!104 backport fix cve-2022-41723 for openEuler-20.03-LTS-SP4

From: @running-tortoise 
Reviewed-by: @wubijie123 
Signed-off-by: @wubijie123

0005-backport-fix-CVE-2022-41723.patch

@@ -0,0 +1,143 @@
+From 33fc2e1988454d3a2f9d887161884f76f344178f Mon Sep 17 00:00:00 2001
+From: lvxiangcong <lvxiangcong@kylinos.cn>
+Date: Fri, 14 Feb 2025 14:29:45 +0800
+Subject: [PATCH] backport fix cve-2022-41723
+
+---
+ vendor/golang.org/x/net/http2/hpack/hpack.go | 80 ++++++++++++--------
+ 1 file changed, 50 insertions(+), 30 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/hpack/hpack.go b/vendor/golang.org/x/net/http2/hpack/hpack.go
+index 85f18a2..0d3fd2b 100644
+--- a/vendor/golang.org/x/net/http2/hpack/hpack.go
++++ b/vendor/golang.org/x/net/http2/hpack/hpack.go
+@@ -359,6 +359,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 
+ 	var hf HeaderField
+ 	wantStr := d.emitEnabled || it.indexed()
++	var undecodedName undecodedString
+ 	if nameIdx > 0 {
+ 		ihf, ok := d.at(nameIdx)
+ 		if !ok {
+@@ -366,15 +367,27 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 		}
+ 		hf.Name = ihf.Name
+ 	} else {
+-		hf.Name, buf, err = d.readString(buf, wantStr)
++		undecodedName, buf, err = d.readString(buf)
+ 		if err != nil {
+ 			return err
+ 		}
+ 	}
+-	hf.Value, buf, err = d.readString(buf, wantStr)
++	undecodedValue, buf, err := d.readString(buf)
+ 	if err != nil {
+ 		return err
+ 	}
++	if wantStr {
++		if nameIdx <= 0 {
++			hf.Name, err = d.decodeString(undecodedName)
++			if err != nil {
++				return err
++			}
++		}
++		hf.Value, err = d.decodeString(undecodedValue)
++		if err != nil {
++			return err
++		}
++	}
+ 	d.buf = buf
+ 	if it.indexed() {
+ 		d.dynTab.add(hf)
+@@ -383,6 +396,7 @@ func (d *Decoder) parseFieldLiteral(n uint8, it indexType) error {
+ 	return d.callEmit(hf)
+ }
+ 
++
+ func (d *Decoder) callEmit(hf HeaderField) error {
+ 	if d.maxStrLen != 0 {
+ 		if len(hf.Name) > d.maxStrLen || len(hf.Value) > d.maxStrLen {
+@@ -459,46 +473,52 @@ func readVarInt(n byte, p []byte) (i uint64, remain []byte, err error) {
+ 	return 0, origP, errNeedMore
+ }
+ 
+-// readString decodes an hpack string from p.
++// readString reads an hpack string from p.
+ //
+-// wantStr is whether s will be used. If false, decompression and
+-// []byte->string garbage are skipped if s will be ignored
+-// anyway. This does mean that huffman decoding errors for non-indexed
+-// strings past the MAX_HEADER_LIST_SIZE are ignored, but the server
+-// is returning an error anyway, and because they're not indexed, the error
+-// won't affect the decoding state.
+-func (d *Decoder) readString(p []byte, wantStr bool) (s string, remain []byte, err error) {
++// It returns a reference to the encoded string data to permit deferring decode costs
++// until after the caller verifies all data is present.
++func (d *Decoder) readString(p []byte) (u undecodedString, remain []byte, err error) {
+ 	if len(p) == 0 {
+-		return "", p, errNeedMore
++		return u, p, errNeedMore
+ 	}
+ 	isHuff := p[0]&128 != 0
+ 	strLen, p, err := readVarInt(7, p)
+ 	if err != nil {
+-		return "", p, err
++		return u, p, err
+ 	}
+ 	if d.maxStrLen != 0 && strLen > uint64(d.maxStrLen) {
+-		return "", nil, ErrStringLength
++		// Returning an error here means Huffman decoding errors
++		// for non-indexed strings past the maximum string length
++		// are ignored, but the server is returning an error anyway
++		// and because the string is not indexed the error will not
++		// affect the decoding state.
++		return u, nil, ErrStringLength
+ 	}
+ 	if uint64(len(p)) < strLen {
+-		return "", p, errNeedMore
+-	}
+-	if !isHuff {
+-		if wantStr {
+-			s = string(p[:strLen])
+-		}
+-		return s, p[strLen:], nil
++		return u, p, errNeedMore
+ 	}
++	u.isHuff = isHuff
++	u.b = p[:strLen]
++	return u, p[strLen:], nil
++}
+ 
+-	if wantStr {
+-		buf := bufPool.Get().(*bytes.Buffer)
+-		buf.Reset() // don't trust others
+-		defer bufPool.Put(buf)
+-		if err := huffmanDecode(buf, d.maxStrLen, p[:strLen]); err != nil {
+-			buf.Reset()
+-			return "", nil, err
+-		}
++type undecodedString struct {
++	isHuff bool
++	b      []byte
++}
++
++func (d *Decoder) decodeString(u undecodedString) (string, error) {
++	if !u.isHuff {
++		return string(u.b), nil
++	}
++	buf := bufPool.Get().(*bytes.Buffer)
++	buf.Reset() // don't trust others
++	var s string
++	err := huffmanDecode(buf, d.maxStrLen, u.b)
++	if err == nil {
+ 		s = buf.String()
+-		buf.Reset() // be nice to GC
+ 	}
+-	return s, p[strLen:], nil
++	buf.Reset() // be nice to GC
++	bufPool.Put(buf)
++	return s, err
+ }
+-- 
+2.46.0
+

etcd.spec

@@ -31,7 +31,7 @@ system.}
 %global gosupfiles      integration/fixtures/* etcdserver/api/v2http/testdata/*
 
 Name:           etcd
-Release:        6
+Release:        7
 Summary:        Distributed reliable key-value store for the most critical data of a distributed system
 
 # Upstream license specification: Apache-2.0
@@ -48,6 +48,7 @@ Patch1:         0001-Convert-int-to-string-using-strconv.Itoa.patch
 Patch2:		0002-Etcd-on-unsupported-platform-without-ETCD_UNSUPPORTED_ARCH=arm64-set.patch
 Patch3:         0003-backport-Suppress-noisy-basic-auth-token-deletion-log.patch
 Patch4:         0004-backport-fix-CVE-2022-3064.patch
+Patch5:         0005-backport-fix-CVE-2022-41723.patch
 
 
 BuildRequires:  golang
@@ -68,6 +69,7 @@ Requires(pre):  shadow-utils
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # For compatibility
 cp -aR etcdserver/api/snap snap
 cp -aR etcdserver/api/membership etcdserver/membership
@@ -153,6 +155,12 @@ getent passwd %{name} >/dev/null || useradd -r -g %{name} -d %{_sharedstatedir}/
 %endif
 
 %changelog
+* Fri Feb 14 2025 lvxiangcong<lvxiangcong@kylinos.cn> - 3.4.14-7
+- Type:CVE
+- CVE:CVE-2022-41723
+- SUG:NA
+- DESC: backport fix CVE-2022-41723 for openEuler-20.03-LTS-SP4
+
 * Fri Feb 14 2025 lvxiangcong<lvxiangcong@kylinos.cn> - 3.4.14-6
 - Type:CVE
 - CVE:CVE-2022-3064