diff --git a/SPECS/fluent-bit/CVE-2024-34250.patch b/SPECS/fluent-bit/CVE-2024-34250.patch
new file mode 100644
index 00000000000..ffcae8c2327
--- /dev/null
+++ b/SPECS/fluent-bit/CVE-2024-34250.patch
@@ -0,0 +1,114 @@
+diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
+index 2a06f42..87af852 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_loader.c
+@@ -219,7 +219,10 @@ type2str(uint8 type)
+ static bool
+ is_32bit_type(uint8 type)
+ {
+- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
++ if (type == VALUE_TYPE_I32
++ || type == VALUE_TYPE_F32
++ /* the operand stack is in polymorphic state */
++ || type == VALUE_TYPE_ANY
+ #if WASM_ENABLE_REF_TYPES != 0
+ || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
+ #endif
+@@ -6690,6 +6693,7 @@ wasm_loader_check_br(WASMLoaderContext *loader_ctx, uint32 depth,
+ int32 i, available_stack_cell;
+ uint16 cell_num;
+
++ bh_assert(loader_ctx->csp_num > 0);
+ if (loader_ctx->csp_num < depth + 1) {
+ set_error_buf(error_buf, error_buf_size,
+ "unknown label, "
+@@ -7758,8 +7762,7 @@ re_scan:
+ }
+
+ if (available_stack_cell > 0) {
+- if (is_32bit_type(*(loader_ctx->frame_ref - 1))
+- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
++ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
+ loader_ctx->frame_ref--;
+ loader_ctx->stack_cell_num--;
+ #if WASM_ENABLE_FAST_INTERP != 0
+diff --git a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
+index 47ec549..157a82c 100644
+--- a/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
++++ b/lib/wasm-micro-runtime-WAMR-1.3.0/core/iwasm/interpreter/wasm_mini_loader.c
+@@ -51,7 +51,10 @@ set_error_buf(char *error_buf, uint32 error_buf_size, const char *string)
+ static bool
+ is_32bit_type(uint8 type)
+ {
+- if (type == VALUE_TYPE_I32 || type == VALUE_TYPE_F32
++ if (type == VALUE_TYPE_I32
++ || type == VALUE_TYPE_F32
++ /* the operand stack is in polymorphic state */
++ || type == VALUE_TYPE_ANY
+ #if WASM_ENABLE_REF_TYPES != 0
+ || type == VALUE_TYPE_FUNCREF || type == VALUE_TYPE_EXTERNREF
+ #endif
+@@ -3930,7 +3933,7 @@ wasm_loader_pop_frame_ref(WASMLoaderContext *ctx, uint8 type, char *error_buf,
+ ctx->frame_ref--;
+ ctx->stack_cell_num--;
+
+- if (is_32bit_type(type) || *ctx->frame_ref == VALUE_TYPE_ANY)
++ if (is_32bit_type(type))
+ return true;
+
+ ctx->frame_ref--;
+@@ -5839,13 +5842,11 @@ re_scan:
+ case WASM_OP_BR_TABLE:
+ {
+ uint8 *ret_types = NULL;
+- uint32 ret_count = 0;
++ uint32 ret_count = 0, depth = 0;
+ #if WASM_ENABLE_FAST_INTERP == 0
+- uint8 *p_depth_begin, *p_depth;
+- uint32 depth, j;
+ BrTableCache *br_table_cache = NULL;
+-
+- p_org = p - 1;
++ uint8 *p_depth_begin, *p_depth, *p_opcode = p - 1;
++ uint32 j;
+ #endif
+
+ read_leb_uint32(p, p_end, count);
+@@ -5854,6 +5855,16 @@ re_scan:
+ #endif
+ POP_I32();
+
++ /* Get each depth and check it */
++ p_org = p;
++ for (i = 0; i <= count; i++) {
++ read_leb_uint32(p, p_end, depth);
++ bh_assert(loader_ctx->csp_num > 0);
++ bh_assert(loader_ctx->csp_num - 1 >= depth);
++ (void)depth;
++ }
++ p = p_org;
++
+ #if WASM_ENABLE_FAST_INTERP == 0
+ p_depth_begin = p_depth = p;
+ #endif
+@@ -5879,8 +5890,8 @@ re_scan:
+ error_buf, error_buf_size))) {
+ goto fail;
+ }
+- *p_org = EXT_OP_BR_TABLE_CACHE;
+- br_table_cache->br_table_op_addr = p_org;
++ *p_opcode = EXT_OP_BR_TABLE_CACHE;
++ br_table_cache->br_table_op_addr = p_opcode;
+ br_table_cache->br_count = count;
+ /* Copy previous depths which are one byte */
+ for (j = 0; j < i; j++) {
+@@ -6099,8 +6110,7 @@ re_scan:
+ && !cur_block->is_stack_polymorphic));
+
+ if (available_stack_cell > 0) {
+- if (is_32bit_type(*(loader_ctx->frame_ref - 1))
+- || *(loader_ctx->frame_ref - 1) == VALUE_TYPE_ANY) {
++ if (is_32bit_type(*(loader_ctx->frame_ref - 1))) {
+ loader_ctx->frame_ref--;
+ loader_ctx->stack_cell_num--;
+ #if WASM_ENABLE_FAST_INTERP != 0
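Review bot: In the wasm_mini_loader.c BR_TABLE hunk the new per-depth validation exists only as `bh_assert(loader_ctx->csp_num - 1 >= depth)`, and the `(void)depth;` that follows suggests the asserts can compile to nothing, in which case a non-debug build still accepts an out-of-range branch depth. If the mini loader can ever be handed a module that was not validated elsewhere, this should be a real check that reports through set_error_buf and takes the `goto fail` path used a few lines further down. Separately, in wasm_loader_check_br the unchanged test `loader_ctx->csp_num < depth + 1` wraps to a comparison against zero when depth is the largest uint32 value (assuming csp_num is unsigned, which the patch does not show); with the new assert guaranteeing csp_num > 0 it could be written as `if (loader_ctx->csp_num - 1 < depth) {`. Both functions start and end outside the lines carried in the patch.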
diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec
index df3c7a6defb..6c6c5e3daf2 100644
--- a/SPECS/fluent-bit/fluent-bit.spec
+++ b/SPECS/fluent-bit/fluent-bit.spec
@@ -1,12 +1,13 @@
 Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
 Name: fluent-bit
 Version: 2.2.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
 URL: https://fluentbit.io
 Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+Patch0: CVE-2024-34250.patch
 BuildRequires: bison
 BuildRequires: cmake
 BuildRequires: cyrus-sasl-devel
@@ -80,6 +81,9 @@ Development files for %{name}
 %{_libdir}/fluent-bit/*.so
 
 %changelog
+* Wed May 30 2024 Sindhu Karri - 2.2.3-2
+- Fix CVE-2024-34250 with a patch
+
 * Tue May 28 2024 CBL-Mariner Servicing Account - 2.2.3-1
 - Auto-upgrade to 2.2.3
 - CVE-2024-4323
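Review bot: `Patch0: CVE-2024-34250.patch` is declared in the first hunk, but the %prep section lies outside the diff, so nothing visible confirms the patch is actually applied. Unless %prep already uses `%autosetup -p1`, it needs a `%patch0 -p1` line, otherwise the package rebuilds as 2.2.3-2 without the fix while the changelog claims it. The patch paths begin with `a/lib/...`, so strip level 1 is the one that matches the source tree root. In the changelog hunk, `Wed May 30 2024` disagrees with the existing `Tue May 28 2024` entry (two days after a Tuesday is a Thursday), which rpm flags as a bogus date; `* Thu May 30 2024` would correct it.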