[AUTO-CHERRYPICK] Reverted packer to version 1.9.5 and patched its CVEs. - branch main (#9854)

Co-authored-by: Pawel Winogrodzki <pawelwi@microsoft.com>
Co-authored-by: Riken Maharjan <106988478+rikenm1@users.noreply.github.com>

Author: 3 people

SPECS/packer/CVE-2022-3064.patch

@@ -0,0 +1,65 @@
+From 0360b25ae53f9398cfca462f91698d1887a1ae76 Mon Sep 17 00:00:00 2001
+From: Pawel Winogrodzki <pawelwi@microsoft.com>
+Date: Mon, 1 Jul 2024 16:33:53 -0700
+Subject: [PATCH] Port CVE-2022-3064 fix from go-yaml to zclconf.
+
+This patch is ported from go-yaml's fix for CVE-2022-3064:
+https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
+
+The patch only applies to "scannerc.go", which seems to have been
+copied from go-yaml by zclconf.
+---
+ .../github.com/zclconf/go-cty-yaml/scannerc.go   | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/vendor/github.com/zclconf/go-cty-yaml/scannerc.go b/vendor/github.com/zclconf/go-cty-yaml/scannerc.go
+index ea82e3e..8eb8303 100644
+--- a/vendor/github.com/zclconf/go-cty-yaml/scannerc.go
++++ b/vendor/github.com/zclconf/go-cty-yaml/scannerc.go
+@@ -906,6 +906,9 @@ func yaml_parser_remove_simple_key(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_flow_level limits the flow_level
++const max_flow_level = 10000
++
+ // Increase the flow level and resize the simple key list if needed.
+ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 	// Reset the simple key on the next level.
+@@ -913,6 +916,11 @@ func yaml_parser_increase_flow_level(parser *yaml_parser_t) bool {
+ 
+ 	// Increase the flow level.
+ 	parser.flow_level++
++	if parser.flow_level > max_flow_level {
++		return yaml_parser_set_scanner_error(parser,
++			"while increasing flow level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++			fmt.Sprintf("exceeded max depth of %d", max_flow_level))
++	}
+ 	return true
+ }
+ 
+@@ -925,6 +933,9 @@ func yaml_parser_decrease_flow_level(parser *yaml_parser_t) bool {
+ 	return true
+ }
+ 
++// max_indents limits the indents stack size
++const max_indents = 10000
++
+ // Push the current indentation level to the stack and set the new level
+ // the current column is greater than the indentation level.  In this case,
+ // append or insert the specified token into the token queue.
+@@ -939,6 +950,11 @@ func yaml_parser_roll_indent(parser *yaml_parser_t, column, number int, typ yaml
+ 		// indentation level.
+ 		parser.indents = append(parser.indents, parser.indent)
+ 		parser.indent = column
++		if len(parser.indents) > max_indents {
++			return yaml_parser_set_scanner_error(parser,
++				"while increasing indent level", parser.simple_keys[len(parser.simple_keys)-1].mark,
++				fmt.Sprintf("exceeded max depth of %d", max_indents))
++		}
+ 
+ 		// Create a token and insert it into the queue.
+ 		token := yaml_token_t{
+-- 
+2.34.1
+