3.0-dev - influxdb fix CVE-2021-4238 (#9452)

Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
2024-06-19 16:06:25 -07:00 · 2024-06-19 16:06:25 -07:00 · 137d10598d
--- a/SPECS/influxdb/CVE-2021-4238.patch
+++ b/SPECS/influxdb/CVE-2021-4238.patch
@ -0,0 +1,49 @@
+Partial backport of 869801f20f9f1e7ecdbdb6422049d8241270d5e1
+
+diff --git a/vendor/github.com/aokoli/goutils/randomstringutils.go b/vendor/github.com/aokoli/goutils/randomstringutils.go
+index 1364e0c..8c6ccab 100644
+--- a/vendor/github.com/aokoli/goutils/randomstringutils.go
+++ b/vendor/github.com/aokoli/goutils/randomstringutils.go
+@@ -20,7 +20,6 @@ import (
+ 	"fmt"
+ 	"math"
+ 	"math/rand"
+-	"regexp"
+ 	"time"
+ 	"unicode"
+ )
+@@ -75,12 +74,10 @@ func RandomNumeric(count int) (string, error) {
+ 
+ /*
+ RandomAlphabetic creates a random string whose length is the number of characters specified.
+-Characters will be chosen from the set of alpha-numeric characters as indicated by the arguments.
+Characters will be chosen from the set of alphabetic characters.
+ 
+ Parameters:
+ 	count - the length of random string to create
+-	letters - if true, generated string may include alphabetic characters
+-	numbers - if true, generated string may include numeric characters
+ 
+ Returns:
+ 	string - the random string
+@@ -106,19 +103,8 @@ func RandomAlphaNumeric(count int) (string, error) {
+ 	if err != nil {
+ 		return "", fmt.Errorf("Error: %s", err)
+ 	}
+-	match, err := regexp.MatchString("([0-9]+)", RandomString)
+-	if err != nil {
+-		panic(err)
+-	}
+ 
+-	if !match {
+-		//Get the position between 0 and the length of the string-1  to insert a random number
+-		position := rand.Intn(count)
+-		//Insert a random number between [0-9] in the position
+-		RandomString = RandomString[:position] + string('0'+rand.Intn(10)) + RandomString[position+1:]
+-		return RandomString, err
+-	}
+-	return RandomString, err
+	return RandomString[:count], nil
+ 
+ }
+ 
--- a/SPECS/influxdb/influxdb.spec
+++ b/SPECS/influxdb/influxdb.spec
@ -18,7 +18,7 @@
 Summary:        Scalable datastore for metrics, events, and real-time analytics
 Name:           influxdb
 Version:        2.7.3
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@ -55,6 +55,7 @@ Source3:        influxdb.service
 Source4:        influxdb.tmpfiles
 Source5:        config.yaml
 Source6:        influxdb-user.conf
+Patch0:         CVE-2021-4238.patch
 BuildRequires:  clang
 BuildRequires:  golang
 BuildRequires:  kernel-headers
@ -84,7 +85,7 @@ Conflicts:      influxdb
 Go sources and other development files for InfluxDB

 %prep
-%autosetup -a 1
+%autosetup -p1 -a 1

 mkdir -pv static
 tar -xf %{SOURCE2} -C static/ --no-same-owner
@ -144,6 +145,9 @@ go test ./...
 %{_tmpfilesdir}/influxdb.conf

 %changelog
+* Wed Jun 19 2024 Nicolas Guibourge <nicolasg@microsoft.com> - 2.7.3-3
+- Address CVE-2021-4238
+
 * Thu Mar 07 2024 Andrew Phelps <anphel@microsoft.com> - 2.7.3-2
 - Remove restriction on golang BR version