From 77e717d96ae9cd559bb9e3ef5cd8470a7cdccec2 Mon Sep 17 00:00:00 2001 From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com> Date: Fri, 24 Jan 2025 15:21:47 -0800 Subject: [PATCH] [AUTO-CHERRYPICK] Patch terraform to fix CVE-2023-0475 - branch main (#12049) Co-authored-by: Sandeep Karambelkar --- SPECS/terraform/CVE-2023-0475.patch | 580 ++++++++++++++++++++++++++++ SPECS/terraform/terraform.spec | 11 +- 2 files changed, 586 insertions(+), 5 deletions(-) create mode 100644 SPECS/terraform/CVE-2023-0475.patch diff --git a/SPECS/terraform/CVE-2023-0475.patch b/SPECS/terraform/CVE-2023-0475.patch new file mode 100644 index 00000000000..217ffc12d6a --- /dev/null +++ b/SPECS/terraform/CVE-2023-0475.patch @@ -0,0 +1,580 @@ +From cf15d8405d9a700e9c25df7194d095b7dfdff914 Mon Sep 17 00:00:00 2001 +From: Kent 'picat' Gruber +Date: Wed, 8 Feb 2023 09:48:46 -0500 +Subject: [PATCH] Add decompression bomb mitigation options + +--- + decompress_bzip2.go | 9 +++- + decompress_gzip.go | 9 +++- + decompress_tar.go | 45 ++++++++++++++--- + decompress_tbz2.go | 16 +++++- + decompress_tgz.go | 16 +++++- + decompress_txz.go | 16 +++++- + decompress_tzst.go | 19 +++++-- + decompress_xz.go | 11 ++-- + decompress_zip.go | 33 ++++++++++-- + decompress_zstd.go | 14 ++++-- + get_file_copy.go | 6 ++- + get_gcs.go | 9 +++- + get_s3.go | 7 ++- + 16 files changed, 283 insertions(+), 33 deletions(-) + +diff --git a/vendor/github.com/hashicorp/go-getter/decompress_bzip2.go b/vendor/github.com/hashicorp/go-getter/decompress_bzip2.go +index a5373e4e1..6db0b3577 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress_bzip2.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress_bzip2.go +@@ -9,7 +9,12 @@ import ( + + // Bzip2Decompressor is an implementation of Decompressor that can + // decompress bz2 files. +-type Bzip2Decompressor struct{} ++type Bzip2Decompressor struct { ++ // FileSizeLimit limits the size of a decompressed file. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 ++} + + func (d *Bzip2Decompressor) Decompress(dst, src string, dir bool, umask os.FileMode) error { + // Directory isn't supported at all +@@ -33,5 +38,5 @@ func (d *Bzip2Decompressor) Decompress(dst, src string, dir bool, umask os.FileM + bzipR := bzip2.NewReader(f) + + // Copy it out +- return copyReader(dst, bzipR, 0622, umask) ++ return copyReader(dst, bzipR, 0622, umask, d.FileSizeLimit) + } +diff --git a/vendor/github.com/hashicorp/go-getter/decompress_gzip.go b/vendor/github.com/hashicorp/go-getter/decompress_gzip.go +index 669e5eafd..f94f2bcff 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress_gzip.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress_gzip.go +@@ -9,7 +9,12 @@ import ( + + // GzipDecompressor is an implementation of Decompressor that can + // decompress gzip files. +-type GzipDecompressor struct{} ++type GzipDecompressor struct { ++ // FileSizeLimit limits the size of a decompressed file. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 ++} + + func (d *GzipDecompressor) Decompress(dst, src string, dir bool, umask os.FileMode) error { + // Directory isn't supported at all +@@ -37,5 +42,5 @@ func (d *GzipDecompressor) Decompress(dst, src string, dir bool, umask os.FileMo + defer gzipR.Close() + + // Copy it out +- return copyReader(dst, gzipR, 0622, umask) ++ return copyReader(dst, gzipR, 0622, umask, d.FileSizeLimit) + } +diff --git a/vendor/github.com/hashicorp/go-getter/decompress_tar.go b/vendor/github.com/hashicorp/go-getter/decompress_tar.go +index ee1d29ca9..b5188c0e5 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress_tar.