Patch CVE-2024-36621 & CVE-2024-36623
 
