Patch CVE-2024-26147 for cert-manager (#9268)

mbykhovtsev-ms · web-flow · commit ebc77031e57b · 2024-05-30T18:57:31.000-07:00
diff --git a/SPECS/cert-manager/CVE-2024-26147.patch b/SPECS/cert-manager/CVE-2024-26147.patch
@@ -0,0 +1,43 @@
+From d02be38fc6c54828d5eec15efe058c61f3df4a60 Mon Sep 17 00:00:00 2001
+From: Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com>
+Date: Thu, 30 May 2024 16:33:17 -0700
+Subject: [PATCH] backport patch CVE-2024-26147. Based off commit https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af
+
+---
+ vendor/helm.sh/helm/v3/pkg/plugin/plugin.go | 4 ++++
+ vendor/helm.sh/helm/v3/pkg/repo/index.go    | 4 ++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go
+index 1399b71..df580db 100644
+--- a/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go
++++ b/vendor/helm.sh/helm/v3/pkg/plugin/plugin.go
+@@ -173,6 +173,10 @@ var validPluginName = regexp.MustCompile("^[A-Za-z0-9_-]+$")
+ 
+ // validatePluginData validates a plugin's YAML data.
+ func validatePluginData(plug *Plugin, filepath string) error {
++	// When metadata section missing, initialize with no data
++	if plug.Metadata == nil {
++		plug.Metadata = &Metadata{}
++	}
+ 	if !validPluginName.MatchString(plug.Metadata.Name) {
+ 		return fmt.Errorf("invalid plugin name at %q", filepath)
+ 	}
+diff --git a/vendor/helm.sh/helm/v3/pkg/repo/index.go b/vendor/helm.sh/helm/v3/pkg/repo/index.go
+index 60cfe58..94852bb 100644
+--- a/vendor/helm.sh/helm/v3/pkg/repo/index.go
++++ b/vendor/helm.sh/helm/v3/pkg/repo/index.go
+@@ -347,6 +347,10 @@ func loadIndex(data []byte, source string) (*IndexFile, error) {
+ 				log.Printf("skipping loading invalid entry for chart %q from %s: empty entry", name, source)
+ 				continue
+ 			}
++			// When metadata section missing, initialize with no data
++			if cvs[idx].Metadata == nil {
++				cvs[idx].Metadata = &chart.Metadata{}
++			}
+ 			if cvs[idx].APIVersion == "" {
+ 				cvs[idx].APIVersion = chart.APIVersionV1
+ 			}
+-- 
+2.34.1
+
diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec
@@ -1,7 +1,7 @@
 Summary:        Automatically provision and manage TLS certificates in Kubernetes
 Name:           cert-manager
 Version:        1.11.2
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -21,6 +21,7 @@ Source0:        https://github.com/jetstack/%{name}/archive/refs/tags/v%{version
 Source1:        %{name}-%{version}-govendor.tar.gz
 Patch0:         CVE-2023-48795.patch
 Patch1:         CVE-2023-45288.patch
+Patch2:         CVE-2024-26147.patch
 BuildRequires:  golang
 Requires:       %{name}-acmesolver
 Requires:       %{name}-cainjector
@@ -113,6 +114,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/
 %{_bindir}/webhook
 
 %changelog
+* Thu May 30 2024 Mykhailo Bykhovtsev <mbykhovtsev@microsoft.com> - 1.11.2-10
+- Patch for CVE-2024-26147
+
 * Thu Apr 18 2024 Chris Gunn <chrisgun@microsoft.com> - 1.11.2-9
 - Fix for CVE-2023-45288
 
