[AUTO-CHERRYPICK] Fix multiple CVEs in moby-buildx package - branch main (#10381)

Co-authored-by: Bala <kumaran.4353@gmail.com>

Author: CBL-Mariner-Bot

SPECS/moby-buildx/CVE-2021-41092.patch

@@ -0,0 +1,64 @@
+From 42d1c02750b3631402da3973e5f36b76c8c934f4 Mon Sep 17 00:00:00 2001
+From: Samuel Karp <skarp@amazon.com>
+Date: Wed, 21 Jul 2021 17:59:42 -0700
+Subject: [PATCH] registry: ensure default auth config has address
+
+Signed-off-by: Samuel Karp <skarp@amazon.com>
+---
+ .../github.com/docker/cli/cli/command/registry.go | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/docker/cli/cli/command/registry.go b/vendor/github.com/docker/cli/cli/command/registry.go
+index e6311c8..68e3dd3 100644
+--- a/vendor/github.com/docker/cli/cli/command/registry.go
++++ b/vendor/github.com/docker/cli/cli/command/registry.go
+@@ -63,17 +63,14 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
+ 		indexServer := registry.GetAuthConfigKey(index)
+ 		isDefaultRegistry := indexServer == ElectAuthServer(context.Background(), cli)
+ 		authConfig, err := GetDefaultAuthConfig(cli, true, indexServer, isDefaultRegistry)
+-		if authConfig == nil {
+-			authConfig = &types.AuthConfig{}
+-		}
+ 		if err != nil {
+ 			fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err)
+ 		}
+-		err = ConfigureAuth(cli, "", "", authConfig, isDefaultRegistry)
++		err = ConfigureAuth(cli, "", "", &authConfig, isDefaultRegistry)
+ 		if err != nil {
+ 			return "", err
+ 		}
+-		return EncodeAuthToBase64(*authConfig)
++		return EncodeAuthToBase64(authConfig)
+ 	}
+ }
+ 
+@@ -92,7 +89,7 @@ func ResolveAuthConfig(ctx context.Context, cli Cli, index *registrytypes.IndexI
+ 
+ // GetDefaultAuthConfig gets the default auth config given a serverAddress
+ // If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it
+-func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (*types.AuthConfig, error) {
++func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (types.AuthConfig, error) {
+ 	if !isDefaultRegistry {
+ 		serverAddress = registry.ConvertToHostname(serverAddress)
+ 	}
+@@ -101,13 +98,15 @@ func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, is
+ 	if checkCredStore {
+ 		authconfig, err = cli.ConfigFile().GetAuthConfig(serverAddress)
+ 		if err != nil {
+-			return nil, err
++			return types.AuthConfig{
++				ServerAddress: serverAddress,
++			}, err
+ 		}
+ 	}
+ 	authconfig.ServerAddress = serverAddress
+ 	authconfig.IdentityToken = ""
+ 	res := types.AuthConfig(authconfig)
+-	return &res, nil
++	return res, nil
+ }
+ 
+ // ConfigureAuth handles prompting of user's username and password if needed
+-- 
+2.33.8
+

SPECS/moby-buildx/CVE-2022-41717.patch

@@ -0,0 +1,75 @@
+From 1e63c2f08a10a150fa02c50ece89b340ae64efe4 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 6 Dec 2022 11:57:53 -0800
+Subject: [PATCH] http2: limit canonical header cache by bytes, not entries
+
+The canonical header cache is a per-connection cache mapping header
+keys to their canonicalized form. (For example, "foo-bar" => "Foo-Bar").
+We limit the number of entries in the cache to prevent an attacker
+from consuming unbounded amounts of memory by sending many unique
+keys, but a small number of very large keys can still consume an
+unreasonable amount of memory.
+
+Track the amount of memory consumed by the cache and limit it based
+on memory rather than number of entries.
+
+Thanks to Josselin Costanzi for reporting this issue.
+
+For golang/go#56350
+
+Change-Id: I41db4c9823ed5bf371a9881accddff1268489b16
+Reviewed-on: https://go-review.googlesource.com/c/net/+/455635
+Reviewed-by: Jenny Rakoczy <jenny@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+---
+ vendor/golang.org/x/net/http2/server.go | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go
+index 52afaa6..f26f665 100644
+--- a/vendor/golang.org/x/net/http2/server.go
++++ b/vendor/golang.org/x/net/http2/server.go
+@@ -525,6 +525,7 @@ type serverConn struct {
+ 	headerTableSize             uint32
+ 	peerMaxHeaderListSize       uint32            // zero means unknown (default)
+ 	canonHeader                 map[string]string // http2-lower-case -> Go-Canonical-Case
++	canonHeaderKeysSize         int               // canonHeader keys size in bytes
+ 	writingFrame                bool              // started writing a frame (on serve goroutine or separate)
+ 	writingFrameAsync           bool              // started a frame on its own goroutine but haven't heard back on wroteFrameCh
+ 	needsFrameFlush             bool              // last frame write wasn't a flush
+@@ -701,6 +702,13 @@ func (sc *serverConn) condlogf(err error, format string, args ...interface{}) {
+ 	}
+ }
+ 
++// maxCachedCanonicalHeadersKeysSize is an arbitrarily-chosen limit on the size
++// of the entries in the canonHeader cache.
++// This should be larger than the size of unique, uncommon header keys likely to
++// be sent by the peer, while not so high as to permit unreasonable memory usage
++// if the peer sends an unbounded number of unique header keys.
++const maxCachedCanonicalHeadersKeysSize = 2048
++
+ func (sc *serverConn) canonicalHeader(v string) string {
+ 	sc.serveG.check()
+ 	buildCommonHeaderMapsOnce()
+@@ -716,14 +724,10 @@ func (sc *serverConn) canonicalHeader(v string) string {
+ 		sc.canonHeader = make(map[string]string)
+ 	}
+ 	cv = http.CanonicalHeaderKey(v)
+-	// maxCachedCanonicalHeaders is an arbitrarily-chosen limit on the number of
+-	// entries in the canonHeader cache. This should be larger than the number
+-	// of unique, uncommon header keys likely to be sent by the peer, while not
+-	// so high as to permit unreaasonable memory usage if the peer sends an unbounded
+-	// number of unique header keys.
+-	const maxCachedCanonicalHeaders = 32
+-	if len(sc.canonHeader) < maxCachedCanonicalHeaders {
++	size := 100 + len(v)*2 // 100 bytes of map overhead + key + value
++	if sc.canonHeaderKeysSize+size <= maxCachedCanonicalHeadersKeysSize {
+ 		sc.canonHeader[v] = cv
++		sc.canonHeaderKeysSize += size
+ 	}	
+ 	return cv
+ }
+-- 
+2.33.8
+

