git-lfs: upgrade version 3.4.1 -> 3.5.1 to address CVE-2023-39325 & CVE-2023-45288 (#8871)

mfrw · web-flow · commit c83b0e8eb1af · 2024-04-23T20:29:08.000+05:30
Signed-off-by: Muhammad Falak R Wani &lt;falakreyaz@gmail.com&gt;
diff --git a/SPECS/git-lfs/CVE-2023-45288.patch b/SPECS/git-lfs/CVE-2023-45288.patch
@@ -0,0 +1,89 @@
+From 18bc0c1f8e741738490aa0a8415c372db4b20d62 Mon Sep 17 00:00:00 2001
+From: Muhammad Falak R Wani <falakreyaz@gmail.com>
+Date: Tue, 23 Apr 2024 10:07:19 +0530
+Subject: [PATCH] http2: close connections when receiving too many headers
+
+Adapted by @mfrw to apply on vendor directory for v0.17 to drop test
+files
+
+Maintaining HPACK state requires that we parse and process
+all HEADERS and CONTINUATION frames on a connection.
+When a request's headers exceed MaxHeaderBytes, we don't
+allocate memory to store the excess headers but we do
+parse them. This permits an attacker to cause an HTTP/2
+endpoint to read arbitrary amounts of data, all associated
+with a request which is going to be rejected.
+Set a limit on the amount of excess header frames we
+will process before closing a connection.
+
+Thanks to Bartek Nowotarski for reporting this issue.
+
+Fixes CVE-2023-45288
+Fixes golang/go#65051
+
+Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Than McIntosh <thanm@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
+---
+ vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index c1f6b90..175c154 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
++++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -1565,6 +1565,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 		if size > remainSize {
+ 			hdec.SetEmitEnabled(false)
+ 			mh.Truncated = true
++			remainSize = 0
+ 			return
+ 		}
+ 		remainSize -= size
+@@ -1577,6 +1578,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 	var hc headersOrContinuation = hf
+ 	for {
+ 		frag := hc.HeaderBlockFragment()
++
++		// Avoid parsing large amounts of headers that we will then discard.
++		// If the sender exceeds the max header list size by too much,
++		// skip parsing the fragment and close the connection.
++		//
++		// "Too much" is either any CONTINUATION frame after we've already
++		// exceeded the max header list size (in which case remainSize is 0),
++		// or a frame whose encoded size is more than twice the remaining
++		// header list bytes we're willing to accept.
++		if int64(len(frag)) > int64(2*remainSize) {
++			if VerboseLogs {
++				log.Printf("http2: header list too large")
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, ConnectionError(ErrCodeProtocol)
++		}
++
++		// Also close the connection after any CONTINUATION frame following an
++		// invalid header, since we stop tracking the size of the headers after
++		// an invalid one.
++		if invalid != nil {
++			if VerboseLogs {
++				log.Printf("http2: invalid header: %v", invalid)
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, ConnectionError(ErrCodeProtocol)
++		}
++
+ 		if _, err := hdec.Write(frag); err != nil {
+ 			return nil, ConnectionError(ErrCodeCompression)
+ 		}
+-- 
+2.40.1
+
diff --git a/SPECS/git-lfs/git-lfs.signatures.json b/SPECS/git-lfs/git-lfs.signatures.json
@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "git-lfs-3.4.1-vendor.tar.gz": "a7b525a15b71a92ab789853a172345a4e4815de71ebe3486d5b843651b74cf1e",
-  "git-lfs-3.4.1.tar.gz": "2a36239d7968ae18e1ba2820dc664c4ef753f10bf424f98bccaf44d527f19a17"
+  "git-lfs-3.5.1-vendor.tar.gz": "ebe825559dba3bdc835ad510ed8c3468c9933f945086406a4ec6b79fd31bc104",
+  "git-lfs-3.5.1.tar.gz": "d682a12c0bc48d08d28834dd0d575c91d53dd6c6db63c45c2db7c3dd2fb69ea4"
  }
-}
+}
diff --git a/SPECS/git-lfs/git-lfs.spec b/SPECS/git-lfs/git-lfs.spec
@@ -1,7 +1,7 @@
 %global debug_package %{nil}
 Summary:       Git extension for versioning large files
 Name:          git-lfs
-Version:       3.4.1
+Version:       3.5.1
 Release:       1%{?dist}
 Group:         System Environment/Programming
 Vendor:        Microsoft Corporation
@@ -28,6 +28,7 @@ Source0:       https://github.com/git-lfs/git-lfs/archive/v%{version}.tar.gz#/%{
 #         See: https://reproducible-builds.org/docs/archives/
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:       %{name}-%{version}-vendor.tar.gz
+Patch0:        CVE-2023-45288.patch
 
