From ff23873ee402b1af83bb4ca082df95f6f5fd62e9 Mon Sep 17 00:00:00 2001 From: Sumedh Alok Sharma Date: Wed, 8 Jan 2025 01:09:20 +0530 Subject: [PATCH] Patch telegraf for CVE-2024-45337 & CVE-2024-45338 (#11781) Co-authored-by: jslobodzian (cherry picked from commit b94dca48c58ae7a0f7175ef3becc9b0a6fe10a88) --- SPECS/telegraf/CVE-2024-45337.patch | 79 ++++++++++++++++++++++++++++ SPECS/telegraf/CVE-2024-45338.patch | 80 +++++++++++++++++++++++++++++ SPECS/telegraf/telegraf.spec | 7 ++- 3 files changed, 165 insertions(+), 1 deletion(-) create mode 100644 SPECS/telegraf/CVE-2024-45337.patch create mode 100644 SPECS/telegraf/CVE-2024-45338.patch diff --git a/SPECS/telegraf/CVE-2024-45337.patch b/SPECS/telegraf/CVE-2024-45337.patch new file mode 100644 index 00000000000..1c99f069547 --- /dev/null +++ b/SPECS/telegraf/CVE-2024-45337.patch @@ -0,0 +1,79 @@ +From b4f1988a35dee11ec3e05d6bf3e90b695fbd8909 Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Tue, 3 Dec 2024 09:03:03 -0800 +Subject: [PATCH] ssh: make the public key cache a 1-entry FIFO cache + +Users of the the ssh package seem to extremely commonly misuse the +PublicKeyCallback API, assuming that the key passed in the last call +before a connection is established is the key used for authentication. +Some users then make authorization decisions based on this key. This +property is not documented, and may not be correct, due to the caching +behavior of the package, resulting in users making incorrect +authorization decisions about the connection. + +This change makes the cache a one entry FIFO cache, making the assumed +property, that the last call to PublicKeyCallback represents the key +actually used for authentication, actually hold. + +Thanks to Damien Tournoud, Patrick Dawkins, Vince Parker, and +Jules Duvivier from the Platform.sh / Upsun engineering team +for reporting this issue. + +Fixes golang/go#70779 +Fixes CVE-2024-45337 + +Change-Id: Ife7c7b4045d8b6bcd7e3a417bdfae370c709797f +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/635315 +Reviewed-by: Roland Shoemaker +Auto-Submit: Gopher Robot +Reviewed-by: Damien Neil +Reviewed-by: Nicola Murino +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/crypto/ssh/server.go | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go +index c2dfe326..39dcc095 100644 +--- a/vendor/golang.org/x/crypto/ssh/server.go ++++ b/vendor/golang.org/x/crypto/ssh/server.go +@@ -149,7 +149,7 @@ func (s *ServerConfig) AddHostKey(key Signer) { + } + + // cachedPubKey contains the results of querying whether a public key is +-// acceptable for a user. ++// acceptable for a user. This is a FIFO cache. + type cachedPubKey struct { + user string + pubKeyData []byte +@@ -157,7 +157,13 @@ type cachedPubKey struct { + perms *Permissions + } + +-const maxCachedPubKeys = 16 ++// maxCachedPubKeys is the number of cache entries we store. ++// ++// Due to consistent misuse of the PublicKeyCallback API, we have reduced this ++// to 1, such that the only key in the cache is the most recently seen one. This ++// forces the behavior that the last call to PublicKeyCallback will always be ++// with the key that is used for authentication. ++const maxCachedPubKeys = 1 + + // pubKeyCache caches tests for public keys. Since SSH clients + // will query whether a public key is acceptable before attempting to +@@ -179,9 +185,10 @@ func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) { + + // add adds the given tuple to the cache. + func (c *pubKeyCache) add(candidate cachedPubKey) { +- if len(c.keys) < maxCachedPubKeys { +- c.keys = append(c.keys, candidate) ++ if len(c.keys) >= maxCachedPubKeys { ++ c.keys = c.keys[1:] + } ++ c.keys = append(c.keys, candidate) + } + + // ServerConn is an authenticated SSH connection, as seen from the +-- +2.25.1 + diff --git a/SPECS/telegraf/CVE-2024-45338.patch b/SPECS/telegraf/CVE-2024-45338.patch