[AUTO-CHERRYPICK] Fix for CVE 2024 25620 in cert-manager - branch main (#10127)

Co-authored-by: bhagyapathak <bhagyapathak@users.noreply.github.com>
Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>

Author: 3 people

SPECS/cert-manager/CVE-2024-25620.patch

@@ -0,0 +1,110 @@
+From e90f3034faa9a6a23131df5665570d221e3092f3 Mon Sep 17 00:00:00 2001
+From: Bhagyashri Pathak <bhapathak@microsoft.com>
+Date: Thu, 8 Aug 2024 10:27:21 +0530
+Subject: [PATCH] CVE-2024-25620 patch 
+
+---
+ vendor/helm.sh/helm/v3/pkg/chart/metadata.go  |  4 ++++
+ .../helm.sh/helm/v3/pkg/chartutil/errors.go   |  8 ++++++++
+ vendor/helm.sh/helm/v3/pkg/chartutil/save.go  | 20 +++++++++++++++++++
+ .../helm/v3/pkg/lint/rules/chartfile.go       |  4 ++++
+ 4 files changed, 36 insertions(+)
+
+diff --git a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
+index ae572ab..3834b4c 100644
+--- a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
++++ b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
+@@ -16,6 +16,7 @@ limitations under the License.
+ package chart
+ 
+ import (
++	"path/filepath"
+ 	"strings"
+ 	"unicode"
+ 
+@@ -110,6 +111,9 @@ func (md *Metadata) Validate() error {
+ 	if md.Name == "" {
+ 		return ValidationError("chart.metadata.name is required")
+ 	}
++	if md.Name != filepath.Base(md.Name) {
++		return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
++	}
+ 	if md.Version == "" {
+ 		return ValidationError("chart.metadata.version is required")
+ 	}
+diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
+index fcdcc27..0a4046d 100644
+--- a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
++++ b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
+@@ -33,3 +33,11 @@ type ErrNoValue struct {
+ }
+ 
+ func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) }
++
++type ErrInvalidChartName struct {
++	Name string
++}
++
++func (e ErrInvalidChartName) Error() string {
++	return fmt.Sprintf("%q is not a valid chart name", e.Name)
++}
+diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
+index 2ce4edd..4ee9070 100644
+--- a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
++++ b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
+@@ -39,6 +39,10 @@ var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=")
+ // directory, writing the chart's contents to that subdirectory.
+ func SaveDir(c *chart.Chart, dest string) error {
+ 	// Create the chart directory
++	err := validateName(c.Name())
++	if err != nil {
++		return err
++	}
+ 	outdir := filepath.Join(dest, c.Name())
+ 	if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() {
+ 		return errors.Errorf("file %s already exists and is not a directory", outdir)
+@@ -149,6 +153,10 @@ func Save(c *chart.Chart, outDir string) (string, error) {
+ }
+ 
+ func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error {
++	err := validateName(c.Name())
++	if err != nil {
++		return err
++	}
+ 	base := filepath.Join(prefix, c.Name())
+ 
+ 	// Pull out the dependencies of a v1 Chart, since there's no way
+@@ -242,3 +250,15 @@ func writeToTar(out *tar.Writer, name string, body []byte) error {
+ 	_, err := out.Write(body)
+ 	return err
+ }
++
++// If the name has directory name has characters which would change the location
++// they need to be removed.
++func validateName(name string) error {
++	nname := filepath.Base(name)
++
++	if nname != name {
++		return ErrInvalidChartName{name}
++	}
++
++	return nil
++}
+diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
+index b49f2ce..f8f033c 100644
+--- a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
++++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
+@@ -107,6 +107,10 @@ func validateChartName(cf *chart.Metadata) error {
+ 	if cf.Name == "" {
+ 		return errors.New("name is required")
+ 	}
++	name := filepath.Base(cf.Name)
++	if name != cf.Name {
++		return fmt.Errorf("chart name %q is invalid", cf.Name)
++	}
+ 	return nil
+ }
+ 
+-- 
+2.34.1
+

SPECS/cert-manager/cert-manager.spec

@@ -1,7 +1,7 @@
 Summary:        Automatically provision and manage TLS certificates in Kubernetes
 Name:           cert-manager
 Version:        1.11.2
-Release:        12%{?dist}
+Release:        13%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -22,7 +22,8 @@ Source1:        %{name}-%{version}-govendor.tar.gz
 Patch0:         CVE-2023-48795.patch
 Patch1:         CVE-2023-45288.patch
 Patch2:         CVE-2024-26147.patch
-Patch3:         CVE-2024-6104.patch
+Patch3:         CVE-2024-25620.patch
+Patch4:         CVE-2024-6104.patch
 BuildRequires:  golang
 Requires:       %{name}-acmesolver
 Requires:       %{name}-cainjector
@@ -115,9 +116,12 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
 %{_bindir}/webhook
 
 %changelog
-* Wed Jul 31 2023 Bala <balakumaran.kannan@microsoft.com> - 1.11.2-12
+* Mon Aug 19 2023 Bala <balakumaran.kannan@microsoft.com> - 1.11.2-13
 - Patch for CVE-2024-6104
 
+* Wed Aug 07 2024 Bhagyashri Pathak <bhapathak@microsoft.com> - 1.11.2-12
+- Patch for CVE-2024-25620
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.11.2-11
 - Bump release to rebuild with go 1.21.11