 BuildRequires: golang
 BuildRequires: which
@@ -41,10 +42,11 @@ Requires:      git
 Git LFS is a command line extension and specification for managing large files with Git
 
 %prep
-%autosetup
+%autosetup -N
 
 %build
 tar --no-same-owner -xf %{SOURCE1}
+%autopatch -p1 
 export GOPATH=%{our_gopath}
 export GOFLAGS="-buildmode=pie -trimpath -mod=vendor -modcacherw -ldflags=-linkmode=external"
 go generate ./commands
@@ -77,6 +79,10 @@ git lfs uninstall
 %{_mandir}/man5/*
 
 %changelog
+* Tue Apr 23 2024 Muhammad Falak <mwani@microsoft.com> - 3.5.1-1
+- Bump version to 3.5.1 to address CVE-2023-39325
+- Introduce patch to address CVE-2023-45288
+
 * Thu Apr 18 2024 Andrew Phelps <anphel@microsoft.com> - 3.4.1-1
 - Bump version to 3.4.1 based on AZL3 spec
 - Add BR on asciidoctor & drop un-needed BR
diff --git a/cgmanifest.json b/cgmanifest.json
@@ -4290,8 +4290,8 @@
         "type": "other",
         "other": {
           "name": "git-lfs",
-          "version": "3.4.1",
-          "downloadUrl": "https://github.com/git-lfs/git-lfs/archive/v3.4.1.tar.gz"
+          "version": "3.5.1",
+          "downloadUrl": "https://github.com/git-lfs/git-lfs/archive/v3.5.1.tar.gz"
         }
       }
     },

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`		`- "git-lfs-3.4.1-vendor.tar.gz": "a7b525a15b71a92ab789853a172345a4e4815de71ebe3486d5b843651b74cf1e",`
`4`		`- "git-lfs-3.4.1.tar.gz": "2a36239d7968ae18e1ba2820dc664c4ef753f10bf424f98bccaf44d527f19a17"`
	`3`	`+ "git-lfs-3.5.1-vendor.tar.gz": "ebe825559dba3bdc835ad510ed8c3468c9933f945086406a4ec6b79fd31bc104",`
	`4`	`+ "git-lfs-3.5.1.tar.gz": "d682a12c0bc48d08d28834dd0d575c91d53dd6c6db63c45c2db7c3dd2fb69ea4"`
`5`	`5`	`}`
`6`		`-}`
	`6`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -4290,8 +4290,8 @@`
`4290`	`4290`	`"type": "other",`
`4291`	`4291`	`"other": {`
`4292`	`4292`	`"name": "git-lfs",`
`4293`		`- "version": "3.4.1",`
`4294`		`- "downloadUrl": "https://github.com/git-lfs/git-lfs/archive/v3.4.1.tar.gz"`
	`4293`	`+ "version": "3.5.1",`
	`4294`	`+ "downloadUrl": "https://github.com/git-lfs/git-lfs/archive/v3.5.1.tar.gz"`
`4295`	`4295`	`}`
`4296`	`4296`	`}`
`4297`	`4297`	`},`