[MEDIUM] Patch helm for CVE-2025-32386 & CVE-2025-22872 (#13454)

Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: archana25-ms

SPECS/helm/CVE-2025-22872.patch

@@ -0,0 +1,42 @@
+From c87c77a12e5554d376945bd488e56d4fc5b9e5ac Mon Sep 17 00:00:00 2001
+From: archana25-ms <v-shettigara@microsoft.com>
+Date: Tue, 22 Apr 2025 06:32:35 +0000
+Subject: [PATCH] Address CVE-2025-22872
+Upstream Patch Reference: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9
+
+---
+ vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
+index 3c57880..6598c1f 100644
+--- a/vendor/golang.org/x/net/html/token.go
++++ b/vendor/golang.org/x/net/html/token.go
+@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ 	if raw {
+ 		z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ 	}
+-	// Look for a self-closing token like "<br/>".
+-	if z.err == nil && z.buf[z.raw.end-2] == '/' {
++	// Look for a self-closing token (e.g. <br/>).
++	//
++	// Originally, we did this by just checking that the last character of the
++	// tag (ignoring the closing bracket) was a solidus (/) character, but this
++	// is not always accurate.
++	//
++	// We need to be careful that we don't misinterpret a non-self-closing tag
++	// as self-closing, as can happen if the tag contains unquoted attribute
++	// values (i.e. <p a=/>).
++	//
++	// To avoid this, we check that the last non-bracket character of the tag
++	// (z.raw.end-2) isn't the same character as the last non-quote character of
++	// the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++	// attributes.
++	nAttrs := len(z.attr)
++	if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ 		return SelfClosingTagToken
+ 	}
+ 	return StartTagToken
+-- 
+2.45.3
+

SPECS/helm/CVE-2025-32386.patch

@@ -0,0 +1,88 @@
+From e58d689dcb58dc14838b8d643b2d6b39d54420be Mon Sep 17 00:00:00 2001
+From: archana25-ms <v-shettigara@microsoft.com>
+Date: Thu, 17 Apr 2025 10:18:29 +0000
+Subject: [PATCH] Address CVE-2025-32386 & CVE-2025-32387
+Upstream Patch Reference: https://github.com/helm/helm/commit/d8ca55fc669645c10c0681d49723f4bb8c0b1ce7
+---
+ pkg/chart/loader/archive.go   | 32 +++++++++++++++++++++++++++++++-
+ pkg/chart/loader/directory.go |  4 ++++
+ 2 files changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/pkg/chart/loader/archive.go b/pkg/chart/loader/archive.go
+index 196e5f8..4cb994c 100644
+--- a/pkg/chart/loader/archive.go
++++ b/pkg/chart/loader/archive.go
+@@ -33,6 +33,15 @@ import (
+ 	"helm.sh/helm/v3/pkg/chart"
+ )
+ 
++// MaxDecompressedChartSize is the maximum size of a chart archive that will be
++// decompressed. This is the decompressed size of all the files.
++// The default value is 100 MiB.
++var MaxDecompressedChartSize int64 = 100 * 1024 * 1024 // Default 100 MiB
++
++// MaxDecompressedFileSize is the size of the largest file that Helm will attempt to load.
++// The size of the file is the decompressed version of it when it is stored in an archive.
++var MaxDecompressedFileSize int64 = 5 * 1024 * 1024 // Default 5 MiB
++
+ var drivePathPattern = regexp.MustCompile(`^[a-zA-Z]:/`)
+ 
+ // FileLoader loads a chart from a file
+@@ -119,6 +128,7 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) {
+ 
+ 	files := []*BufferedFile{}
+ 	tr := tar.NewReader(unzipped)
++	remainingSize := MaxDecompressedChartSize
+ 	for {
+ 		b := bytes.NewBuffer(nil)
+ 		hd, err := tr.Next()
+@@ -178,10 +188,30 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) {
+ 			return nil, errors.New("chart yaml not in base directory")
+ 		}
+ 
+-		if _, err := io.Copy(b, tr); err != nil {
++		if hd.Size > remainingSize {
++			return nil, fmt.Errorf("decompressed chart is larger than the maximum size %d", MaxDecompressedChartSize)
++		}
++
++		if hd.Size > MaxDecompressedFileSize {
++			return nil, fmt.Errorf("decompressed chart file %q is larger than the maximum file size %d", hd.Name, MaxDecompressedFileSize)
++		}
++
++		limitedReader := io.LimitReader(tr, remainingSize)
++
++		bytesWritten, err := io.Copy(b, limitedReader)
++		if err != nil {
+ 			return nil, err
+ 		}
+ 
++		remainingSize -= bytesWritten
++		// When the bytesWritten are less than the file size it means the limit reader ended
++		// copying early. Here we report that error. This is important if the last file extracted
++		// is the one that goes over the limit. It assumes the Size stored in the tar header
++		// is correct, something many applications do.
++		if bytesWritten < hd.Size || remainingSize <= 0 {
++			return nil, fmt.Errorf("decompressed chart is larger than the maximum size %d", MaxDecompressedChartSize)
++		}
++
+ 		data := bytes.TrimPrefix(b.Bytes(), utf8bom)
+ 
+ 		files = append(files, &BufferedFile{Name: n, Data: data})
+diff --git a/pkg/chart/loader/directory.go b/pkg/chart/loader/directory.go
+index 9bcbee6..fd8e02e 100644
+--- a/pkg/chart/loader/directory.go
++++ b/pkg/chart/loader/directory.go
+@@ -101,6 +101,10 @@ func LoadDir(dir string) (*chart.Chart, error) {
+ 			return fmt.Errorf("cannot load irregular file %s as it has file mode type bits set", name)
+ 		}
+ 
++		if fi.Size() > MaxDecompressedFileSize {
++			return fmt.Errorf("chart file %q is larger than the maximum file size %d", fi.Name(), MaxDecompressedFileSize)
++		}
++
+ 		data, err := os.ReadFile(name)
+ 		if err != nil {
+ 			return errors.Wrapf(err, "error reading %s", n)
+-- 
+2.45.3
+

