From 57506f34f395226b07dc10e6cf63bc0a3ef72f9e Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Thu, 25 Jul 2024 15:53:12 -0700
Subject: [PATCH] [AUTO-CHERRYPICK] telegraf: Add patch for CVE-2024-37298 - branch main (#9823)

Co-authored-by: Sumynwa
---
 SPECS/telegraf/CVE-2024-37298.patch | 64 +++++++++++++++++++++++++++++
 SPECS/telegraf/telegraf.spec | 6 ++-
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/telegraf/CVE-2024-37298.patch

diff --git a/SPECS/telegraf/CVE-2024-37298.patch b/SPECS/telegraf/CVE-2024-37298.patch
new file mode 100644
index 0000000000..2e0173134c
--- /dev/null
+++ b/SPECS/telegraf/CVE-2024-37298.patch
@@ -0,0 +1,64 @@
+From cd59f2f12cbdfa9c06aa63e425d1fe4a806967ff Mon Sep 17 00:00:00 2001
+From: Bharat Rajani
+Date: Sun, 30 Jun 2024 02:04:06 +0530
+Subject: [PATCH] Merge pull request from GHSA-3669-72x9-r9p3
+
+* fixes the security advisory by limiting the slice creation based on configurable maxSize
+
+* address review comment
+---
+ decoder.go | 18 ++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/gorilla/schema/decoder.go b/vendor/github.com/gorilla/schema/decoder.go
+index ed85641..54c88ec 100644
+--- a/vendor/github.com/gorilla/schema/decoder.go
++++ b/vendor/github.com/gorilla/schema/decoder.go
+@@ -12,9 +12,13 @@ import (
+ "strings"
+ )
+ 
++const (
++ defaultMaxSize = 16000
++)
++
+ // NewDecoder returns a new Decoder.
+ func NewDecoder() *Decoder {
+- return &Decoder{cache: newCache()}
++ return &Decoder{cache: newCache(), maxSize: defaultMaxSize}
+ }
+ 
+ // Decoder decodes values from a map[string][]string to a struct.
+@@ -22,6 +26,7 @@ type Decoder struct {
+ cache *cache
+ zeroEmpty bool
+ ignoreUnknownKeys bool
++ maxSize int
+ }
+ 
+ // SetAliasTag changes the tag used to locate custom field aliases.
+@@ -54,6 +59,13 @@ func (d *Decoder) IgnoreUnknownKeys(i bool) {
+ d.ignoreUnknownKeys = i
+ }
+ 
++// MaxSize limits the size of slices for URL nested arrays or object arrays.
++// Choose MaxSize carefully; large values may create many zero-value slice elements.
++// Example: "items.100000=apple" would create a slice with 100,000 empty strings.
++func (d *Decoder) MaxSize(size int) {
++ d.maxSize = size
++}
++
+ // RegisterConverter registers a converter function for a custom type.
+ func (d *Decoder) RegisterConverter(value interface{}, converterFunc Converter) {
+ d.cache.registerConverter(value, converterFunc)
+@@ -302,6 +314,10 @@ func (d *Decoder) decode(v reflect.Value, path string, parts []pathPart, values
+ // Slice of structs. Let's go recursive.
+ if len(parts) > 1 {
+ idx := parts[0].index
++ // a defensive check to avoid creating a large slice based on user input index
++ if idx > d.maxSize {
++ return fmt.Errorf("%v index %d is larger than the configured maxSize %d", v.Kind(), idx, d.maxSize)
++ }
+ if v.IsNil() || v.Len() < idx+1 {
+ value := reflect.MakeSlice(t, idx+1, idx+1)
+ if v.Len() < idx+1 {
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec
index acbf695306..416fb8b195 100644
--- a/SPECS/telegraf/telegraf.spec
+++ b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary: agent for collecting, processing, aggregating, and writing metrics.
 Name: telegraf
 Version: 1.29.4
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MIT
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -14,6 +14,7 @@
 Patch0: CVE-2023-45288.patch
 Patch1: CVE-2024-28110.patch
 Patch2: CVE-2024-27289.patch
 Patch3: CVE-2024-35255.patch
+Patch4: CVE-2024-37298.patch
 BuildRequires: golang
 BuildRequires: iana-etc
 BuildRequires: systemd-devel
@@ -84,6 +85,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 %changelog
+* Thu Jul 11 2024 Sumedh Sharma - 1.29.4-7
+- Add patch for CVE-2024-37298
+
 * Tue Jun 18 2024 Saul Paredes - 1.29.4-6
 - Patch CVE-2024-35255
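Review bot: The new guard in the decode hunk bounds the user-supplied index only from above (`if idx > d.maxSize`), so a negative `parts[0].index` would still reach `reflect.MakeSlice(t, idx+1, idx+1)` and the subsequent `v.Index(idx)` unchecked. Whether a negative value can get this far depends on how the path parser converts the index segment, which is outside this hunk; if it uses a plain integer parse, a `-1` segment is accepted, and widening the check to `if idx < 0 || idx > d.maxSize {` closes that case at no cost. The added `MaxSize` setter likewise stores any int without validation, so a caller passing 0 or a negative value silently rejects every indexed path; a doc line such as `// size must be positive; values <= 0 reject all indexed paths.` or a clamp in the setter would make that contract explicit for the telegraf call sites that pick up this vendored change. The enclosing decode function starts and ends outside the hunk.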