[AUTO-CHERRYPICK] telegraf: Add patch for CVE-2024-37298 - branch main (#9823)

Co-authored-by: Sumynwa <sumsharma@microsoft.com>
2024-07-25 15:53:12 -07:00 · 2024-07-25 15:53:12 -07:00 · 57506f34f3
--- a/SPECS/telegraf/CVE-2024-37298.patch
+++ b/SPECS/telegraf/CVE-2024-37298.patch
@ -0,0 +1,64 @@
+From cd59f2f12cbdfa9c06aa63e425d1fe4a806967ff Mon Sep 17 00:00:00 2001
+From: Bharat Rajani <bharat.ramrajani@gmail.com>
+Date: Sun, 30 Jun 2024 02:04:06 +0530
+Subject: [PATCH] Merge pull request from GHSA-3669-72x9-r9p3
+
+* fixes the security advisory by limiting the slice creation based on configurable maxSize
+
+* address review comment
+---
+ decoder.go      |  18 ++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/gorilla/schema/decoder.go b/vendor/github.com/gorilla/schema/decoder.go
+index ed85641..54c88ec 100644
+--- a/vendor/github.com/gorilla/schema/decoder.go
+++ b/vendor/github.com/gorilla/schema/decoder.go
+@@ -12,9 +12,13 @@ import (
+ 	"strings"
+ )
+ 
+const (
+	defaultMaxSize = 16000
+)
+
+ // NewDecoder returns a new Decoder.
+ func NewDecoder() *Decoder {
+-	return &Decoder{cache: newCache()}
+	return &Decoder{cache: newCache(), maxSize: defaultMaxSize}
+ }
+ 
+ // Decoder decodes values from a map[string][]string to a struct.
+@@ -22,6 +26,7 @@ type Decoder struct {
+ 	cache             *cache
+ 	zeroEmpty         bool
+ 	ignoreUnknownKeys bool
+	maxSize           int
+ }
+ 
+ // SetAliasTag changes the tag used to locate custom field aliases.
+@@ -54,6 +59,13 @@ func (d *Decoder) IgnoreUnknownKeys(i bool) {
+ 	d.ignoreUnknownKeys = i
+ }
+ 
+// MaxSize limits the size of slices for URL nested arrays or object arrays.
+// Choose MaxSize carefully; large values may create many zero-value slice elements.
+// Example: "items.100000=apple" would create a slice with 100,000 empty strings.
+func (d *Decoder) MaxSize(size int) {
+	d.maxSize = size
+}
+
+ // RegisterConverter registers a converter function for a custom type.
+ func (d *Decoder) RegisterConverter(value interface{}, converterFunc Converter) {
+ 	d.cache.registerConverter(value, converterFunc)
+@@ -302,6 +314,10 @@ func (d *Decoder) decode(v reflect.Value, path string, parts []pathPart, values
+ 	// Slice of structs. Let's go recursive.
+ 	if len(parts) > 1 {
+ 		idx := parts[0].index
+		// a defensive check to avoid creating a large slice based on user input index
+		if idx > d.maxSize {
+			return fmt.Errorf("%v index %d is larger than the configured maxSize %d", v.Kind(), idx, d.maxSize)
+		}
+ 		if v.IsNil() || v.Len() < idx+1 {
+ 			value := reflect.MakeSlice(t, idx+1, idx+1)
+ 			if v.Len() < idx+1 {
--- a/SPECS/telegraf/telegraf.spec
+++ b/SPECS/telegraf/telegraf.spec
@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.29.4
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@ -14,6 +14,7 @@ Patch0:         CVE-2023-45288.patch
 Patch1:         CVE-2024-28110.patch
 Patch2:         CVE-2024-27289.patch
 Patch3:         CVE-2024-35255.patch
+Patch4:         CVE-2024-37298.patch
 BuildRequires:  golang
 BuildRequires:  iana-etc
 BuildRequires:  systemd-devel
@ -84,6 +85,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d

 %changelog
+* Thu Jul 11 2024 Sumedh Sharma <sumsharma@microsoft.com> - 1.29.4-7
+- Add patch for CVE-2024-37298
+
 * Tue Jun 18 2024 Saul Paredes <saulparedes@microsoft.com> - 1.29.4-6
 - Patch CVE-2024-35255