[AUTO-CHERRYPICK] cni : Fix CVE-2022-29526 and CVE-2024-45338 - branch 3.0-dev (#12077)

CBL-Mariner-Bot · KavyaSree2610 · web-flow · commit 5a0497d222af · 2025-01-26T10:31:18.000-05:00
Co-authored-by: KavyaSree2610 &lt;92566732+KavyaSree2610@users.noreply.github.com&gt;
diff --git a/SPECS/cni/CVE-2022-29526.patch b/SPECS/cni/CVE-2022-29526.patch
@@ -0,0 +1,47 @@
+From e13d51dae376f08ea381869af4880ca312111086 Mon Sep 17 00:00:00 2001
+From: Damien Neil <dneil@google.com>
+Date: Tue, 12 Apr 2022 13:38:17 -0700
+Subject: [PATCH] [release-branch.go1.17] syscall: check correct group in
+ Faccessat
+
+The Faccessat call checks the user, group, or other permission bits of a
+file to see if the calling process can access it. The test to see if the
+group permissions should be used was made with the wrong group id, using
+the process's group id rather than the file's group id. Fix this to use
+the correct group id.
+
+No test since we cannot easily change file permissions when not running
+as root and the test is meaningless if running as root.
+
+For #52313
+Fixes #52439
+
+Change-Id: I4e2c84754b0af7830b40fd15dedcbc58374d75ee
+Reviewed-on: https://go-review.googlesource.com/c/go/+/399539
+Reviewed-by: Ian Lance Taylor <iant@google.com>
+Run-TryBot: Ian Lance Taylor <iant@google.com>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+(cherry picked from commit f66925e854e71e0c54b581885380a490d7afa30c)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/401078
+Auto-Submit: Tatiana Bradley <tatiana@golang.org>
+Run-TryBot: Tatiana Bradley <tatiana@golang.org>
+Run-TryBot: Damien Neil <dneil@google.com>
+Auto-Submit: Damien Neil <dneil@google.com>
+Reviewed-by: Tatiana Bradley <tatiana@golang.org>
+---
+ vendor/golang.org/x/sys/unix/syscall_linux.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/syscall/syscall_linux.go b/src/syscall/syscall_linux.go
+index 3041f6f8fceda7..b2cc53e5c0dbe3 100644
+--- a/vendor/golang.org/x/sys/unix/syscall_linux.go
++++ b/vendor/golang.org/x/sys/unix/syscall_linux.go
+@@ -106,7 +106,7 @@ func Faccessat(dirfd int, path string, mode uint32, flags int) (err error) {
+ 			gid = Getgid()
+ 		}
+ 
+-		if uint32(gid) == st.Gid || isGroupMember(gid) {
++		if uint32(gid) == st.Gid || isGroupMember(int(st.Gid)) {
+ 			fmode = (st.Mode >> 3) & 7
+ 		} else {
+ 			fmode = st.Mode & 7
diff --git a/SPECS/cni/CVE-2024-45338.patch b/SPECS/cni/CVE-2024-45338.patch
@@ -0,0 +1,80 @@
+From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 04 Dec 2024 09:35:55 -0800
+Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ vendor/golang.org/x/net/html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 038941d..cb012d8 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
+-- 
+2.25.1
+
diff --git a/SPECS/cni/cni.spec b/SPECS/cni/cni.spec
@@ -24,7 +24,7 @@
 Summary:        Container Network Interface - networking for Linux containers
 Name:           cni
 Version:        1.1.2
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -50,6 +50,8 @@ Source2:        build.sh
 Source3:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2021-38561.patch
 Patch1:         CVE-2022-32149.patch
+Patch2:		CVE-2024-45338.patch
+Patch3:		CVE-2022-29526.patch
 BuildRequires:  golang
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  xz
@@ -115,6 +117,9 @@ install -m 755 -d "%{buildroot}%{cni_doc_dir}"
 %{_sbindir}/cnitool
 
 %changelog
+* Thu Jan 23 2025 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 1.1.2-4
+- Patch CVE-2024-45338 and CVE-2022-29526
+
 * Fri Sep 06 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 1.1.2-3
 - Patch CVE-2022-32149
 
