[AUTO-CHERRYPICK] Patch terraform to resolve CVE-2022-32149 & CVE-202…

…3-4782 - branch main (#10755)

Co-authored-by: Sumedh Alok Sharma <[email protected]>

SPECS/terraform/CVE-2022-32149.patch

@@ -0,0 +1,61 @@
+From 434eadcdbc3b0256971992e8c70027278364c72c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <[email protected]>
+Date: Fri, 02 Sep 2022 09:35:37 -0700
+Subject: [PATCH] language: reject excessively large Accept-Language strings
+
+The BCP 47 tag parser has quadratic time complexity due to inherent
+aspects of its design. Since the parser is, by design, exposed to
+untrusted user input, this can be leveraged to force a program to
+consume significant time parsing Accept-Language headers.
+
+The parser cannot be easily rewritten to fix this behavior for
+various reasons. Instead the solution implemented in this CL is to
+limit the total complexity of tags passed into ParseAcceptLanguage
+by limiting the number of dashes in the string to 1000. This should
+be more than enough for the majority of real world use cases, where
+the number of tags being sent is likely to be in the single digits.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to Adam
+Korczynski (ADA Logics) for writing the fuzz case and for reporting the
+issue.
+
+Fixes CVE-2022-32149
+Fixes golang/go#56152
+
+Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
+Reviewed-by: Damien Neil <[email protected]>
+Reviewed-by: Tatiana Bradley <[email protected]>
+Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
+TryBot-Result: Gopher Robot <[email protected]>
+Auto-Submit: Roland Shoemaker <[email protected]>
+Run-TryBot: Roland Shoemaker <[email protected]>
+
+Modified to apply to vendored code by: Sumedh Sharma <[email protected]>
+ - Adjusted paths
+ - Removed reference to parse_test.go
+---
+
+diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
+index 59b0410..b982d9e 100644
+--- a/vendor/golang.org/x/text/language/parse.go
++++ b/vendor/golang.org/x/text/language/parse.go
+@@ -147,6 +147,7 @@
+ }
+
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -164,6 +165,10 @@
+ 		}
+ 	}()
+
++	if strings.Count(s, "-") > 1000 {
++		return nil, nil, errTagListTooLarge
++	}
++
+ 	var entry string
+ 	for s != "" {
+ 		if entry, s = split(s, ','); entry == "" {

