[AUTO-CHERRYPICK] cri-o: patch CVE-2021-43565 - branch main (#9901)

CBL-Mariner-Bot · arc9693 · web-flow · commit f9abe2539f3b · 2024-07-25T19:01:19.000-04:00
Co-authored-by: Archana Choudhary &lt;36061892+arc9693@users.noreply.github.com&gt;
diff --git a/SPECS/cri-o/CVE-2021-43565.patch b/SPECS/cri-o/CVE-2021-43565.patch
@@ -0,0 +1,56 @@
+From 5770296d904e90f15f38f77dfc2e43fdf5efc083 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 9 Nov 2021 11:45:57 -0800
+Subject: [PATCH] ssh: don't assume packet plaintext size
+
+When reading GCM and ChaChaPoly1305 packets, don't make assumptions
+about the size of the enciphered plaintext. This fixes two panics
+caused by standards non-compliant malformed packets.
+
+Thanks to Rod Hynes, Psiphon Inc. for reporting this issue.
+
+Fixes golang/go#49932
+Fixes CVE-2021-43565
+
+Change-Id: I660cff39d197e0d04ec44d11d792b22d954df2ef
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1262659
+Reviewed-by: Katie Hockman <katiehockman@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/368814
+Trust: Roland Shoemaker <roland@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Julie Qiu <julie@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+---
+ ssh/cipher.go      |   8 ++++
+ ssh/cipher_test.go | 100 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 108 insertions(+)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
+index bddbde5dbd..f8bdf4984c 100644
+--- a/vendor/golang.org/x/crypto/ssh/cipher.go
++++ b/vendor/golang.org/x/crypto/ssh/cipher.go
+@@ -394,6 +394,10 @@ func (c *gcmCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error)
+ 	}
+ 	c.incIV()
+ 
++	if len(plain) == 0 {
++		return nil, errors.New("ssh: empty packet")
++	}
++
+ 	padding := plain[0]
+ 	if padding < 4 {
+ 		// padding is a byte, so it automatically satisfies
+@@ -710,6 +714,10 @@ func (c *chacha20Poly1305Cipher) readCipherPacket(seqNum uint32, r io.Reader) ([
+ 	plain := c.buf[4:contentEnd]
+ 	s.XORKeyStream(plain, plain)
+ 
++	if len(plain) == 0 {
++		return nil, errors.New("ssh: empty packet")
++	}
++
+ 	padding := plain[0]
+ 	if padding < 4 {
+ 		// padding is a byte, so it automatically satisfies
diff --git a/SPECS/cri-o/cri-o.spec b/SPECS/cri-o/cri-o.spec
@@ -26,7 +26,7 @@ Summary:        OCI-based implementation of Kubernetes Container Runtime Interfa
 # Define macros for further referenced sources
 Name:           cri-o
 Version:        1.22.3
-Release:        4%{?dist}
+Release:        5%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -65,6 +65,7 @@ Patch9:         CVE-2024-28180.patch
 Patch10:        CVE-2024-21626.patch
 Patch11:        CVE-2024-3154.patch
 Patch12:        CVE-2024-3727.patch
+Patch13:        CVE-2021-43565.patch
 BuildRequires:  btrfs-progs-devel
 BuildRequires:  device-mapper-devel
 BuildRequires:  fdupes
@@ -217,6 +218,9 @@ mkdir -p /opt/cni/bin
 %{_fillupdir}/sysconfig.kubelet
 
 %changelog
+* Mon Jul 22 2024 Archana Choudhary <archana1@microsoft.com> - 1.22.3-5
+- Patch CVE-2021-43565
+
 * Wed Jun 26 2024 Muhammad Falak <mwani@microsoft.com> - 1.22.3-4
 - Bump release to rebuild with go 1.21.11
 
