[AUTOPATCHER-CORE] Upgrade helm to 3.10.3 to fix CVE-2022-23524 - (#4535)

* Upgrade helm to 3.10.3 to fix CVE-2022-23524 * Fixed the helm vendor signatures Co-authored-by: Betty Lakes <bettylakes@microsoft.com>
2023-01-05 12:21:28 -08:00 · 2023-01-05 12:21:28 -08:00 · 8eb2670cd2
--- a/SPECS/helm/CVE-2022-23525.patch
+++ b/SPECS/helm/CVE-2022-23525.patch
@ -1,147 +0,0 @@
-From 256e976331db4b7335ef721e411e7b59c5317ccb Mon Sep 17 00:00:00 2001
-From: Martin Hickey <martin.hickey@ie.ibm.com>
-Date: Wed, 9 Nov 2022 16:11:43 +0000
-Subject: [PATCH] Update repo handling
-
-Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
---
- pkg/repo/index.go      |  8 ++++++++
- pkg/repo/index_test.go | 33 +++++++++++++++++++++++++++++++++
- pkg/repo/repo.go       |  3 +++
- pkg/repo/repo_test.go  | 31 +++++++++++++++++++++++++++++++
- 4 files changed, 75 insertions(+)
-
-diff --git a/pkg/repo/index.go b/pkg/repo/index.go
-index 1b65ac497c1..60cfe5801ff 100644
--- a/pkg/repo/index.go
-+++ b/pkg/repo/index.go
-@@ -118,6 +118,10 @@ func LoadIndexFile(path string) (*IndexFile, error) {
- // MustAdd adds a file to the index
- // This can leave the index in an unsorted state
- func (i IndexFile) MustAdd(md *chart.Metadata, filename, baseURL, digest string) error {
-+	if i.Entries == nil {
-+		return errors.New("entries not initialized")
-+	}
-+
- 	if md.APIVersion == "" {
- 		md.APIVersion = chart.APIVersionV1
- 	}
-@@ -339,6 +343,10 @@ func loadIndex(data []byte, source string) (*IndexFile, error) {
- 
- 	for name, cvs := range i.Entries {
- 		for idx := len(cvs) - 1; idx >= 0; idx-- {
-+			if cvs[idx] == nil {
-+				log.Printf("skipping loading invalid entry for chart %q from %s: empty entry", name, source)
-+				continue
-+			}
- 			if cvs[idx].APIVersion == "" {
- 				cvs[idx].APIVersion = chart.APIVersionV1
- 			}
-diff --git a/pkg/repo/index_test.go b/pkg/repo/index_test.go
-index a75a4177aef..2403e9a71ab 100644
--- a/pkg/repo/index_test.go
-+++ b/pkg/repo/index_test.go
-@@ -59,6 +59,15 @@ entries:
-       version: 1.0.0
-       home: https://github.com/something
-       digest: "sha256:1234567890abcdef"
-+`
-+	indexWithEmptyEntry = `
-+apiVersion: v1
-+entries:
-+  grafana:
-+  - apiVersion: v2
-+    name: grafana
-+  foo:
-+  -
- `
- )
- 
-@@ -152,6 +161,12 @@ func TestLoadIndex_Duplicates(t *testing.T) {
- 	}
- }
- 
-+func TestLoadIndex_EmptyEntry(t *testing.T) {
-+	if _, err := loadIndex([]byte(indexWithEmptyEntry), "indexWithEmptyEntry"); err != nil {
-+		t.Errorf("unexpected error: %s", err)
-+	}
-+}
-+
- func TestLoadIndex_Empty(t *testing.T) {
- 	if _, err := loadIndex([]byte(""), "indexWithEmpty"); err == nil {
- 		t.Errorf("Expected an error when index.yaml is empty.")
-@@ -526,3 +541,21 @@ func TestIndexWrite(t *testing.T) {
- 		t.Fatal("Index files doesn't contain expected content")
- 	}
- }
-+
-+func TestAddFileIndexEntriesNil(t *testing.T) {
-+	i := NewIndexFile()
-+	i.APIVersion = chart.APIVersionV1
-+	i.Entries = nil
-+	for _, x := range []struct {
-+		md       *chart.Metadata
-+		filename string
-+		baseURL  string
-+		digest   string
-+	}{
-+		{&chart.Metadata{APIVersion: "v2", Name: " ", Version: "8033-5.apinie+s.r"}, "setter-0.1.9+beta.tgz", "http://example.com/charts", "sha256:1234567890abc"},
-+	} {
-+		if err := i.MustAdd(x.md, x.filename, x.baseURL, x.digest); err == nil {
-+			t.Errorf("expected err to be non-nil when entries not initialized")
-+		}
-+	}
-+}
-diff --git a/pkg/repo/repo.go b/pkg/repo/repo.go
-index 6f1e90dad24..ee80d04f428 100644
--- a/pkg/repo/repo.go
-+++ b/pkg/repo/repo.go
-@@ -100,6 +100,9 @@ func (r *File) Remove(name string) bool {
- 	cp := []*Entry{}
- 	found := false
- 	for _, rf := range r.Repositories {
-+		if rf == nil {
-+			continue
-+		}
- 		if rf.Name == name {
- 			found = true
- 			continue
-diff --git a/pkg/repo/repo_test.go b/pkg/repo/repo_test.go
-index f87d2c202bc..7080a7cef88 100644
--- a/pkg/repo/repo_test.go
-+++ b/pkg/repo/repo_test.go
-@@ -225,3 +225,34 @@ func TestRepoNotExists(t *testing.T) {
- 		t.Errorf("expected prompt `couldn't load repositories file`")
- 	}
- }
-+
-+func TestRemoveRepositoryInvalidEntries(t *testing.T) {
-+	sampleRepository := NewFile()
-+	sampleRepository.Add(
