[AUTO-CHERRYPICK] Patch reaper for CVE-2024-12905 [HIGH] - branch main (#13350)

CBL-Mariner-Bot · sandeepkarambelkar · web-flow · commit 42923d3dd721 · 2025-04-10T16:56:23.000-04:00
Co-authored-by: Sandeep Karambelkar &lt;skarambelkar@microsoft.com&gt;
diff --git a/SPECS/reaper/CVE-2024-12905.patch b/SPECS/reaper/CVE-2024-12905.patch
@@ -0,0 +1,76 @@
+From 7f2ff2574edbb046718122175286c08cf53511ba Mon Sep 17 00:00:00 2001
+From: Mathias Buus <mathiasbuus@gmail.com>
+Date: Sun, 12 Jan 2025 11:53:11 +0100
+Subject: [PATCH] refactor and throw on bad symlink
+
+Upstream Patch Reference : https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed
+---
+ .../bower/lib/node_modules/tar-fs/index.js        | 15 ++++++++++++---
+ .../bower/lib/node_modules/tar-fs/test/index.js   |  2 +-
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/index.js b/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/index.js
+index 4d67485..3fd93bc 100644
+--- a/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/index.js
++++ b/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/index.js
+@@ -173,6 +173,8 @@ exports.extract = function (cwd, opts) {
+   if (!cwd) cwd = '.'
+   if (!opts) opts = {}
+ 
++  cwd = path.resolve(cwd)
++
+   var xfs = opts.fs || fs
+   var ignore = opts.ignore || opts.filter || noop
+   var map = opts.map || noop
+@@ -254,6 +256,9 @@ exports.extract = function (cwd, opts) {
+     var onsymlink = function () {
+       if (win32) return next() // skip symlinks on win for now before it can be tested
+       xfs.unlink(name, function () {
++        var dst = path.resolve(path.dirname(name), header.linkname)
++        if (!inCwd(dst)) return next(new Error(name + ' is not a valid symlink'))
++
+         xfs.symlink(header.linkname, name, stat)
+       })
+     }
+@@ -261,11 +266,11 @@ exports.extract = function (cwd, opts) {
+     var onlink = function () {
+       if (win32) return next() // skip links on win for now before it can be tested
+       xfs.unlink(name, function () {
+-        var srcpath = path.join(cwd, path.join('/', header.linkname))
++        var dst = path.join(cwd, path.join('/', header.linkname))
+ 
+-        xfs.link(srcpath, name, function (err) {
++        xfs.link(dst, name, function (err) {
+           if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
+-            stream = xfs.createReadStream(srcpath)
++            stream = xfs.createReadStream(dst)
+             return onfile()
+           }
+ 
+@@ -274,6 +279,10 @@ exports.extract = function (cwd, opts) {
+       })
+     }
+ 
++    var inCwd = function (dst) {
++      return dst.startsWith(cwd)
++    }
++
+     var onfile = function () {
+       var ws = xfs.createWriteStream(name)
+       var rs = mapStream(stream, header)
+diff --git a/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/test/index.js b/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/test/index.js
+index a03844e..cbe2ac2 100644
+--- a/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/test/index.js
++++ b/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/test/index.js
+@@ -304,7 +304,7 @@ test('do not extract invalid tar', function (t) {
+   fs.createReadStream(a)
+     .pipe(tar.extract(out))
+     .on('error', function (err) {
+-      t.ok(/is not a valid path/i.test(err.message))
++      t.ok(/is not a valid symlink/i.test(err.message))
+       fs.stat(path.join(out, '../bar'), function (err) {
+         t.ok(err)
+         t.end()
+-- 
+2.40.4
+
diff --git a/SPECS/reaper/reaper.spec b/SPECS/reaper/reaper.spec
@@ -6,7 +6,7 @@
 Summary:        Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
 Name:           reaper
 Version:        3.1.1
-Release:        17%{?dist}
+Release:        18%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -48,6 +48,7 @@ Patch12:        CVE-2020-28458.patch
 Patch13:        CVE-2024-52798.patch
 Patch14:        CVE-2020-24025.patch
 Patch15:        CVE-2024-28863.patch
+Patch16:        CVE-2024-12905.patch
 
 BuildRequires:  git
 BuildRequires:  javapackages-tools
@@ -113,6 +114,7 @@ popd
 pushd $tmp_local_dir/n/versions/node/14.18.0/lib/node_modules/
 %autopatch -p1 15
 popd
+%autopatch -p1 16
 
 rsync -azvhr $tmp_local_dir/ "%{_prefix}/local"
 rm -rf $tmp_local_dir
@@ -190,6 +192,9 @@ fi
 %{_unitdir}/cassandra-%{name}.service
 
 %changelog
+* Fri Apr 04 2025 Sandeep Karambelkar (skarambelkar@microsoft.com> - 3.1.1-18
+- Add patch to fix CVE-2024-12905
+
 * Thu Mar 13 2025 Kevin Lockwood <v-klockwood@microsoft.com> - 3.1.1-17
 - Patch CVE-2024-28863
 
