[AUTO-CHERRYPICK] Add patches to address CVE-2021-44716 - branch main (#7875)

Co-authored-by: Nan Liu <108544011+liunan-ms@users.noreply.github.com>
Co-authored-by: Nan Liu <liunan@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/node-problem-detector/CVE-2021-44716.patch

@@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
++++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
++	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++	// entries in the canonHeader cache. This should be larger than the number
++	// of unique, uncommon header keys likely to be sent by the peer, while not
++	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
++	// number of unique header keys.
++	const maxCachedCanonicalHeaders = 32
++	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++		sc.canonHeader[v] = cv
++	}	
+ 	return cv
+ }
+ 

SPECS/node-problem-detector/node-problem-detector.spec

@@ -1,7 +1,7 @@
 Summary:        Kubernetes daemon to detect and report node issues
 Name:           node-problem-detector
 Version:        0.8.10
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,6 +11,7 @@ Source0:        https://github.com/kubernetes/%{name}/archive/refs/tags/v%{versi
 Patch0:         001-remove_arch_specific_makefile_logic.patch
 Patch1:         002-add_mariner_OSVersion.patch
 Patch2:         CVE-2022-21698.patch
+Patch3:         CVE-2021-44716.patch
 BuildRequires:  golang
 BuildRequires:  systemd-devel
 Requires:       mariner-release
@@ -65,6 +66,9 @@ make test
 %config(noreplace) %{_sysconfdir}/node-problem-detector.d/*
 
 %changelog
+* Tue Feb 13 2024 Nan Liu <liunan@microsoft.com> - 0.8.10-20
+- Patch CVE-2021-44716
+
 * Fri Feb 09 2024 Muhammad Falak <mwani@microsoft.com> - 0.8.10-19
 - Bump release to rebuild with go 1.21.6
 

SPECS/prometheus-node-exporter/CVE-2021-44716.patch

@@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
++++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
++	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++	// entries in the canonHeader cache. This should be larger than the number
++	// of unique, uncommon header keys likely to be sent by the peer, while not
++	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
++	// number of unique header keys.
++	const maxCachedCanonicalHeaders = 32
++	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++		sc.canonHeader[v] = cv
++	}	
+ 	return cv
+ }
+ 

SPECS/prometheus-node-exporter/prometheus-node-exporter.spec

@@ -5,7 +5,7 @@
 Summary:        Exporter for machine metrics
 Name:           prometheus-node-exporter
 Version:        1.3.1
-Release:        23%{?dist}
+Release:        24%{?dist}
 # Upstream license specification: Apache-2.0
 License:        ASL 2.0 AND MIT
 Vendor:         Microsoft Corporation
@@ -39,6 +39,7 @@ Patch1:         0001-Refactor-perf-collector.patch
 # Can be removed if we upgrade to prometheus-node-exporter 1.4.0 or later.
 Patch2:         CVE-2022-21698.patch
 Patch3:         CVE-2023-44487.patch
+Patch4:         CVE-2021-44716.patch
 
 BuildRequires:  golang
 BuildRequires:  systemd-rpm-macros
@@ -112,6 +113,9 @@ getent passwd 'prometheus' >/dev/null || useradd -r -g 'prometheus' -d '%{_share
 %dir %attr(0755,prometheus,prometheus) %{_sharedstatedir}/prometheus/node-exporter
 
 %changelog
+* Tue Feb 13 2024 Nan Liu <liunan@microsoft.com> - 1.3.1-24
+- Patch CVE-2021-44716
+
 * Thu Feb 08 2024 Daniel McIlvaney <damcilva@microsoft.com> - 1.3.1-23
 - Address CVE-2023-44487 by patching vendored golang.org/x/net
 

SPECS/prometheus-process-exporter/CVE-2021-44716.patch

@@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
++++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
++	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++	// entries in the canonHeader cache. This should be larger than the number
++	// of unique, uncommon header keys likely to be sent by the peer, while not
++	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
++	// number of unique header keys.
++	const maxCachedCanonicalHeaders = 32
++	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++		sc.canonHeader[v] = cv
++	}	
+ 	return cv
+ }
+ 