-+		&Entry{
-+			Name: "stable",
-+			URL:  "https://example.com/stable/charts",
-+		},
-+		&Entry{
-+			Name: "incubator",
-+			URL:  "https://example.com/incubator",
-+		},
-+		&Entry{},
-+		nil,
-+		&Entry{
-+			Name: "test",
-+			URL:  "https://example.com/test",
-+		},
-+	)
-+
-+	removeRepository := "stable"
-+	found := sampleRepository.Remove(removeRepository)
-+	if !found {
-+		t.Errorf("expected repository %s not found", removeRepository)
-+	}
-+
-+	found = sampleRepository.Has(removeRepository)
-+	if found {
-+		t.Errorf("repository %s not deleted", removeRepository)
-+	}
-+}
--- a/SPECS/helm/CVE-2022-23526.patch
+++ b/SPECS/helm/CVE-2022-23526.patch
@ -1,74 +0,0 @@
-From 775af2a0ceadef1bc8f627cdb70fadb3c69b8d86 Mon Sep 17 00:00:00 2001
-From: Martin Hickey <martin.hickey@ie.ibm.com>
-Date: Fri, 21 Oct 2022 18:04:05 +0100
-Subject: [PATCH] Update schema validation handling
-
-Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
---
- pkg/chartutil/jsonschema.go                   |  8 ++++++-
- pkg/chartutil/jsonschema_test.go              | 24 +++++++++++++++++++
- .../testdata/test-values-invalid.schema.json  |  1 +
- 3 files changed, 32 insertions(+), 1 deletion(-)
- create mode 100644 pkg/chartutil/testdata/test-values-invalid.schema.json
-
-diff --git a/pkg/chartutil/jsonschema.go b/pkg/chartutil/jsonschema.go
-index 753dc98c1eb..7b9768fd3cc 100644
--- a/pkg/chartutil/jsonschema.go
-+++ b/pkg/chartutil/jsonschema.go
-@@ -55,7 +55,13 @@ func ValidateAgainstSchema(chrt *chart.Chart, values map[string]interface{}) err
- }
- 
- // ValidateAgainstSingleSchema checks that values does not violate the structure laid out in this schema
-func ValidateAgainstSingleSchema(values Values, schemaJSON []byte) error {
-+func ValidateAgainstSingleSchema(values Values, schemaJSON []byte) (reterr error) {
-+	defer func() {
-+		if r := recover(); r != nil {
-+			reterr = fmt.Errorf("unable to validate schema: %s", r)
-+		}
-+	}()
-+
- 	valuesData, err := yaml.Marshal(values)
- 	if err != nil {
- 		return err
-diff --git a/pkg/chartutil/jsonschema_test.go b/pkg/chartutil/jsonschema_test.go
-index a0acd5a7f29..d71668ac888 100644
--- a/pkg/chartutil/jsonschema_test.go
-+++ b/pkg/chartutil/jsonschema_test.go
-@@ -38,6 +38,30 @@ func TestValidateAgainstSingleSchema(t *testing.T) {
- 	}
- }
- 
-+func TestValidateAgainstInvalidSingleSchema(t *testing.T) {
-+	values, err := ReadValuesFile("./testdata/test-values.yaml")
-+	if err != nil {
-+		t.Fatalf("Error reading YAML file: %s", err)
-+	}
-+	schema, err := ioutil.ReadFile("./testdata/test-values-invalid.schema.json")
-+	if err != nil {
-+		t.Fatalf("Error reading YAML file: %s", err)
-+	}
-+
-+	var errString string
-+	if err := ValidateAgainstSingleSchema(values, schema); err == nil {
-+		t.Fatalf("Expected an error, but got nil")
-+	} else {
-+		errString = err.Error()
-+	}
-+
-+	expectedErrString := "unable to validate schema: runtime error: invalid " +
-+		"memory address or nil pointer dereference"
-+	if errString != expectedErrString {
-+		t.Errorf("Error string :\n`%s`\ndoes not match expected\n`%s`", errString, expectedErrString)
-+	}
-+}
-+
- func TestValidateAgainstSingleSchemaNegative(t *testing.T) {
- 	values, err := ReadValuesFile("./testdata/test-values-negative.yaml")
- 	if err != nil {
-diff --git a/pkg/chartutil/testdata/test-values-invalid.schema.json b/pkg/chartutil/testdata/test-values-invalid.schema.json
-new file mode 100644
-index 00000000000..35a16a2c415
--- /dev/null
-+++ b/pkg/chartutil/testdata/test-values-invalid.schema.json
-@@ -0,0 +1 @@
-+   1E1111111
--- a/SPECS/helm/helm.signatures.json
+++ b/SPECS/helm/helm.signatures.json
@ -1,6 +1,6 @@
 {
- "Signatures": {
-  "helm-3.9.4-vendor.tar.gz": "eab3443b9cbabdc6a85e94384b5fef5d6ecdbcb36b6c49507413d2dd181fa76f",
-  "helm-3.9.4.tar.gz": "0b606a7a17d1c81f0b80a92bda71b971ad7fa9bfe8dde2aab04ca013a5c7a005"
- }
-}
+  "Signatures": {
+    "helm-3.10.3-vendor.tar.gz": "06b243397a162aa335c726d112261e6f5ca5067100ea66773ad3aa2a3d59897e",
+    "helm-3.10.3.tar.gz": "a61ede2b1b9a0d3a7c1cc19cca99db109eb5b787eee0e147bd3bfa2c4e337eb1"
+  }
+}
--- a/SPECS/helm/helm.spec
+++ b/SPECS/helm/helm.spec
@ -1,8 +1,8 @@
 %global debug_package %{nil}

