[AUTO-CHERRYPICK] cf-cli: patch CVE-2021-43565 - branch main (#9902)

Co-authored-by: Archana Choudhary <36061892+arc9693@users.noreply.github.com>
Co-authored-by: Riken Maharjan <106988478+rikenm1@users.noreply.github.com>

Author: 3 people

SPECS/cf-cli/CVE-2021-43565.patch

@@ -0,0 +1,56 @@
+From 5770296d904e90f15f38f77dfc2e43fdf5efc083 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Tue, 9 Nov 2021 11:45:57 -0800
+Subject: [PATCH] ssh: don't assume packet plaintext size
+
+When reading GCM and ChaChaPoly1305 packets, don't make assumptions
+about the size of the enciphered plaintext. This fixes two panics
+caused by standards non-compliant malformed packets.
+
+Thanks to Rod Hynes, Psiphon Inc. for reporting this issue.
+
+Fixes golang/go#49932
+Fixes CVE-2021-43565
+
+Change-Id: I660cff39d197e0d04ec44d11d792b22d954df2ef
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1262659
+Reviewed-by: Katie Hockman <katiehockman@google.com>
+Reviewed-by: Julie Qiu <julieqiu@google.com>
+Reviewed-on: https://go-review.googlesource.com/c/crypto/+/368814
+Trust: Roland Shoemaker <roland@golang.org>
+Trust: Katie Hockman <katie@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Gopher Robot <gobot@golang.org>
+Reviewed-by: Julie Qiu <julie@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+---
+ ssh/cipher.go      |   8 ++++
+ ssh/cipher_test.go | 100 +++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 108 insertions(+)
+
+diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
+index bddbde5dbd..f8bdf4984c 100644
+--- a/vendor/golang.org/x/crypto/ssh/cipher.go
++++ b/vendor/golang.org/x/crypto/ssh/cipher.go
+@@ -394,6 +394,10 @@ func (c *gcmCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error)
+ 	}
+ 	c.incIV()
+ 
++	if len(plain) == 0 {
++		return nil, errors.New("ssh: empty packet")
++	}
++
+ 	padding := plain[0]
+ 	if padding < 4 {
+ 		// padding is a byte, so it automatically satisfies
+@@ -710,6 +714,10 @@ func (c *chacha20Poly1305Cipher) readCipherPacket(seqNum uint32, r io.Reader) ([
+ 	plain := c.buf[4:contentEnd]
+ 	s.XORKeyStream(plain, plain)
+ 
++	if len(plain) == 0 {
++		return nil, errors.New("ssh: empty packet")
++	}
++
+ 	padding := plain[0]
+ 	if padding < 4 {
+ 		// padding is a byte, so it automatically satisfies

SPECS/cf-cli/cf-cli.spec

@@ -1,7 +1,7 @@
 Summary:        The official command line client for Cloud Foundry.
 Name:           cf-cli
 Version:        8.4.0
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        Apache-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -29,6 +29,7 @@ Source0:        https://github.com/cloudfoundry/cli/archive/refs/tags/v%{version
 Source1:        cli-%{version}-vendor.tar.gz
 Patch0:         CVE-2023-44487.patch
 Patch1:         CVE-2021-44716.patch
+Patch2:         CVE-2021-43565.patch
 
 BuildRequires:  golang
 %global debug_package %{nil}
@@ -63,9 +64,13 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./out/cf
 %{_bindir}/cf
 
 %changelog
+* Mon Jul 22 2024 Archana Choudhary <archana1@microsoft.com> - 8.4.0-19.cm2
+- Patch CVE-2021-43565
+
 * Wed Jul 17 2024 Muhammad Falak R Wani <mwani@microsoft.com> - 8.4.0-18
 - Drop requirement on a specific version of golang
 
+
 * Thu Jun 06 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 8.4.0-17
 - Bump release to rebuild with go 1.21.11