Merge PR "[AUTO-CHERRYPICK] Patch cni for CVE-2022-32149 [HIGH] and CVE-2024-45338 [MEDIUM] - branch main" #14787

Co-authored-by: kgodara912 <kshigodara@outlook.com>
Co-authored-by: Kshitiz Godara <kgodara@microsoft.com>

Author: 3 people

SPECS/cni/CVE-2022-32149.patch

@@ -0,0 +1,64 @@
+From c170bff65d3f42c52b94b0dbec981f57f696547e Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Fri, 2 Sep 2022 09:35:37 -0700
+Subject: [PATCH] language: reject excessively large Accept-Language strings
+
+The BCP 47 tag parser has quadratic time complexity due to inherent
+aspects of its design. Since the parser is, by design, exposed to
+untrusted user input, this can be leveraged to force a program to
+consume significant time parsing Accept-Language headers.
+
+The parser cannot be easily rewritten to fix this behavior for
+various reasons. Instead the solution implemented in this CL is to
+limit the total complexity of tags passed into ParseAcceptLanguage
+by limiting the number of dashes in the string to 1000. This should
+be more than enough for the majority of real world use cases, where
+the number of tags being sent is likely to be in the single digits.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to Adam
+Korczynski (ADA Logics) for writing the fuzz case and for reporting the
+issue.
+
+Fixes CVE-2022-32149
+Fixes golang/go#56152
+
+Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
+Reviewed-by: Damien Neil <dneil@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Auto-Submit: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+Signed-off-by: Kshitiz Godara <kgodara@microsoft.com>
+Upstream-reference: https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c.patch
+---
+ vendor/golang.org/x/text/language/parse.go | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
+index 11acfd8..3bba19f 100644
+--- a/vendor/golang.org/x/text/language/parse.go
++++ b/vendor/golang.org/x/text/language/parse.go
+@@ -133,6 +133,7 @@ func update(b *language.Builder, part ...interface{}) (err error) {
+ }
+ 
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+ 
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -142,6 +143,10 @@ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
+ // Tags with a weight of zero will be dropped. An error will be returned if the
+ // input could not be parsed.
+ func ParseAcceptLanguage(s string) (tag []Tag, q []float32, err error) {
++	if strings.Count(s, "-") > 1000 {
++		return nil, nil, errTagListTooLarge
++	}
++
+ 	var entry string
+ 	for s != "" {
+ 		if entry, s = split(s, ','); entry == "" {
+-- 
+2.45.4
+

SPECS/cni/CVE-2024-45338.patch

@@ -0,0 +1,82 @@
+From eafb912b15b9713c4f977114d3b25358bcb3066f Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 4 Dec 2024 09:35:55 -0800
+Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Signed-off-by: Kshitiz Godara <kgodara@microsoft.com>
+Upstream-reference: https://github.com/golang/net/commit/8e66b04771e35c4e4125e8c60334b34e2423effb.patch
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ vendor/golang.org/x/net/html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 74774c4..d6aa84d 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 2cd12fc..851dc42 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -1007,7 +1007,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1435,7 +1435,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
+-- 
+2.45.4
+

SPECS/cni/cni.spec

@@ -24,7 +24,7 @@
 Summary:        Container Network Interface - networking for Linux containers
 Name:           cni
 Version:        1.0.1
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -48,6 +48,8 @@ Source2:        build.sh
 #           -cf %%{name}-%%{version}-vendor.tar.gz vendor
 #
 Source3:        %{name}-%{version}-vendor.tar.gz
+Patch0:         CVE-2022-32149.patch
+Patch1:         CVE-2024-45338.patch
 BuildRequires:  golang
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  xz
@@ -66,12 +68,12 @@ range of support and the specification is simple to implement.
 
 %prep
 %setup -q
-cp %{SOURCE2} build.sh
-
-%build
 # create vendor folder from the vendor tarball and set vendor mode
 tar -xf %{SOURCE3} --no-same-owner
+cp %{SOURCE2} build.sh
+%autopatch -p1
 
+%build
 # go1.16+ default is GO111MODULE=on set to auto temporarily
 # until using upstream release with go.mod
 export GO111MODULE=auto
@@ -113,6 +115,9 @@ install -m 755 -d "%{buildroot}%{cni_doc_dir}"
 %{_sbindir}/cnitool
 
 %changelog
+* Mon Sep 08 2025 Kshitiz Godara <kgodara@microsoft.com> - 1.0.1-20
+- Patch for CVE-2022-32149 and CVE-2024-45338
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 1.0.1-19
 - Bump release to rebuild with golang