 Name:          helm
-Version:       3.9.4
-Release:       5%{?dist}
+Version:       3.10.3
+Release:       1%{?dist}
 Summary:       The Kubernetes Package Manager
 Group:         Applications/Networking
 License:       Apache 2.0
@ -25,10 +25,6 @@ Source0:       %{name}-%{version}.tar.gz
 #           -cf %%{name}-%%{version}-vendor.tar.gz vendor
 #
 Source1:       %{name}-%{version}-vendor.tar.gz
-# CVE-2022-23525 has been patched in 3.10.3: https://github.com/helm/helm/commit/638ebffbc2e445156f3978f02fd83d9af1e56f5b
-Patch0:        CVE-2022-23525.patch
-# CVE-2022-23526 has been patched in 3.10.3: https://github.com/helm/helm/commit/bafafa8bb1b571b61d7a9528da8d40c307dade3d
-Patch1:        CVE-2022-23526.patch
 BuildRequires: golang >= 1.15.5

 %description
@ -59,6 +55,9 @@ install -m 755 ./helm %{buildroot}%{_bindir}
 go test -v ./cmd/helm

 %changelog
+* Wed Jan 04 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.10.3-1
+- Auto-upgrade to 3.10.3 - to fix CVE-2022-23524
+
 * Thu Dec 22 2022 Nan Liu <liunan@microsoft.com> - 3.9.4-5
 - Enable the check tests

--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -4780,8 +4780,8 @@
        "type": "other",
        "other": {
          "name": "helm",
-          "version": "3.9.4",
-          "downloadUrl": "https://github.com/helm/helm/archive/v3.9.4.tar.gz"
+          "version": "3.10.3",
+          "downloadUrl": "https://github.com/helm/helm/archive/v3.10.3.tar.gz"
        }
      }
    },