[AUTO-CHERRYPICK] Fix CVE-2024-24786 for influxdb - branch main (#11656)

CBL-Mariner-Bot · KavyaSree2610 · web-flow · commit 14eade5e40b6 · 2024-12-22T16:34:39.000-05:00
Co-authored-by: KavyaSree2610 &lt;92566732+KavyaSree2610@users.noreply.github.com&gt;
diff --git a/SPECS/influxdb/CVE-2024-24786.patch b/SPECS/influxdb/CVE-2024-24786.patch
@@ -0,0 +1,41 @@
+From 867d49d8c566b0f1284f8295ba1286d6c5e93edf Mon Sep 17 00:00:00 2001
+From: kavyasree <kkaitepalli@microsoft.com>
+Date: Mon, 9 Dec 2024 17:03:26 +0530
+Subject: [PATCH] Modified patch
+
+---
+ .../protobuf/encoding/protojson/well_known_types.go           | 4 ++++
+ .../protobuf/internal/encoding/json/decode.go                 | 2 +-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+index c85f846..634ba41 100644
+--- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
++++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
+@@ -348,6 +348,10 @@ func (d decoder) skipJSONValue() error {
+ 				}
+ 			}
+ 		}
++	case json.EOF:
++		// This can only happen if there's a bug in Decoder.Read.
++		// Avoid an infinite loop if this does happen.
++		return errors.New("unexpected EOF")
+ 	}
+ 	return nil
+ }
+diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+index b13fd29..b2be4e8 100644
+--- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
++++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
+@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
+ 
+ 	case ObjectClose:
+ 		if len(d.openStack) == 0 ||
+-			d.lastToken.kind == comma ||
++			d.lastToken.kind&(Name|comma) != 0 ||
+ 			d.openStack[len(d.openStack)-1] != ObjectOpen {
+ 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
+ 		}
+-- 
+2.34.1
+
diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec
@@ -18,7 +18,7 @@
 Summary:        Scalable datastore for metrics, events, and real-time analytics
 Name:           influxdb
 Version:        2.6.1
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -57,6 +57,7 @@ Source5:        config.yaml
 Source6:        influxdb-user.conf
 Patch0:         CVE-2024-6104.patch
 Patch1:         CVE-2022-32149.patch
+Patch2:         CVE-2024-24786.patch
 BuildRequires:  clang
 BuildRequires:  golang <= 1.18.8
 BuildRequires:  kernel-headers
@@ -146,6 +147,9 @@ go test ./...
 %{_tmpfilesdir}/influxdb.conf
 
 %changelog
+* Mon Dec 09 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 2.6.1-18
+- Patch for CVE-2024-24786
+
 * Tue Sep 17 2024 Sumedh Sharma <sumsharma@microsoft.com> - 2.6.1-17
 - Add patch to resolve CVE-2022-32149
 
