Patch telegraf for CVE-2024-45337 & CVE-2024-45338 (#11781)

Co-authored-by: jslobodzian <[email protected]> (cherry picked from commit b94dca4)
microsoft · Jan 7, 2025 · ff23873 · ff23873
1 parent 535e99c
commit ff23873
Show file tree

Hide file tree

Showing 3 changed files with 165 additions and 1 deletion.
diff --git a/SPECS/telegraf/CVE-2024-45337.patch b/SPECS/telegraf/CVE-2024-45337.patch
@@ -0,0 +1,79 @@
+From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <[email protected]>
+Date: Tue, 3 Dec 2024 09:03:03 -0800
+Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache
+
+Users of the the ssh package seem to extremely commonly misuse the
+PublicKeyCallback API, assuming that the key passed in the last call
+before a connection is established is the key used for authentication.
+Some users then make authorization decisions based on this key. This
+property is not documented, and may not be correct, due to the caching
+behavior of the package, resulting in users making incorrect
+authorization decisions about the connection.
+
+This change makes the cache a one entry FIFO cache, making the assumed
+property, that the last call to PublicKeyCallback represents the key
+actually used for authentication, actually hold.
+
+Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and
+Jules Duvivier from the Platform.sh / Upsun engineering team
+for reporting this issue.
+
+Fixes golang/go#70779
+Fixes CVE-2024-45337
+
+Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315
+Reviewed-by: Roland Shoemaker <[email protected]>
+Auto-Submit: Gopher Robot <[email protected]>
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-by: Nicola Murino <[email protected]>
+LUCI-TryBot-Result: Go LUCI <[email protected]>
+---
+ vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
+index c2dfe326..39dcc095 100644
+--- a/vendor/golang.org/x/crypto/ssh/server.go
++++ b/vendor/golang.org/x/crypto/ssh/server.go
+@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) {
+ }
+
+ // cachedPubKey contains the results of querying whether a public key is
+-// acceptable for a user.
++// acceptable for a user. This is a FIFO cache.
+ type cachedPubKey struct {
+ 	user       string
+ 	pubKeyData []byte
+@@ -157,7 +157,13 @@ type cachedPubKey struct {
+ 	perms      *Permissions
+ }
+
+-const maxCachedPubKeys = 16
++// maxCachedPubKeys is the number of cache entries we store.
++//
++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this
++// to 1, such that the only key in the cache is the most recently seen one. This
++// forces the behavior that the last call to PublicKeyCallback will always be
++// with the key that is used for authentication.
++const maxCachedPubKeys = 1
+
+ // pubKeyCache caches tests for public keys.  Since SSH clients
+ // will query whether a public key is acceptable before attempting to
+@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
+
+ // add adds the given tuple to the cache.
+ func (c *pubKeyCache) add(candidate cachedPubKey) {
+-	if len(c.keys) < maxCachedPubKeys {
+-		c.keys = append(c.keys, candidate)
++	if len(c.keys) >= maxCachedPubKeys {
++		c.keys = c.keys[1:]
+ 	}
++	c.keys = append(c.keys, candidate)
+ }
+
+ // ServerConn is an authenticated SSH connection, as seen from the
+-- 
+2.25.1
+
diff --git a/SPECS/telegraf/CVE-2024-45338.patch b/SPECS/telegraf/CVE-2024-45338.patch
@@ -0,0 +1,80 @@
+From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <[email protected]>
+Date: Wed, 04 Dec 2024 09:35:55 -0800
+Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI <[email protected]>
+Auto-Submit: Gopher Robot <[email protected]>
+Reviewed-by: Roland Shoemaker <[email protected]>
+Reviewed-by: Tatiana Bradley <[email protected]>
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ vendor/golang.org/x/net/html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a9..bca3ae9a 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9dc..e8515d8e 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 46a89eda..5b8374bf 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
+-- 
+2.25.1
+
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.29.4
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -17,6 +17,8 @@ Patch3:         CVE-2024-35255.patch
 Patch4:         CVE-2024-37298.patch
 Patch5:         CVE-2024-24786.patch
 Patch6:         CVE-2024-28180.patch
+Patch7:         CVE-2024-45337.patch
+Patch8:         CVE-2024-45338.patch
 BuildRequires:  golang
 BuildRequires:  iana-etc
 BuildRequires:  systemd-devel
@@ -87,6 +89,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Mon Jan 06 2025 Sumedh Sharma <[email protected]> - 1.29.4-10
+- Add patch for CVE-2024-45337 & CVE-2024-45338.
+
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 1.29.4-9
 - Bump release to rebuild with go 1.22.7