SPECS/prometheus-process-exporter/prometheus-process-exporter.spec

@@ -5,7 +5,7 @@
 Summary:        Prometheus exporter exposing process metrics from procfs
 Name:           prometheus-process-exporter
 Version:        0.7.10
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -33,6 +33,7 @@ Patch1:         03-disable-fakescraper.patch
 # Can be removed if we ever update to a version that includes this pull request: https://github.com/ncabatoff/process-exporter/pull/264.
 Patch2:         CVE-2022-21698.patch
 Patch3:         CVE-2023-44487.patch
+Patch4:         CVE-2021-44716.patch
 
 BuildRequires:  golang
 BuildRequires:  systemd-rpm-macros
@@ -101,6 +102,9 @@ getent passwd 'prometheus' >/dev/null || useradd -r -g 'prometheus' -d '%{_share
 %dir %attr(0755,prometheus,prometheus) %{_sharedstatedir}/prometheus
 
 %changelog
+* Tue Feb 13 2024 Nan Liu <liunan@microsoft.com> - 0.7.10-19
+- Patch CVE-2021-44716
+
 * Fri Feb 09 2024 Muhammad Falak <mwani@microsoft.com> - 0.7.10-18
 - Bump release to rebuild with go 1.21.6
 

SPECS/rook/CVE-2021-44716.patch

@@ -0,0 +1,51 @@
+Parent:     db4efeb8 (http2: deflake TestTransportGroupsPendingDials)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2021-12-06 14:31:43 -0800
+Commit:     Filippo Valsorda <filippo@golang.org>
+CommitDate: 2021-12-09 12:49:13 +0000
+
+http2: cap the size of the server's canonical header cache
+
+The HTTP/2 server keeps a per-connection cache mapping header keys
+to their canonicalized form (e.g., "foo-bar" => "Foo-Bar"). Cap the
+maximum size of this cache to prevent a peer sending many unique
+header keys from causing unbounded memory growth.
+
+Cap chosen arbitrarily at 32 entries. Since this cache does not
+include common headers (e.g., "content-type"), 32 seems like more
+than enough for almost all normal uses.
+
+Fixes #50058
+Fixes CVE-2021-44716
+
+Change-Id: Ia83696dc23253c12af8f26d502557c2cc9841105
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1290827
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/369794
+Trust: Filippo Valsorda <filippo@golang.org>
+Run-TryBot: Filippo Valsorda <filippo@golang.org>
+Trust: Damien Neil <dneil@google.com>
+Reviewed-by: Russ Cox <rsc@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+
+diff -ru cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go cli-20.10.27/vendor/golang.org/x/net/http2/server.go
+--- cli-20.10.27-orig/vendor/golang.org/x/net/http2/server.go	2024-02-05 08:53:30.802532951 -0800
++++ cli-20.10.27/vendor/golang.org/x/net/http2/server.go	2024-02-05 09:19:08.473430121 -0800
+@@ -720,7 +720,15 @@
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	sc.canonHeader[v] = cv
++	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
++	// entries in the canonHeader cache. This should be larger than the number
++	// of unique, uncommon header keys likely to be sent by the peer, while not
++	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
++	// number of unique header keys.
++	const maxCachedCanonicalHeaders = 32
++	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++		sc.canonHeader[v] = cv
++	}	
+ 	return cv
+ }
+ 

SPECS/rook/rook.spec

@@ -19,7 +19,7 @@
 Summary:        Orchestrator for distributed storage systems in cloud-native environments
 Name:           rook
 Version:        1.6.2
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -56,6 +56,7 @@ Patch0:         flexvolume-dir.patch
 # Can be removed if we upgrade to prometheus-node-exporter 1.10.0 or later.
 Patch1:         CVE-2022-21698.patch
 Patch2:         CVE-2023-44487.patch
+Patch3:         CVE-2021-44716.patch
 # Ceph version is needed to set correct container tag in manifests
 BuildRequires:  ceph
 # Rook requirements
@@ -254,6 +255,9 @@ sed -i -e "s|\(.*tag: \)VERSION|\1%{helm_appVersion}|" %{values_yaml}
 # bother adding docs or changelog or anything
 
 %changelog
+* Tue Feb 13 2024 Nan Liu <liunan@microsoft.com> - 1.6.2-19
+- Patch CVE-2021-44716
+
 * Fri Feb 09 2024 Muhammad Falak <mwani@microsoft.com> - 1.6.2-18
 - Bump release to rebuild with go 1.21.6