[2.0] Resolve telegraf CVE-2024-27289 (#9235)

Co-authored-by: Henry Li <lihl@microsoft.com>

Author: henryli001

SPECS/telegraf/CVE-2024-27289.patch

@@ -0,0 +1,15 @@
+diff --git a/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go b/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
+index 5eef456..4c345d5 100644
+--- a/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
++++ b/vendor/github.com/jackc/pgx/v4/internal/sanitize/sanitize.go
+@@ -58,6 +58,10 @@ func (q *Query) Sanitize(args ...interface{}) (string, error) {
+ 				return "", fmt.Errorf("invalid arg type: %T", arg)
+ 			}
+ 			argUse[argIdx] = true
++
++			// Prevent SQL injection via Line Comment Creation
++			// https://github.com/jackc/pgx/security/advisories/GHSA-m7wr-2xf7-cm9p
++			str = "(" + str + ")"
+ 		default:
+ 			return "", fmt.Errorf("invalid Part type: %T", part)
+ 		}

SPECS/telegraf/telegraf.spec

@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.29.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -12,6 +12,7 @@ Source0:        %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2023-45288.patch
 Patch1:         CVE-2024-28110.patch
+Patch2:         CVE-2024-27289.patch
 BuildRequires:  golang
 BuildRequires:  iana-etc
 BuildRequires:  systemd-devel
@@ -82,6 +83,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Fri May 24 2024 Henry Li <lihl@microsoft.com> - 1.29.4-4
+- Add patch to resolve CVE-2024-27289
+
 * Mon May 06 2024 Henry Li <lihl@microsoft.com> - 1.29.4-3
 - Re-add patch for CVE-2024-28110