SPECS/moby-buildx/CVE-2023-45288.patch

@@ -0,0 +1,90 @@
+Parent:     ebc8168a (all: fix some typos)
+Author:     Damien Neil <dneil@google.com>
+AuthorDate: 2024-01-10 13:41:39 -0800
+Commit:     Gopher Robot <gobot@golang.org>
+CommitDate: 2024-04-03 16:01:29 +0000
+
+http2: close connections when receiving too many headers
+
+Maintaining HPACK state requires that we parse and process
+all HEADERS and CONTINUATION frames on a connection.
+When a request's headers exceed MaxHeaderBytes, we don't
+allocate memory to store the excess headers but we do
+parse them. This permits an attacker to cause an HTTP/2
+endpoint to read arbitrary amounts of data, all associated
+with a request which is going to be rejected.
+
+Set a limit on the amount of excess header frames we
+will process before closing a connection.
+
+Thanks to Bartek Nowotarski for reporting this issue.
+
+Fixes CVE-2023-45288
+Fixes golang/go#65051
+
+Change-Id: I15df097268df13bb5a9e9d3a5c04a8a141d850f6
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2130527
+Reviewed-by: Roland Shoemaker <bracewell@google.com>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/net/+/576155
+Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
+Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
+Reviewed-by: Than McIntosh <thanm@google.com>
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+
+---
+ vendor/golang.org/x/net/http2/frame.go | 31 ++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/vendor/golang.org/x/net/http2/frame.go b/vendor/golang.org/x/net/http2/frame.go
+index 514c126..37f3e0e 100644
+--- a/vendor/golang.org/x/net/http2/frame.go
++++ b/vendor/golang.org/x/net/http2/frame.go
+@@ -1521,6 +1521,7 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 		if size > remainSize {
+ 			hdec.SetEmitEnabled(false)
+ 			mh.Truncated = true
++			remainSize = 0
+ 			return
+ 		}
+ 		remainSize -= size
+@@ -1533,6 +1534,36 @@ func (fr *Framer) readMetaFrame(hf *HeadersFrame) (*MetaHeadersFrame, error) {
+ 	var hc headersOrContinuation = hf
+ 	for {
+ 		frag := hc.HeaderBlockFragment()
++
++		// Avoid parsing large amounts of headers that we will then discard.
++		// If the sender exceeds the max header list size by too much,
++		// skip parsing the fragment and close the connection.
++		//
++		// "Too much" is either any CONTINUATION frame after we've already
++		// exceeded the max header list size (in which case remainSize is 0),
++		// or a frame whose encoded size is more than twice the remaining
++		// header list bytes we're willing to accept.
++		if int64(len(frag)) > int64(2*remainSize) {
++			if VerboseLogs {
++				log.Printf("http2: header list too large")
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, ConnectionError(ErrCodeProtocol)
++		}
++
++		// Also close the connection after any CONTINUATION frame following an
++		// invalid header, since we stop tracking the size of the headers after
++		// an invalid one.
++		if invalid != nil {
++			if VerboseLogs {
++				log.Printf("http2: invalid header: %v", invalid)
++			}
++			// It would be nice to send a RST_STREAM before sending the GOAWAY,
++			// but the struture of the server's frame writer makes this difficult.
++			return nil, ConnectionError(ErrCodeProtocol)
++		}
++
+ 		if _, err := hdec.Write(frag); err != nil {
+ 			return nil, ConnectionError(ErrCodeCompression)
+ 		}
+-- 
+2.33.8
+