From 2cfea6b9b000ae042fed4189b1947851cd6b2d1b Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Mon, 29 Jul 2024 20:49:01 -0700
Subject: [PATCH] [AUTO-CHERRYPICK] Add Patch in terraform for CVE-2024-6257. - branch main (#9954)
Co-authored-by: Sumynwa
Co-authored-by: jslobodzian
---
 SPECS/terraform/CVE-2024-6257.patch | 128 ++++++++++++++++++++++++++++
 SPECS/terraform/terraform.spec | 9 +-
 2 files changed, 135 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/terraform/CVE-2024-6257.patch
diff --git a/SPECS/terraform/CVE-2024-6257.patch b/SPECS/terraform/CVE-2024-6257.patch
new file mode 100644
index 00000000000..0ace61192bd
--- /dev/null
+++ b/SPECS/terraform/CVE-2024-6257.patch
@@ -0,0 +1,128 @@
+From 9906874a23919a81eff097d84fdb8f98525ac880 Mon Sep 17 00:00:00 2001
+From: dduzgun-security
+Date: Thu, 20 Jun 2024 10:06:56 -0400
+Subject: [PATCH 1/2] recreate git config during update to prevent config
+ alteration
+
+Modified to apply to vendored code by: Sumedh Sharma
+ - Adjusted paths to work for vendored version
+ - Removed test code since it is not included in vendor trace
+---
+ vendor/github.com/hashicorp/go-getter/get_git.go | 81 +++++++++++++++----
+ 1 file changed, 67 insertions(+), 14 deletions(-)
+
+diff --git a/vendor/github.com/hashicorp/go-getter/get_git.go b/vendor/github.com/hashicorp/go-getter/get_git.go
+index 5227db7..51a898b 100644
+--- a/vendor/github.com/hashicorp/go-getter/get_git.go
++++ b/vendor/github.com/hashicorp/go-getter/get_git.go
+@@ -125,7 +125,7 @@ func (g *GitGetter) Get(dst string, u *url.URL) error {
+ return err
+ }
+ if err == nil {
+- err = g.update(ctx, dst, sshKeyFile, ref, depth)
++ err = g.update(ctx, dst, sshKeyFile, u, ref, depth)
+ } else {
+ err = g.clone(ctx, dst, sshKeyFile, u, ref, depth)
+ }
+@@ -228,28 +228,64 @@ func (g *GitGetter) clone(ctx context.Context, dst, sshKeyFile string, u *url.UR
+ return nil
+ }
+
+-func (g *GitGetter) update(ctx context.Context, dst, sshKeyFile, ref string, depth int) error {
+- // Determine if we're a branch. If we're NOT a branch, then we just
+- // switch to master prior to checking out
+- cmd := exec.CommandContext(ctx, "git", "show-ref", "-q", "--verify", "refs/heads/"+ref)
++func (g *GitGetter) update(ctx context.Context, dst, sshKeyFile string, u *url.URL, ref string, depth int) error {
++ // Remove all variations of .git directories
++ err := removeCaseInsensitiveGitDirectory(dst)
++ if err != nil {
++ return err
++ }
++
++ // Initialize the git repository
++ cmd := exec.CommandContext(ctx, "git", "init")
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
++
++ // Add the git remote
++ cmd = exec.CommandContext(ctx, "git", "remote", "add", "origin", "--", u.String())
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
++
++ // Fetch the remote ref
++ cmd = exec.CommandContext(ctx, "git", "fetch", "--tags")
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
++
++ // Fetch the remote ref
++ cmd = exec.CommandContext(ctx, "git", "fetch", "origin", "--", ref)
+ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
++ }
+
+- if getRunCommand(cmd) != nil {
+- // Not a branch, switch to default branch. This will also catch
+- // non-existent branches, in which case we want to switch to default
+- // and then checkout the proper branch later.
+- ref = findDefaultBranch(ctx, dst)
++ // Reset the branch to the fetched ref
++ cmd = exec.CommandContext(ctx, "git", "reset", "--hard", "FETCH_HEAD")
++ cmd.Dir = dst
++ err = getRunCommand(cmd)
++ if err != nil {
++ return err
+ }
+
+- // We have to be on a branch to pull
+- if err := g.checkout(ctx, dst, ref); err != nil {
++ // Checkout ref branch
++ err = g.checkout(ctx, dst, ref)
++ if err != nil {
+ return err
+ }
+
++ // Pull the latest changes from the ref branch
+ if depth > 0 {
+- cmd = exec.CommandContext(ctx, "git", "pull", "--depth", strconv.Itoa(depth), "--ff-only")
++ cmd = exec.CommandContext(ctx, "git", "pull", "origin", "--depth", strconv.Itoa(depth), "--ff-only", "--", ref)
+ } else {
+- cmd = exec.CommandContext(ctx, "git", "pull", "--ff-only")
++ cmd = exec.CommandContext(ctx, "git", "pull", "origin", "--ff-only", "--", ref)
+ }
+
+ cmd.Dir = dst
+@@ -374,3 +410,20 @@ func checkGitVersion(ctx context.Context, min string) error {
+
+ return nil
+ }
++
++// removeCaseInsensitiveGitDirectory removes all .git directory variations
++func removeCaseInsensitiveGitDirectory(dst string) error {
++ files, err := os.ReadDir(dst)
++ if err != nil {
++ return fmt.Errorf("Failed to read the destination directory %s during git update", dst)
++ }
++ for _, f := range files {
++ if strings.EqualFold(f.Name(), ".git") && f.IsDir() {
++ err := os.RemoveAll(filepath.Join(dst, f.Name()))
++ if err != nil {
++ return fmt.Errorf("Failed to remove the .git directory in the destination directory %s during git update", dst)
++ }
++ }
++ }
++ return nil
++}
+--
+2.25.1
+
diff --git a/SPECS/terraform/terraform.spec b/SPECS/terraform/terraform.spec
index 4bc2dae11fd..d347de8d122 100644
--- a/SPECS/terraform/terraform.spec
+++ b/SPECS/terraform/terraform.spec
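Review bot: The rewritten `update` removes the old fallback that switched to `findDefaultBranch` when `ref` was not a local branch and now hands `ref` unmodified to `git fetch origin -- ref`, `g.checkout` and `git pull`; if `Get` can still pass an empty `ref` (its query parsing is outside the hunk), none of the fetch, checkout or pull steps handle that case and the update is likely to fail where it previously fell back to the default branch, so resolve the remote default first (e.g. `git ls-remote --symref -- <url> HEAD`) when `ref == ""`. In `removeCaseInsensitiveGitDirectory` the `&& f.IsDir()` condition leaves a `.git` symlink or gitdir-link file in place, and the subsequent `git init` would then reuse whichever repository it points at, config included — the very thing this patch is meant to discard; drop the type check, `if strings.EqualFold(f.Name(), ".git") {`, since `os.RemoveAll` removes a symlink itself rather than its target. None of the new `git remote add`/`git fetch` invocations apply whatever SSH environment `sshKeyFile` is presumably used for on the final pull (that tail of `update` is outside the hunk), so an update over SSH with a key file likely fetches with the default key. The embedded subject reads `[PATCH 1/2]` but only this one patch is carried; the header says test code was dropped, so confirm the second commit of the upstream series contains nothing else needed for the fix.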
@@ -1,7 +1,7 @@
 Summary: Infrastructure as code deployment management tool
 Name: terraform
 Version: 1.3.2
-Release: 16%{?dist}
+Release: 17%{?dist}
 License: MPLv2.0
 Vendor: Microsoft Corporation
 Distribution: Mariner
@@ -29,7 +29,9 @@ Source0: https://github.com/hashicorp/terraform/archive/refs/tags/v%{vers
 Source1: %{name}-%{version}-vendor.tar.gz
 Patch0: CVE-2023-44487.patch
 Patch1: CVE-2024-3817.patch
-Patch2: CVE-2024-6104.patch
+Patch2: CVE-2024-6257.patch
+Patch3: CVE-2024-6104.patch
+
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -63,6 +65,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform
 %{_bindir}/terraform
 
 %changelog
+* Thu Jul 25 2024 Sumedh Sharma - 1.3.2-17
+- Patch CVE-2024-6257 in vendored hashicorp/go-getter
+
 * Mon Jul 29 2024 Sumedh Sharma - 1.3.2-16
 - Patch CVE-2024-6104
 
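Review bot: The new `%changelog` entry is dated `Thu Jul 25 2024` yet is placed above the `Mon Jul 29 2024` entry for release 16, so the log is no longer in descending chronological order; rpmbuild validates that ordering and may reject the spec, and the date also disagrees with the commit's own date of Jul 29. Date the 1.3.2-17 entry on or after the 1.3.2-16 one, e.g. `* Mon Jul 29 2024 Sumedh Sharma - 1.3.2-17`.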