

[AUTO-CHERRYPICK] Add Patch in terraform for CVE-2024-6257. - branch …
…main (#9954)

Co-authored-by: Sumynwa <sumsharma@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
3 people authored Jul 30, 2024
1 parent ca07e1b commit 2cfea6b
Showing 2 changed files with 135 additions and 2 deletions.
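--- /dev/null
+++ b/SPECS/terraform/CVE-2024-6257.patch
@@ -0,0 +1,128 @@
+From 9906874a23919a81eff097d84fdb8f98525ac880 Mon Sep 17 00:00:00 2001
+From: dduzgun-security <deniz.duzgun@hashicorp.com>
+Date: Thu, 20 Jun 2024 10:06:56 -0400
+Subject: [PATCH 1/2] recreate git config during update to prevent config
+alteration
+
+Modified to apply to vendored code by: Sumedh Sharma <sumsharma@microsoft.com>
+- Adjusted paths to work for vendored version
+- Removed test code since it is not included in vendor trace
+---
+vendor/github.com/hashicorp/go-getter/get_git.go | 81 +++++++++++++++----
+1 file changed, 67 insertions(+), 14 deletions(-)
+
+diff --git a/vendor/github.com/hashicorp/go-getter/get_git.go b/vendor/github.com/hashicorp/go-getter/get_git.go
+index 5227db7..51a898b 100644
+--- a/vendor/github.com/hashicorp/go-getter/get_git.go
++++ b/vendor/github.com/hashicorp/go-getter/get_git.go
+@@ -125,7 +125,7 @@ func (g *GitGetter) Get(dst string, u *url.URL) error {
+return err
+}
+if err == nil {
+- err = g.update(ctx, dst, sshKeyFile, ref, depth)
++ err = g.update(ctx, dst, sshKeyFile, u, ref, depth)
+} else {
+err = g.clone(ctx, dst, sshKeyFile, u, ref, depth)
+}
+@@ -228,28 +228,64 @@ func (g *GitGetter) clone(ctx context.Context, dst, sshKeyFile string, u *url.UR
+return nil
+}
+
+-func (g *GitGetter) update(ctx context.Context, dst, sshKeyFile, ref string, depth int) error {
+- // Determine if we're a branch. If we're NOT a branch, then we just
+- // switch to master prior to checking out
+- cmd := exec.CommandContext(ctx, "git", "show-ref", "-q", "--verify", "refs/heads/"+ref)
++func (g *GitGetter) update(ctx context.Context, dst, sshKeyFile string, u *url.URL, ref string, depth int) error {
++ // Remove all variations of .git directories
++ err := removeCaseInsensitiveGitDirectory(dst)
++ if err != nil {
++ return err
++ }
++
++ // Initialize the git repository
++ cmd := exec.CommandContext(ctx, "git", "init")
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
++
++ // Add the git remote
++ cmd = exec.CommandContext(ctx, "git", "remote", "add", "origin", "--", u.String())
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
++
++ // Fetch the remote ref
++ cmd = exec.CommandContext(ctx, "git", "fetch", "--tags")
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
++
++ // Fetch the remote ref
++ cmd = exec.CommandContext(ctx, "git", "fetch", "origin", "--", ref)
+cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
+
+- if getRunCommand(cmd) != nil {
+- // Not a branch, switch to default branch. This will also catch
+- // non-existent branches, in which case we want to switch to default
+- // and then checkout the proper branch later.
+- ref = findDefaultBranch(ctx, dst)
++ // Reset the branch to the fetched ref
++ cmd = exec.CommandContext(ctx, "git", "reset", "--hard", "FETCH_HEAD")
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
+}
+
+- // We have to be on a branch to pull
+- if err := g.checkout(ctx, dst, ref); err != nil {
++ // Checkout ref branch
++ err = g.checkout(ctx, dst, ref)
++ if err != nil {
+return err
+}
+
++ // Pull the latest changes from the ref branch
+if depth > 0 {
+- cmd = exec.CommandContext(ctx, "git", "pull", "--depth", strconv.Itoa(depth), "--ff-only")
++ cmd = exec.CommandContext(ctx, "git", "pull", "origin", "--depth", strconv.Itoa(depth), "--ff-only", "--", ref)
+} else {
+- cmd = exec.CommandContext(ctx, "git", "pull", "--ff-only")
++ cmd = exec.CommandContext(ctx, "git", "pull", "origin", "--ff-only", "--", ref)
+}
+
+cmd.Dir = dst
+@@ -374,3 +410,20 @@ func checkGitVersion(ctx context.Context, min string) error {
+
+return nil
+}
++
++// removeCaseInsensitiveGitDirectory removes all .git directory variations
++func removeCaseInsensitiveGitDirectory(dst string) error {
++ files, err := os.ReadDir(dst)
++ if err != nil {
++ return fmt.Errorf("Failed to read the destination directory %s during git update", dst)
++ }
++ for _, f := range files {
++ if strings.EqualFold(f.Name(), ".git") && f.IsDir() {
++ err := os.RemoveAll(filepath.Join(dst, f.Name()))
++ if err != nil {
++ return fmt.Errorf("Failed to remove the .git directory in the destination directory %s during git update", dst)
++ }
++ }
++ }
++ return nil
++}
+--
+2.25.1
+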
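Review bot: The sweep in removeCaseInsensitiveGitDirectory keeps only entries that satisfy `f.IsDir()`, so a `.git` gitfile (a `gitdir: <path>` pointer) or a `.git` symlink planted in dst survives it — `os.ReadDir` entries report symlinks as non-directories — and the subsequent `git init`/`git fetch` would follow that link and run with whatever config the linked repository carries, which is exactly the attacker-controlled state this patch is meant to discard. Dropping the type test, `if strings.EqualFold(f.Name(), ".git") {`, closes that gap; `os.RemoveAll` already handles plain files and symlinks. The two `fmt.Errorf` calls in the helper also throw away the underlying `err`, so a permission or I/O cause never reaches the caller; `return fmt.Errorf("failed to read the destination directory %s during git update: %w", dst, err)` (and likewise for the RemoveAll failure) keeps it visible. Separately, `sshKeyFile` is threaded into the new `update` signature but is never applied to the `git fetch` commands before `getRunCommand`; the tail of `update` after `cmd.Dir = dst` lies outside this hunk, so if the SSH key is only wired into the environment of the final `git pull`, key-authenticated fetches will fail and each fetch needs the same setup.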
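--- a/SPECS/terraform/terraform.spec
+++ b/SPECS/terraform/terraform.spec
@@ -1,7 +1,7 @@
 Summary: Infrastructure as code deployment management tool
 Name: terraform
 Version: 1.3.2
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: MPLv2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -29,7 +29,9 @@ Source0: https://github.com/hashicorp/terraform/archive/refs/tags/v%{vers
 Source1: %{name}-%{version}-vendor.tar.gz
 Patch0: CVE-2023-44487.patch
 Patch1: CVE-2024-3817.patch
-Patch2: CVE-2024-6104.patch
+Patch2: CVE-2024-6257.patch
+Patch3: CVE-2024-6104.patch
+
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -63,6 +65,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform
 %{_bindir}/terraform
 
 %changelog
+* Thu Jul 25 2024 Sumedh Sharma <sumsharma@microsoft.com> - 1.3.2-17
+- Patch CVE-2024-6257 in vendored hashicorp/go-getter
+
 * Mon Jul 29 2024 Sumedh Sharma <sumsharma@microsoft.com> - 1.3.2-16
 - Patch CVE-2024-6104
 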
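Review bot: The new %changelog entry `* Thu Jul 25 2024 Sumedh Sharma <sumsharma@microsoft.com> - 1.3.2-17` is dated four days earlier than the 1.3.2-16 entry directly below it (Mon Jul 29 2024) yet sits above it; rpm's spec parser checks that %changelog runs in descending chronological order and recent rpm releases treat a violation as a build error, and rpmlint flags it as well. Dating the entry on or after the previous one, `* Tue Jul 30 2024 Sumedh Sharma <sumsharma@microsoft.com> - 1.3.2-17`, matches the commit date and keeps the history monotonic. Inserting the new file as Patch2 and renumbering CVE-2024-6104.patch to Patch3 also swaps the order in which the two fixes are applied; %prep is outside this section, so if it applies patches by explicit `%patchN` numbers rather than `%autosetup`, confirm the renumbering is mirrored there.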
