[AUTO-CHERRYPICK] telegraf: Add patch for CVE-2024-37298 - branch main (#9823)

CBL-Mariner-Bot · Sumynwa · web-flow · commit 57506f34f395 · 2024-07-25T18:53:12.000-04:00
Co-authored-by: Sumynwa &lt;sumsharma@microsoft.com&gt;
diff --git a/SPECS/telegraf/CVE-2024-37298.patch b/SPECS/telegraf/CVE-2024-37298.patch
@@ -0,0 +1,64 @@
+From cd59f2f12cbdfa9c06aa63e425d1fe4a806967ff Mon Sep 17 00:00:00 2001
+From: Bharat Rajani <bharat.ramrajani@gmail.com>
+Date: Sun, 30 Jun 2024 02:04:06 +0530
+Subject: [PATCH] Merge pull request from GHSA-3669-72x9-r9p3
+
+* fixes the security advisory by limiting the slice creation based on configurable maxSize
+
+* address review comment
+---
+ decoder.go      |  18 ++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/vendor/github.com/gorilla/schema/decoder.go b/vendor/github.com/gorilla/schema/decoder.go
+index ed85641..54c88ec 100644
+--- a/vendor/github.com/gorilla/schema/decoder.go
++++ b/vendor/github.com/gorilla/schema/decoder.go
+@@ -12,9 +12,13 @@ import (
+ 	"strings"
+ )
+ 
++const (
++	defaultMaxSize = 16000
++)
++
+ // NewDecoder returns a new Decoder.
+ func NewDecoder() *Decoder {
+-	return &Decoder{cache: newCache()}
++	return &Decoder{cache: newCache(), maxSize: defaultMaxSize}
+ }
+ 
+ // Decoder decodes values from a map[string][]string to a struct.
+@@ -22,6 +26,7 @@ type Decoder struct {
+ 	cache             *cache
+ 	zeroEmpty         bool
+ 	ignoreUnknownKeys bool
++	maxSize           int
+ }
+ 
+ // SetAliasTag changes the tag used to locate custom field aliases.
+@@ -54,6 +59,13 @@ func (d *Decoder) IgnoreUnknownKeys(i bool) {
+ 	d.ignoreUnknownKeys = i
+ }
+ 
++// MaxSize limits the size of slices for URL nested arrays or object arrays.
++// Choose MaxSize carefully; large values may create many zero-value slice elements.
++// Example: "items.100000=apple" would create a slice with 100,000 empty strings.
++func (d *Decoder) MaxSize(size int) {
++	d.maxSize = size
++}
++
+ // RegisterConverter registers a converter function for a custom type.
+ func (d *Decoder) RegisterConverter(value interface{}, converterFunc Converter) {
+ 	d.cache.registerConverter(value, converterFunc)
+@@ -302,6 +314,10 @@ func (d *Decoder) decode(v reflect.Value, path string, parts []pathPart, values
+ 	// Slice of structs. Let's go recursive.
+ 	if len(parts) > 1 {
+ 		idx := parts[0].index
++		// a defensive check to avoid creating a large slice based on user input index
++		if idx > d.maxSize {
++			return fmt.Errorf("%v index %d is larger than the configured maxSize %d", v.Kind(), idx, d.maxSize)
++		}
+ 		if v.IsNil() || v.Len() < idx+1 {
+ 			value := reflect.MakeSlice(t, idx+1, idx+1)
+ 			if v.Len() < idx+1 {
diff --git a/SPECS/telegraf/telegraf.spec b/SPECS/telegraf/telegraf.spec
@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.29.4
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -14,6 +14,7 @@ Patch0:         CVE-2023-45288.patch
 Patch1:         CVE-2024-28110.patch
 Patch2:         CVE-2024-27289.patch
 Patch3:         CVE-2024-35255.patch
+Patch4:         CVE-2024-37298.patch
 BuildRequires:  golang
 BuildRequires:  iana-etc
 BuildRequires:  systemd-devel
@@ -84,6 +85,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Thu Jul 11 2024 Sumedh Sharma <sumsharma@microsoft.com> - 1.29.4-7
+- Add patch for CVE-2024-37298
+
 * Tue Jun 18 2024 Saul Paredes <saulparedes@microsoft.com> - 1.29.4-6
 - Patch CVE-2024-35255
 