SPECS/terraform/CVE-2023-4782.patch

@@ -0,0 +1,91 @@
+From 0f2314fb62193c4be94328cc026fcb7ec1e9b893 Mon Sep 17 00:00:00 2001
+From: CJ Horton <[email protected]>
+Date: Wed, 30 Aug 2023 09:37:06 -0700
+Subject: [PATCH] initwd: require valid module name (#33745)
+
+We install remote modules prior to showing any validation errors during init
+so that we can show errors about the core version requirement before we do
+anything else. Unfortunately, this means that we don't validate module names
+until after remote modules have been installed, which may cause unexpected
+problems if we can't convert the module name into a valid path.
+---
+ internal/initwd/module_install.go             |  7 +++++++
+ internal/initwd/module_install_test.go        | 18 +++++++++++++++++++
+ .../invalid-module-name/child/main.tf         |  3 +++
+ .../testdata/invalid-module-name/main.tf      |  3 +++
+ 4 files changed, 31 insertions(+)
+ create mode 100644 internal/initwd/testdata/invalid-module-name/child/main.tf
+ create mode 100644 internal/initwd/testdata/invalid-module-name/main.tf
+
+diff --git a/internal/initwd/module_install.go b/internal/initwd/module_install.go
+index adc5dec..779deb9 100644
+--- a/internal/initwd/module_install.go
++++ b/internal/initwd/module_install.go
+@@ -11,6 +11,7 @@ import (
+ 	"strings"
+
+ 	version "github.com/hashicorp/go-version"
++	"github.com/hashicorp/hcl/v2/hclsyntax"
+ 	"github.com/hashicorp/terraform-config-inspect/tfconfig"
+ 	"github.com/hashicorp/terraform/internal/addrs"
+ 	"github.com/hashicorp/terraform/internal/earlyconfig"
+@@ -119,6 +120,12 @@ func (i *ModuleInstaller) installDescendentModules(ctx context.Context, rootMod
+
+ 	cfg, cDiags := earlyconfig.BuildConfig(rootMod, earlyconfig.ModuleWalkerFunc(
+ 		func(req *earlyconfig.ModuleRequest) (*tfconfig.Module, *version.Version, tfdiags.Diagnostics) {
++			if !hclsyntax.ValidIdentifier(req.Name) {
++				// A module with an invalid name shouldn't be installed at all. This is
++				// mostly a concern for remote modules, since we need to be able to convert
++				// the name to a valid path.
++				return nil, nil, diags
++			}
+
+ 			key := manifest.ModuleKey(req.Path)
+ 			instPath := i.packageInstallPath(req.Path)
+diff --git a/internal/initwd/module_install_test.go b/internal/initwd/module_install_test.go
+index b05c561..4edb323 100644
+--- a/internal/initwd/module_install_test.go
++++ b/internal/initwd/module_install_test.go
+@@ -110,6 +110,24 @@ func TestModuleInstaller_error(t *testing.T) {
+ 	}
+ }
+
++func TestModuleInstaller_invalidModuleName(t *testing.T) {
++	fixtureDir := filepath.Clean("testdata/invalid-module-name")
++	dir, done := tempChdir(t, fixtureDir)
++	defer done()
++
++	hooks := &testInstallHooks{}
++
++	modulesDir := filepath.Join(dir, ".terraform/modules")
++	inst := NewModuleInstaller(modulesDir, nil)
++	_, diags := inst.InstallModules(context.Background(), dir, false, hooks)
++
++	if !diags.HasErrors() {
++		t.Fatal("expected error")
++	} else {
++		assertDiagnosticSummary(t, diags, "Invalid module instance name")
++	}
++}
++
+ func TestModuleInstaller_packageEscapeError(t *testing.T) {
+ 	fixtureDir := filepath.Clean("testdata/load-module-package-escape")
+ 	dir, done := tempChdir(t, fixtureDir)
+diff --git a/internal/initwd/testdata/invalid-module-name/child/main.tf b/internal/initwd/testdata/invalid-module-name/child/main.tf
+new file mode 100644
+index 000000000000..6187fa659d2c
+--- /dev/null
++++ b/internal/initwd/testdata/invalid-module-name/child/main.tf
+@@ -0,0 +1,3 @@
++output "boop" {
++  value = "beep"
++}
+diff --git a/internal/initwd/testdata/invalid-module-name/main.tf b/internal/initwd/testdata/invalid-module-name/main.tf
+new file mode 100644
+index 000000000000..316afe474c5c
+--- /dev/null
++++ b/internal/initwd/testdata/invalid-module-name/main.tf
+@@ -0,0 +1,3 @@
++module "../invalid" {
++  source  = "./child"
++}

SPECS/terraform/terraform.spec

@@ -1,7 +1,7 @@
 Summary:        Infrastructure as code deployment management tool
 Name:           terraform
 Version:        1.3.2
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -31,7 +31,8 @@ Patch0:         CVE-2023-44487.patch
 Patch1:         CVE-2024-3817.patch
 Patch2:         CVE-2024-6257.patch
 Patch3:         CVE-2024-6104.patch
-
+Patch4:         CVE-2022-32149.patch
+Patch5:         CVE-2023-4782.patch
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -65,6 +66,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform
 %{_bindir}/terraform
 
 %changelog
+* Thu Oct 10 2024 Sumedh Sharma <[email protected]> - 1.3.2-19
+- Add patch to resolve CVE-2023-4782 & CVE-2022-32149
+
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <[email protected]> - 1.3.2-18
 - Bump release to rebuild with go 1.22.7