diff --git a/SPECS/terraform/CVE-2022-32149.patch b/SPECS/terraform/CVE-2022-32149.patch
new file mode 100644
index 00000000000..ff0fbab0103
--- /dev/null
+++ b/SPECS/terraform/CVE-2022-32149.patch
@@ -0,0 +1,61 @@
+From 434eadcdbc3b0256971992e8c70027278364c72c Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker
+Date: Fri, 02 Sep 2022 09:35:37 -0700
+Subject: [PATCH] language: reject excessively large Accept-Language strings
+
+The BCP 47 tag parser has quadratic time complexity due to inherent
+aspects of its design. Since the parser is, by design, exposed to
+untrusted user input, this can be leveraged to force a program to
+consume significant time parsing Accept-Language headers.
+
+The parser cannot be easily rewritten to fix this behavior for
+various reasons. Instead the solution implemented in this CL is to
+limit the total complexity of tags passed into ParseAcceptLanguage
+by limiting the number of dashes in the string to 1000. This should
+be more than enough for the majority of real world use cases, where
+the number of tags being sent is likely to be in the single digits.
+
+Thanks to the OSS-Fuzz project for discovering this issue and to Adam
+Korczynski (ADA Logics) for writing the fuzz case and for reporting the
+issue.
+
+Fixes CVE-2022-32149
+Fixes golang/go#56152
+
+Change-Id: I7bda1d84cee2b945039c203f26869d58ee9374ae
+Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1565112
+Reviewed-by: Damien Neil
+Reviewed-by: Tatiana Bradley
+Reviewed-on: https://go-review.googlesource.com/c/text/+/442235
+TryBot-Result: Gopher Robot
+Auto-Submit: Roland Shoemaker
+Run-TryBot: Roland Shoemaker
+
+Modified to apply to vendored code by: Sumedh Sharma
+ - Adjusted paths
+ - Removed reference to parse_test.go
+---
+
+diff --git a/vendor/golang.org/x/text/language/parse.go b/vendor/golang.org/x/text/language/parse.go
+index 59b0410..b982d9e 100644
+--- a/vendor/golang.org/x/text/language/parse.go
++++ b/vendor/golang.org/x/text/language/parse.go
+@@ -147,6 +147,7 @@
+ }
+ 
+ var errInvalidWeight = errors.New("ParseAcceptLanguage: invalid weight")
++var errTagListTooLarge = errors.New("tag list exceeds max length")
+ 
+ // ParseAcceptLanguage parses the contents of an Accept-Language header as
+ // defined in http://www.ietf.org/rfc/rfc2616.txt and returns a list of Tags and
+@@ -164,6 +165,10 @@
+ }
+ }()
+ 
++ if strings.Count(s, "-") > 1000 {
++ return nil, nil, errTagListTooLarge
++ }
++
+ var entry string
+ for s != "" {
+ if entry, s = split(s, ','); entry == "" {
diff --git a/SPECS/terraform/CVE-2023-4782.patch b/SPECS/terraform/CVE-2023-4782.patch
new file mode 100644
index 00000000000..577f2a1e566
--- /dev/null
+++ b/SPECS/terraform/CVE-2023-4782.patch
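Review bot: The dash-count guard added before the `var entry string` line patches the vendored copy of `golang.org/x/text/language/parse.go` without changing the module version recorded for `golang.org/x/text` (go.mod and vendor/modules.txt are not part of this change), so version-based tooling such as govulncheck or an SBOM audit will presumably keep reporting CVE-2022-32149 against this build even though the code path is fixed; a comment next to the spec's patch declaration stating that the vendored source is patched in place would save the next maintainer from re-investigating. The backport note says the upstream `parse_test.go` change was dropped, so nothing in the package exercises the new `strings.Count(s, "-") > 1000` branch; if the build runs the vendored tests, keeping the upstream regression test (or a minimal one calling `ParseAcceptLanguage` with more than 1000 dashes and asserting `errTagListTooLarge`) would give the guard coverage. The enclosing `ParseAcceptLanguage` body starts and ends outside the inner hunk.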
@@ -0,0 +1,91 @@
+From 0f2314fb62193c4be94328cc026fcb7ec1e9b893 Mon Sep 17 00:00:00 2001
+From: CJ Horton <17039873+radditude@users.noreply.github.com>
+Date: Wed, 30 Aug 2023 09:37:06 -0700
+Subject: [PATCH] initwd: require valid module name (#33745)
+
+We install remote modules prior to showing any validation errors during init
+so that we can show errors about the core version requirement before we do
+anything else. Unfortunately, this means that we don't validate module names
+until after remote modules have been installed, which may cause unexpected
+problems if we can't convert the module name into a valid path.
+---
+ internal/initwd/module_install.go | 7 +++++++
+ internal/initwd/module_install_test.go | 18 +++++++++++++++++++
+ .../invalid-module-name/child/main.tf | 3 +++
+ .../testdata/invalid-module-name/main.tf | 3 +++
+ 4 files changed, 31 insertions(+)
+ create mode 100644 internal/initwd/testdata/invalid-module-name/child/main.tf
+ create mode 100644 internal/initwd/testdata/invalid-module-name/main.tf
+
+diff --git a/internal/initwd/module_install.go b/internal/initwd/module_install.go
+index adc5dec..779deb9 100644
+--- a/internal/initwd/module_install.go
++++ b/internal/initwd/module_install.go
+@@ -11,6 +11,7 @@ import (
+ "strings"
+ 
+ version "github.com/hashicorp/go-version"
++ "github.com/hashicorp/hcl/v2/hclsyntax"
+ "github.com/hashicorp/terraform-config-inspect/tfconfig"
+ "github.com/hashicorp/terraform/internal/addrs"
+ "github.com/hashicorp/terraform/internal/earlyconfig"
+@@ -119,6 +120,12 @@ func (i *ModuleInstaller) installDescendentModules(ctx context.Context, rootMod
+ 
+ cfg, cDiags := earlyconfig.BuildConfig(rootMod, earlyconfig.ModuleWalkerFunc(
+ func(req *earlyconfig.ModuleRequest) (*tfconfig.Module, *version.Version, tfdiags.Diagnostics) {
++ if !hclsyntax.ValidIdentifier(req.Name) {
++ // A module with an invalid name shouldn't be installed at all. This is
This is ++ // mostly a concern for remote modules, since we need to be able to convert ++ // the name to a valid path. ++ return nil, nil, diags ++ } + + key := manifest.ModuleKey(req.Path) + instPath := i.packageInstallPath(req.Path) +diff --git a/internal/initwd/module_install_test.go b/internal/initwd/module_install_test.go +index b05c561..4edb323 100644 +--- a/internal/initwd/module_install_test.go ++++ b/internal/initwd/module_install_test.go +@@ -110,6 +110,24 @@ func TestModuleInstaller_error(t *testing.T) { + } + } + ++func TestModuleInstaller_invalidModuleName(t *testing.T) { ++ fixtureDir := filepath.Clean("testdata/invalid-module-name") ++ dir, done := tempChdir(t, fixtureDir) ++ defer done() ++ ++ hooks := &testInstallHooks{} ++ ++ modulesDir := filepath.Join(dir, ".terraform/modules") ++ inst := NewModuleInstaller(modulesDir, nil) ++ _, diags := inst.InstallModules(context.Background(), dir, false, hooks) ++ ++ if !diags.HasErrors() { ++ t.Fatal("expected error") ++ } else { ++ assertDiagnosticSummary(t, diags, "Invalid module instance name") ++ } ++} ++ + func TestModuleInstaller_packageEscapeError(t *testing.T) { + fixtureDir := filepath.Clean("testdata/load-module-package-escape") + dir, done := tempChdir(t, fixtureDir) +diff --git a/internal/initwd/testdata/invalid-module-name/child/main.tf b/internal/initwd/testdata/invalid-module-name/child/main.tf +new file mode 100644 +index 000000000000..6187fa659d2c +--- /dev/null ++++ b/internal/initwd/testdata/invalid-module-name/child/main.tf +@@ -0,0 +1,3 @@ ++output "boop" { ++ value = "beep" ++} +diff --git a/internal/initwd/testdata/invalid-module-name/main.tf b/internal/initwd/testdata/invalid-module-name/main.tf +new file mode 100644 +index 000000000000..316afe474c5c +--- /dev/null ++++ b/internal/initwd/testdata/invalid-module-name/main.tf +@@ -0,0 +1,3 @@ ++module "../invalid" { ++ source = "./child" ++} 
diff --git a/SPECS/terraform/terraform.spec b/SPECS/terraform/terraform.spec index 6f227491d64..b3e3f146d51 100644 --- a/SPECS/terraform/terraform.spec +++ b/SPECS/terraform/terraform.spec @@ -1,7 +1,7 @@ Summary: Infrastructure as code deployment management tool Name: terraform Version: 1.3.2 -Release: 18%{?dist} +Release: 19%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -31,7 +31,8 @@ Patch0: CVE-2023-44487.patch Patch1: CVE-2024-3817.patch Patch2: CVE-2024-6257.patch Patch3: CVE-2024-6104.patch - +Patch4: CVE-2022-32149.patch +Patch5: CVE-2023-4782.patch %global debug_package %{nil} %define our_gopath %{_topdir}/.gopath @@ -65,6 +66,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform %{_bindir}/terraform %changelog +* Thu Oct 10 2024 Sumedh Sharma - 1.3.2-19 +- Add patch to resolve CVE-2023-4782 & CVE-2022-32149 + * Mon Sep 09 2024 CBL-Mariner Servicing Account - 1.3.2-18 - Bump release to rebuild with go 1.22.7
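Review bot: The second hunk declares `Patch4: CVE-2022-32149.patch` and `Patch5: CVE-2023-4782.patch`, but the `%prep` section is outside this diff, so it is not visible here whether the spec applies patches via `%autosetup -p1` or explicit `%patch` lines; a declared-but-unapplied patch would leave both CVEs unfixed while the changelog entry says they are resolved, so please confirm the application mechanism covers the new numbers. The same hunk drops the blank line between `Patch3` and `%global debug_package %{nil}`; keeping that separator is a small readability win and keeps the diff to the intended change.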