fluent-bit: Address CVE-2024-25431 #11096
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-static
subpackages, etc.) have had theirRelease
tag incremented../cgmanifest.json
,./toolkit/scripts/toolchain/cgmanifest.json
,.github/workflows/cgmanifest.json
)./LICENSES-AND-NOTICES/SPECS/data/licenses.json
,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md
,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON
)*.signatures.json
filessudo make go-tidy-all
andsudo make go-test-coverage
passSummary
What does the PR accomplish, why was it needed?
This PR fixes CVE-2024-25431.
Original patch from the upstream can be found here. However there is an indentation difference in a few lines in the
if (initialize)
code block as follows -Upstream code (which was then modified to create the original upstream patch) -
Code in our version 3.0.6 of fluent-bit -
In our current code, the line:
module->functions[initialize->index - module->import_function_count]
is one continuous line with the assignment, while in the patch it's split across multiple lines with different indentation. Hence, I created a new patch for all these changes from the upstream patch for this CVE fix.
Change Log
Does this affect the toolchain?
NO
Associated issues
Links to CVEs
Test Methodology