SPECS/helm/helm.spec

@@ -2,15 +2,14 @@
 
 Name:          helm
 Version:       3.14.2
-Release:       5%{?dist}
+Release:       6%{?dist}
 Summary:       The Kubernetes Package Manager
 Group:         Applications/Networking
 License:       Apache 2.0
 Vendor:        Microsoft Corporation
 Distribution:  Mariner
 Url:           https://github.com/helm/helm
-#Source0:      https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz
-Source0:       %{name}-%{version}.tar.gz
+Source0:       https://github.com/helm/helm/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 # Below is a manually created tarball, no download link.
 # We're using pre-populated Go modules from this tarball, since network is disabled during build time.
 # How to re-build this file:
@@ -27,13 +26,15 @@ Source0:       %{name}-%{version}.tar.gz
 Source1:       %{name}-%{version}-vendor.tar.gz
 Patch0:        CVE-2023-45288.patch
 Patch1:        CVE-2024-45338.patch
+Patch2:        CVE-2025-32386.patch
+Patch3:        CVE-2025-22872.patch
 BuildRequires: golang
 
 %description
 Helm is a tool that streamlines installing and managing Kubernetes applications. Think of it like apt/yum/homebrew for Kubernetes.
 
 %prep
-%autosetup -p1 -a 1
+%autosetup -p1 -a1
 
 %build
 export VERSION=%{version}
@@ -56,6 +57,9 @@ install -m 755 ./helm %{buildroot}%{_bindir}
 go test -v ./cmd/helm
 
 %changelog
+* Thu Apr 17 2025 Archana Shettigar <v-shettigara@microsoft.com> - 3.14.2-6
+- Patch CVE-2025-32386 & CVE-2025-22872
+
 * Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 3.14.2-5
 - Add patch for CVE-2024-45338
 

cgmanifest.json

@@ -5231,7 +5231,7 @@
         "other": {
           "name": "helm",
           "version": "3.14.2",
-          "downloadUrl": "https://github.com/helm/helm/archive/v3.14.2.tar.gz"
+          "downloadUrl": "https://github.com/helm/helm/archive/refs/tags/v3.14.2.tar.gz"
         }
       }
     },