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress_tar.go +@@ -11,12 +11,25 @@ import ( + + // untar is a shared helper for untarring an archive. The reader should provide + // an uncompressed view of the tar archive. +-func untar(input io.Reader, dst, src string, dir bool, umask os.FileMode) error { ++func untar(input io.Reader, dst, src string, dir bool, umask os.FileMode, fileSizeLimit int64, filesLimit int) error { + tarR := tar.NewReader(input) + done := false + dirHdrs := []*tar.Header{} + now := time.Now() ++ ++ var ( ++ fileSize int64 ++ filesCount int ++ ) ++ + for { ++ if filesLimit > 0 { ++ filesCount++ ++ if filesCount > filesLimit { ++ return fmt.Errorf("tar archive contains too many files: %d > %d", filesCount, filesLimit) ++ } ++ } ++ + hdr, err := tarR.Next() + if err == io.EOF { + if !done { +@@ -45,7 +58,15 @@ func untar(input io.Reader, dst, src string, dir bool, umask os.FileMode) error + path = filepath.Join(path, hdr.Name) + } + +- if hdr.FileInfo().IsDir() { ++ fileInfo := hdr.FileInfo() ++ ++ fileSize += fileInfo.Size() ++ ++ if fileSizeLimit > 0 && fileSize > fileSizeLimit { ++ return fmt.Errorf("tar archive larger than limit: %d", fileSizeLimit) ++ } ++ ++ if fileInfo.IsDir() { + if !dir { + return fmt.Errorf("expected a single file: %s", src) + } +@@ -81,8 +102,8 @@ func untar(input io.Reader, dst, src string, dir bool, umask os.FileMode) error + // Mark that we're done so future in single file mode errors + done = true + +- // Open the file for writing +- err = copyReader(path, tarR, hdr.FileInfo().Mode(), umask) ++ // Size limit is tracked using the returned file info. ++ err = copyReader(path, tarR, hdr.FileInfo().Mode(), umask, 0) + if err != nil { + return err + } +@@ -127,7 +148,19 @@ func untar(input io.Reader, dst, src string, dir bool, umask os.FileMode) error + + // TarDecompressor is an implementation of Decompressor that can + // unpack tar files. +-type TarDecompressor struct{} ++type TarDecompressor struct { ++ // FileSizeLimit limits the total size of all ++ // decompressed files. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 ++ ++ // FilesLimit limits the number of files that are ++ // allowed to be decompressed. ++ // ++ // The zero value means no limit. ++ FilesLimit int ++} + + func (d *TarDecompressor) Decompress(dst, src string, dir bool, umask os.FileMode) error { + // If we're going into a directory we should make that first +@@ -146,5 +179,5 @@ func (d *TarDecompressor) Decompress(dst, src string, dir bool, umask os.FileMod + } + defer f.Close() + +- return untar(f, dst, src, dir, umask) ++ return untar(f, dst, src, dir, umask, d.FileSizeLimit, d.FilesLimit) + } +diff --git a/vendor/github.com/hashicorp/go-getter/decompress_tbz2.go b/vendor/github.com/hashicorp/go-getter/decompress_tbz2.go +index e2e5458c9..78609c9ff 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress_tbz2.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress_tbz2.go +@@ -8,7 +8,19 @@ import ( + + // TarBzip2Decompressor is an implementation of Decompressor that can + // decompress tar.bz2 files. +-type TarBzip2Decompressor struct{} ++type TarBzip2Decompressor struct { ++ // FileSizeLimit limits the total size of all ++ // decompressed files. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 ++ ++ // FilesLimit limits the number of files that are ++ // allowed to be decompressed. ++ // ++ // The zero value means no limit. ++ FilesLimit int ++} + + func (d *TarBzip2Decompressor) Decompress(dst, src string, dir bool, umask os.FileMode) error { + // If we're going into a directory we should make that first +@@ -29,5 +41,5 @@ func (d *TarBzip2Decompressor) Decompress(dst, src string, dir bool, umask os.Fi + + // Bzip2 compression is second + bzipR := bzip2.NewReader(f) +- return untar(bzipR, dst, src, dir, umask) ++ return untar(bzipR, dst, src, dir, umask, d.FileSizeLimit, d.FilesLimit) + } +diff --git a/vendor/github.com/hashicorp/go-getter/decompress_tgz.go b/vendor/github.com/hashicorp/go-getter/decompress_tgz.go +index 84c4aa33d..848f5e372 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress_tgz.