[AUTO-CHERRYPICK] Fix CVE-2025-22869 for terraform [HIGH] - branch main (#12899)

Co-authored-by: Sudipta Pandit <sudpandit@microsoft.com>

Author: CBL-Mariner-Bot

SPECS/terraform/CVE-2025-22869.patch

@@ -0,0 +1,95 @@
+From 82e574ecb3fd33a4eb564742966f01704084692e Mon Sep 17 00:00:00 2001
+From: Sudipta Pandit <sudpandit@microsoft.com>
+Date: Tue, 11 Mar 2025 00:17:38 +0530
+Subject: [PATCH] Backport upstream patch for CVE-2025-22869.patch
+
+---
+ vendor/golang.org/x/crypto/ssh/handshake.go | 30 +++++++++++++++++----
+ 1 file changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
+index 653dc4d..a1e1536 100644
+--- a/vendor/golang.org/x/crypto/ssh/handshake.go
++++ b/vendor/golang.org/x/crypto/ssh/handshake.go
+@@ -24,6 +24,11 @@ const debugHandshake = false
+ // quickly.
+ const chanSize = 16
+ 
++// maxPendingPackets sets the maximum number of packets to queue while waiting
++// for KEX to complete. This limits the total pending data to maxPendingPackets
++// * maxPacket bytes, which is ~16.8MB.
++const maxPendingPackets = 64
++
+ // keyingTransport is a packet based transport that supports key
+ // changes. It need not be thread-safe. It should pass through
+ // msgNewKeys in both directions.
+@@ -59,6 +64,7 @@ type handshakeTransport struct {
+ 	readError error
+ 
+ 	mu             sync.Mutex
++	writeCond      *sync.Cond
+ 	writeError     error
+ 	sentInitPacket []byte
+ 	sentInitMsg    *kexInitMsg
+@@ -112,6 +118,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion,
+ 
+ 		config: config,
+ 	}
++	t.writeCond = sync.NewCond(&t.mu)
+ 	t.resetReadThresholds()
+ 	t.resetWriteThresholds()
+ 
+@@ -234,6 +241,7 @@ func (t *handshakeTransport) recordWriteError(err error) {
+ 	defer t.mu.Unlock()
+ 	if t.writeError == nil && err != nil {
+ 		t.writeError = err
++		t.writeCond.Broadcast()
+ 	}
+ }
+ 
+@@ -337,6 +345,8 @@ write:
+ 			}
+ 		}
+ 		t.pendingPackets = t.pendingPackets[:0]
++		// Unblock writePacket if waiting for KEX.
++		t.writeCond.Broadcast()
+ 		t.mu.Unlock()
+ 	}
+ 
+@@ -518,11 +528,20 @@ func (t *handshakeTransport) writePacket(p []byte) error {
+ 	}
+ 
+ 	if t.sentInitMsg != nil {
+-		// Copy the packet so the writer can reuse the buffer.
+-		cp := make([]byte, len(p))
+-		copy(cp, p)
+-		t.pendingPackets = append(t.pendingPackets, cp)
+-		return nil
++		if len(t.pendingPackets) < maxPendingPackets {
++			// Copy the packet so the writer can reuse the buffer.
++			cp := make([]byte, len(p))
++			copy(cp, p)
++			t.pendingPackets = append(t.pendingPackets, cp)
++			return nil
++		}
++		for t.sentInitMsg != nil {
++			// Block and wait for KEX to complete or an error.
++			t.writeCond.Wait()
++			if t.writeError != nil {
++				return t.writeError
++			}
++		}
+ 	}
+ 
+ 	if t.writeBytesLeft > 0 {
+@@ -539,6 +558,7 @@ func (t *handshakeTransport) writePacket(p []byte) error {
+ 
+ 	if err := t.pushPacket(p); err != nil {
+ 		t.writeError = err
++		t.writeCond.Broadcast()
+ 	}
+ 
+ 	return nil
+-- 
+2.34.1
+

SPECS/terraform/terraform.spec

@@ -1,7 +1,7 @@
 Summary:        Infrastructure as code deployment management tool
 Name:           terraform
 Version:        1.3.2
-Release:        22%{?dist}
+Release:        23%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -36,6 +36,7 @@ Patch5:         CVE-2023-4782.patch
 Patch6:         CVE-2024-24786.patch
 Patch7:         CVE-2024-45338.patch
 Patch8:         CVE-2023-0475.patch
+Patch9:         CVE-2025-22869.patch
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -66,6 +67,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform
 %{_bindir}/terraform
 
 %changelog
+* Mon Mar 10 2025 Sudipta Pandit <sudpandit@microsoft.com> - 1.3.2-23
+- Add patch for CVE-2025-22869
+
 * Tue Jan 21 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 1.3.2-22
 - Add Patch for CVE-2023-0475