new file mode 100644 index 00000000000..f091755ef68 --- /dev/null +++ b/SPECS/telegraf/CVE-2024-45338.patch @@ -0,0 +1,80 @@ +From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001 +From: Roland Shoemaker +Date: Wed, 04 Dec 2024 09:35:55 -0800 +Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves + +Instead of using strings.ToLower and == to check case insensitive +equality, just use strings.EqualFold, even when the strings are only +ASCII. This prevents us unnecessarily lowering extremely long strings, +which can be a somewhat expensive operation, even if we're only +attempting to compare equality with five characters. + +Thanks to Guido Vranken for reporting this issue. + +Fixes golang/go#70906 +Fixes CVE-2024-45338 + +Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128 +Reviewed-on: https://go-review.googlesource.com/c/net/+/637536 +LUCI-TryBot-Result: Go LUCI +Auto-Submit: Gopher Robot +Reviewed-by: Roland Shoemaker +Reviewed-by: Tatiana Bradley +--- + vendor/golang.org/x/net/html/doctype.go | 2 +- + vendor/golang.org/x/net/html/foreign.go | 3 +-- + vendor/golang.org/x/net/html/parse.go | 4 ++-- + 3 files changed, 4 insertions(+), 5 deletions(-) + +diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go +index c484e5a9..bca3ae9a 100644 +--- a/vendor/golang.org/x/net/html/doctype.go ++++ b/vendor/golang.org/x/net/html/doctype.go +@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) { + } + } + if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" && +- strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" { ++ strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") { + quirks = true + } + } +diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go +index 9da9e9dc..e8515d8e 100644 +--- a/vendor/golang.org/x/net/html/foreign.go ++++ b/vendor/golang.org/x/net/html/foreign.go +@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool { + if n.Data == "annotation-xml" { + for _, a := range n.Attr { + if a.Key == "encoding" { +- val := strings.ToLower(a.Val) +- if val == "text/html" || val == "application/xhtml+xml" { ++ if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") { + return true + } + } +diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go +index 46a89eda..5b8374bf 100644 +--- a/vendor/golang.org/x/net/html/parse.go ++++ b/vendor/golang.org/x/net/html/parse.go +@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool { + if p.tok.DataAtom == a.Input { + for _, t := range p.tok.Attr { + if t.Key == "type" { +- if strings.ToLower(t.Val) == "hidden" { ++ if strings.EqualFold(t.Val, "hidden") { + // Skip setting framesetOK = false + return true + } +@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool { + return inHeadIM(p) + case a.Input: + for _, t := range p.tok.Attr { +- if t.Key == "type" && strings.ToLower(t.Val) == "hidden" { ++ if t.Key == "type" && strings.EqualFold(t.Val, "hidden") { + p.addElement() + p.oe.pop() + return true +-- +2.25.1 + diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec index 2a71676daa0..456d9d9e5a6 100644 --- a/SPECS/telegraf/telegraf.spec +++ b/SPECS/telegraf/telegraf.spec @@ -1,7 +1,7 @@ Summary: agent for collecting, processing, aggregating, and writing metrics. Name: telegraf Version: 1.29.4 -Release: 9%{?dist} +Release: 10%{?dist} License: MIT Vendor: Microsoft Corporation Distribution: Mariner @@ -17,6 +17,8 @@ Patch3: CVE-2024-35255.patch Patch4: CVE-2024-37298.patch Patch5: CVE-2024-24786.patch Patch6: CVE-2024-28180.patch +Patch7: CVE-2024-45337.patch +Patch8: CVE-2024-45338.patch BuildRequires: golang BuildRequires: iana-etc BuildRequires: systemd-devel @@ -87,6 +89,9 @@ fi %dir %{_sysconfdir}/%{name}/telegraf.d %changelog +* Mon Jan 06 2025 Sumedh Sharma - 1.29.4-10 +- Add patch for CVE-2024-45337 & CVE-2024-45338. + * Mon Sep 09 2024 CBL-Mariner Servicing Account - 1.29.4-9 - Bump release to rebuild with go 1.22.7