diff --git a/SPECS/sriov-network-device-plugin/CVE-2024-45339.patch b/SPECS/sriov-network-device-plugin/CVE-2024-45339.patch
new file mode 100644
index 00000000000..c5161cf8205
--- /dev/null
+++ b/SPECS/sriov-network-device-plugin/CVE-2024-45339.patch
@@ -0,0 +1,119 @@
+From afd4339ec8682b92eb6bcc870d138106ffd5f58d Mon Sep 17 00:00:00 2001
+From: kavyasree
+Date: Fri, 31 Jan 2025 21:16:51 +0530
+Subject: [PATCH] Patch CVE-2024-45339
+
+Reference: https://github.com/golang/glog/pull/74
+---
+ vendor/github.com/golang/glog/glog_file.go | 60 ++++++++++++++++------
+ 1 file changed, 44 insertions(+), 16 deletions(-)
+
+diff --git a/vendor/github.com/golang/glog/glog_file.go b/vendor/github.com/golang/glog/glog_file.go
+index e7d125c..6d239fa 100644
+--- a/vendor/github.com/golang/glog/glog_file.go
++++ b/vendor/github.com/golang/glog/glog_file.go
+@@ -118,32 +118,53 @@ var onceLogDirs sync.Once
+ // contains tag ("INFO", "FATAL", etc.) and t. If the file is created
+ // successfully, create also attempts to update the symlink for that tag, ignoring
+ // errors.
+-func create(tag string, t time.Time) (f *os.File, filename string, err error) {
++func create(tag string, t time.Time, dir string) (f *os.File, filename string, err error) {
++ if dir != "" {
++ f, name, err := createInDir(dir, tag, t)
++ if err == nil {
++ return f, name, err
++ }
++ return nil, "", fmt.Errorf("log: cannot create log: %v", err)
++ }
++
+ onceLogDirs.Do(createLogDirs)
+ if len(logDirs) == 0 {
+ return nil, "", errors.New("log: no log dirs")
+ }
+- name, link := logName(tag, t)
+ var lastErr error
+ for _, dir := range logDirs {
+- fname := filepath.Join(dir, name)
+- f, err := os.Create(fname)
++ f, name, err := createInDir(dir, tag, t)
+ if err == nil {
+- symlink := filepath.Join(dir, link)
+- os.Remove(symlink) // ignore err
+- os.Symlink(name, symlink) // ignore err
+- if *logLink != "" {
+- lsymlink := filepath.Join(*logLink, link)
+- os.Remove(lsymlink) // ignore err
+- os.Symlink(fname, lsymlink) // ignore err
+- }
+- return f, fname, nil
++ return f, name, err
+ }
+ lastErr = err
+ }
+ return nil, "", fmt.Errorf("log: cannot create log: %v", lastErr)
+ }
+ 
++func createInDir(dir, tag string, t time.Time) (f *os.File, name string, err error) {
++ name, link := logName(tag, t)
++ fname := filepath.Join(dir, name)
++ // O_EXCL is important here, as it prevents a vulnerability. The general idea is that logs often
++ // live in an insecure directory (like /tmp), so an unprivileged attacker could create fname in
++ // advance as a symlink to a file the logging process can access, but the attacker cannot. O_EXCL
++ // fails the open if it already exists, thus prevent our this code from opening the existing file
++ // the attacker points us to.
++ f, err = os.OpenFile(fname, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
++ if err == nil {
++ symlink := filepath.Join(dir, link)
++ os.Remove(symlink) // ignore err
++ os.Symlink(name, symlink) // ignore err
++ if *logLink != "" {
++ lsymlink := filepath.Join(*logLink, link)
++ os.Remove(lsymlink) // ignore err
++ os.Symlink(fname, lsymlink) // ignore err
++ }
++ return f, fname, nil
++ }
++ return nil, "", err
++}
++
+ // flushSyncWriter is the interface satisfied by logging destinations.
+ type flushSyncWriter interface {
+ Flush() error
+@@ -247,6 +268,7 @@ type syncBuffer struct {
+ names []string
+ sev logsink.Severity
+ nbytes uint64 // The number of bytes written to this file
++ madeAt time.Time
+ }
+ 
+ func (sb *syncBuffer) Sync() error {
+@@ -254,9 +276,14 @@ func (sb *syncBuffer) Sync() error {
+ }
+ 
+ func (sb *syncBuffer) Write(p []byte) (n int, err error) {
++ // Rotate the file if it is too large, but ensure we only do so,
++ // if rotate doesn't create a conflicting filename.
+ if sb.nbytes+uint64(len(p)) >= MaxSize {
+- if err := sb.rotateFile(time.Now()); err != nil {
+- return 0, err
++ now := timeNow()
++ if now.After(sb.madeAt.Add(1*time.Second)) || now.Second() != sb.madeAt.Second() {
++ if err := sb.rotateFile(now); err != nil {
++ return 0, err
++ }
+ }
+ }
+ n, err = sb.Writer.Write(p)
+@@ -274,7 +301,8 @@ const footer = "\nCONTINUED IN NEXT FILE\n"
+ func (sb *syncBuffer) rotateFile(now time.Time) error {
+ var err error
+ pn := ""
+- file, name, err := create(sb.sev.String(), now)
++ file, name, err := create(sb.sev.String(), now, "")
++ sb.madeAt = now
+ 
+ if sb.file != nil {
+ // The current log file becomes the previous log at the end of
+--
+2.34.1
+
diff --git a/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec b/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec
index d350a1f1d72..2487373ea30 100644
--- a/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec
+++ b/SPECS/sriov-network-device-plugin/sriov-network-device-plugin.spec
@@ -1,7 +1,7 @@
 Summary: Plugin for discovering and advertising networking resources
 Name: sriov-network-device-plugin
 Version: 3.7.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -9,6 +9,7 @@ URL: https://github.com/k8snetworkplumbingwg/sriov-network-device-plu
 Source0: https://github.com/k8snetworkplumbingwg/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: %{name}-%{version}-vendor.tar.gz
 Patch0: CVE-2024-45338.patch
+Patch1: CVE-2024-45339.patch
 BuildRequires: golang
 Requires: gawk
 Requires: hwdata
@@ -38,6 +39,9 @@ install -D -m0755 images/ddptool-1.0.1.12.tar.gz %{buildroot}%{_datadir}/%{name}
 %{_datadir}/%{name}/ddptool-1.0.1.12.tar.gz
 
 %changelog
+* Fri Jan 31 2025 Kavya Sree Kaitepalli - 3.7.0-3
+- Patch CVE-2024-45339
+
 * Tue Dec 31 2024 Rohit Rawat - 3.7.0-2
 - Patch CVE-2024-45338
 
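Review bot: The rotation guard added to `syncBuffer.Write` calls `timeNow()`, which this backport does not introduce, so the patched vendor tree only builds if the vendored glog already declares that package variable (upstream glog keeps one for test stubbing); confirm it exists at the vendored revision before merging. In the `rotateFile` hunk, `sb.madeAt = now` is assigned before the error from `create` is examined (the rest of rotateFile lies outside the hunk), so a failed rotation suppresses further attempts for up to a second while writes keep landing in the old file; if that throttling is intended, a comment such as `// Record the attempt even on failure so Write does not retry rotation within the same second.` would spare the next reader a trip to upstream. `createInDir` also has no doc comment; `// createInDir creates the log file for tag at time t inside dir, refusing to open a path that already exists, updates the per-tag symlinks best-effort, and returns the file and its full path.` would state the contract that the O_EXCL comment only implies.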