Fix for CVE-2024-25620 in cert-manager (#10118)

SPECS/cert-manager/CVE-2024-25620.patch

@@ -0,0 +1,110 @@
+From e90f3034faa9a6a23131df5665570d221e3092f3 Mon Sep 17 00:00:00 2001
+From: Bhagyashri Pathak <bhapathak@microsoft.com>
+Date: Thu, 8 Aug 2024 10:27:21 +0530
+Subject: [PATCH] CVE-2024-25620 patch 
+
+---
+ cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go  |  4 ++++
+ .../helm.sh/helm/v3/pkg/chartutil/errors.go   |  8 ++++++++
+ cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go  | 20 +++++++++++++++++++
+ .../helm/v3/pkg/lint/rules/chartfile.go       |  4 ++++
+ 4 files changed, 36 insertions(+)
+
+diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
+index ae572ab..3834b4c 100644
+--- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
++++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
+@@ -16,6 +16,7 @@ limitations under the License.
+ package chart
+
+ import (
++	"path/filepath"
+ 	"strings"
+ 	"unicode"
+
+@@ -110,6 +111,9 @@ func (md *Metadata) Validate() error {
+ 	if md.Name == "" {
+ 		return ValidationError("chart.metadata.name is required")
+ 	}
++	if md.Name != filepath.Base(md.Name) {
++		return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
++	}
+ 	if md.Version == "" {
+ 		return ValidationError("chart.metadata.version is required")
+ 	}
+diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
+index fcdcc27..0a4046d 100644
+--- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
++++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
+@@ -33,3 +33,11 @@ type ErrNoValue struct {
+ }
+
+ func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) }
++
++type ErrInvalidChartName struct {
++	Name string
++}
++
++func (e ErrInvalidChartName) Error() string {
++	return fmt.Sprintf("%q is not a valid chart name", e.Name)
++}
+diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
+index 2ce4edd..4ee9070 100644
+--- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
++++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
+@@ -39,6 +39,10 @@ var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=")
+ // directory, writing the chart's contents to that subdirectory.
+ func SaveDir(c *chart.Chart, dest string) error {
+ 	// Create the chart directory
++	err := validateName(c.Name())
++	if err != nil {
++		return err
++	}
+ 	outdir := filepath.Join(dest, c.Name())
+ 	if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() {
+ 		return errors.Errorf("file %s already exists and is not a directory", outdir)
+@@ -149,6 +153,10 @@ func Save(c *chart.Chart, outDir string) (string, error) {
+ }
+
+ func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error {
++	err := validateName(c.Name())
++	if err != nil {
++		return err
++	}
+ 	base := filepath.Join(prefix, c.Name())
+
+ 	// Pull out the dependencies of a v1 Chart, since there's no way
+@@ -242,3 +250,15 @@ func writeToTar(out *tar.Writer, name string, body []byte) error {
+ 	_, err := out.Write(body)
+ 	return err
+ }
++
++// If the name has directory name has characters which would change the location
++// they need to be removed.
++func validateName(name string) error {
++	nname := filepath.Base(name)
++
++	if nname != name {
++		return ErrInvalidChartName{name}
++	}
++
++	return nil
++}
+diff --git a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
+index b49f2ce..f8f033c 100644
+--- a/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
++++ b/cmd/ctl/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
+@@ -107,6 +107,10 @@ func validateChartName(cf *chart.Metadata) error {
+ 	if cf.Name == "" {
+ 		return errors.New("name is required")
+ 	}
++	name := filepath.Base(cf.Name)
++	if name != cf.Name {
++		return fmt.Errorf("chart name %q is invalid", cf.Name)
++	}
+ 	return nil
+ }
+
+-- 
+2.34.1
+

SPECS/cert-manager/cert-manager.spec

@@ -1,7 +1,7 @@
 Summary:        Automatically provision and manage TLS certificates in Kubernetes
 Name:           cert-manager
 Version:        1.12.12
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -13,6 +13,7 @@ Source0:        https://github.com/jetstack/%{name}/archive/refs/tags/v%{version
 # 1. wget https://github.com/jetstack/%%{name}/archive/refs/tags/v%%{version}.tar.gz -O %%{name}-%%{version}.tar.gz
 # 2. <repo-root>/SPECS/cert-manager/generate_source_tarball.sh --srcTarball %%{name}-%%{version}.tar.gz --pkgVersion %%{version}
 Source1:        %{name}-%{version}-vendor.tar.gz
+Patch0:         CVE-2024-25620.patch
 BuildRequires:  golang
 Requires:       %{name}-acmesolver
 Requires:       %{name}-cainjector
@@ -57,8 +58,9 @@ Summary:        cert-manager's webhook binary
 Webhook component providing API validation, mutation and conversion functionality for cert-manager.
 
 %prep
-%autosetup -p1
+%setup -q -a 1
-%setup -q -T -D -a 1
+%autopatch -p1
+
 
 %build
 
@@ -76,7 +78,6 @@ install -D -m0755 bin/cainjector %{buildroot}%{_bindir}/
 install -D -m0755 bin/controller %{buildroot}%{_bindir}/
 install -D -m0755 bin/cmctl %{buildroot}%{_bindir}/
 install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
-
 %files
 
 %files acmesolver
@@ -105,6 +106,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
 %{_bindir}/webhook
 
 %changelog
+* Wed Aug 07 2024 Bhagyashri Pathak <bhapathak@microsoft.com> - 1.12.12-2
+- Patch for CVE-2024-25620
+
 * Wed Jul 10 2024 Tobias Brick <tobiasb@microsoft.com> - 1.12.12-1
 - Upgrade to 1.12.12 to fix CVE-2024-26147 and CVE-2023-45142