Patch telegraf for CVE-2025-22872 [Medium] (#13525)

Signed-off-by: Mayank Singh <mayansingh@microsoft.com>
Co-authored-by: Mayank Singh <mayansingh@microsoft.com>

Author: mayankfz

SPECS/telegraf/CVE-2025-22872.patch

@@ -0,0 +1,42 @@
+From c3bde8676a99155b88f7d0342e1e6b36a3f83324 Mon Sep 17 00:00:00 2001
+From: Mayank Singh <mayansingh@microsoft.com>
+Date: Tue, 22 Apr 2025 05:00:39 +0000
+Subject: [PATCH] Address CVE-2025-22872.patch
+Upstream Reference Link: https://github.com/golang/net/commit/e1fcd82abba34df74614020343be8eb1fe85f0d9
+
+---
+ vendor/golang.org/x/net/html/token.go | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/token.go b/vendor/golang.org/x/net/html/token.go
+index 3c57880d..6598c1f7 100644
+--- a/vendor/golang.org/x/net/html/token.go
++++ b/vendor/golang.org/x/net/html/token.go
+@@ -839,8 +839,22 @@ func (z *Tokenizer) readStartTag() TokenType {
+ 	if raw {
+ 		z.rawTag = strings.ToLower(string(z.buf[z.data.start:z.data.end]))
+ 	}
+-	// Look for a self-closing token like "<br/>".
+-	if z.err == nil && z.buf[z.raw.end-2] == '/' {
++	// Look for a self-closing token (e.g. <br/>).
++	//
++	// Originally, we did this by just checking that the last character of the
++	// tag (ignoring the closing bracket) was a solidus (/) character, but this
++	// is not always accurate.
++	//
++	// We need to be careful that we don't misinterpret a non-self-closing tag
++	// as self-closing, as can happen if the tag contains unquoted attribute
++	// values (i.e. <p a=/>).
++	//
++	// To avoid this, we check that the last non-bracket character of the tag
++	// (z.raw.end-2) isn't the same character as the last non-quote character of
++	// the last attribute of the tag (z.pendingAttr[1].end-1), if the tag has
++	// attributes.
++	nAttrs := len(z.attr)
++	if z.err == nil && z.buf[z.raw.end-2] == '/' && (nAttrs == 0 || z.raw.end-2 != z.attr[nAttrs-1][1].end-1) {
+ 		return SelfClosingTagToken
+ 	}
+ 	return StartTagToken
+-- 
+2.45.3
+

SPECS/telegraf/telegraf.spec

@@ -1,7 +1,7 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
 Version:        1.31.0
-Release:        9%{?dist}
+Release:        10%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -22,6 +22,7 @@ Patch7:         CVE-2024-51744.patch
 Patch8:         CVE-2025-30204.patch
 Patch9:         CVE-2025-27144.patch
 Patch10:        CVE-2025-30215.patch
+Patch11:        CVE-2025-22872.patch
 
 BuildRequires:  golang
 BuildRequires:  systemd-devel
@@ -42,10 +43,7 @@ the community can easily add support for collecting metrics from well known serv
 Postgres, or Redis) and third party APIs (like Mailchimp, AWS CloudWatch, or Google Analytics).
 
 %prep
-%autosetup -N
-# setup vendor before patching
-tar -xf %{SOURCE1} --no-same-owner
-%autopatch -p1
+%autosetup -a1 -p1
 
 %build
 go build -mod=vendor ./cmd/telegraf
@@ -89,6 +87,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Tue Apr 22 2025 Mayank Singh <mayansingh@microsoft.com> - 1.31.0-10
+- Fix CVE-2025-22872 with an upstream patch
+
 * Thu Apr 17 2025 Sudipta Pandit <sudpandit@microsoft.com> - 1.31.0-9
 - Patch CVE-2025-30215