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress_tgz.go +@@ -9,7 +9,19 @@ import ( + + // TarGzipDecompressor is an implementation of Decompressor that can + // decompress tar.gzip files. +-type TarGzipDecompressor struct{} ++type TarGzipDecompressor struct { ++ // FileSizeLimit limits the total size of all ++ // decompressed files. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 ++ ++ // FilesLimit limits the number of files that are ++ // allowed to be decompressed. ++ // ++ // The zero value means no limit. ++ FilesLimit int ++} + + func (d *TarGzipDecompressor) Decompress(dst, src string, dir bool, umask os.FileMode) error { + // If we're going into a directory we should make that first +@@ -35,5 +47,5 @@ func (d *TarGzipDecompressor) Decompress(dst, src string, dir bool, umask os.Fil + } + defer gzipR.Close() + +- return untar(gzipR, dst, src, dir, umask) ++ return untar(gzipR, dst, src, dir, umask, d.FileSizeLimit, d.FilesLimit) + } +diff --git a/vendor/github.com/hashicorp/go-getter/decompress_txz.go b/vendor/github.com/hashicorp/go-getter/decompress_txz.go +index 24686f454..42f6179a8 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress_txz.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress_txz.go +@@ -10,7 +10,19 @@ import ( + + // TarXzDecompressor is an implementation of Decompressor that can + // decompress tar.xz files. +-type TarXzDecompressor struct{} ++type TarXzDecompressor struct { ++ // FileSizeLimit limits the total size of all ++ // decompressed files. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 ++ ++ // FilesLimit limits the number of files that are ++ // allowed to be decompressed. ++ // ++ // The zero value means no limit. ++ FilesLimit int ++} + + func (d *TarXzDecompressor) Decompress(dst, src string, dir bool, umask os.FileMode) error { + // If we're going into a directory we should make that first +@@ -35,5 +47,5 @@ func (d *TarXzDecompressor) Decompress(dst, src string, dir bool, umask os.FileM + return fmt.Errorf("Error opening an xz reader for %s: %s", src, err) + } + +- return untar(txzR, dst, src, dir, umask) ++ return untar(txzR, dst, src, dir, umask, d.FileSizeLimit, d.FilesLimit) + } +diff --git a/vendor/github.com/hashicorp/go-getter/decompress_tzst.go b/vendor/github.com/hashicorp/go-getter/decompress_tzst.go +index a9f3da51e..3b086ced2 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress_tzst.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress_tzst.go +@@ -2,14 +2,27 @@ package getter + + import ( + "fmt" +- "github.com/klauspost/compress/zstd" + "os" + "path/filepath" ++ ++ "github.com/klauspost/compress/zstd" + ) + + // TarZstdDecompressor is an implementation of Decompressor that can + // decompress tar.zstd files. +-type TarZstdDecompressor struct{} ++type TarZstdDecompressor struct { ++ // FileSizeLimit limits the total size of all ++ // decompressed files. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 ++ ++ // FilesLimit limits the number of files that are ++ // allowed to be decompressed. ++ // ++ // The zero value means no limit. ++ FilesLimit int ++} + + func (d *TarZstdDecompressor) Decompress(dst, src string, dir bool, umask os.FileMode) error { + // If we're going into a directory we should make that first +@@ -35,5 +48,5 @@ func (d *TarZstdDecompressor) Decompress(dst, src string, dir bool, umask os.Fil + } + defer zstdR.Close() + +- return untar(zstdR, dst, src, dir, umask) ++ return untar(zstdR, dst, src, dir, umask, d.FileSizeLimit, d.FilesLimit) + } +diff --git a/vendor/github.com/hashicorp/go-getter/decompress_xz.go b/vendor/github.com/hashicorp/go-getter/decompress_xz.go +index de5d6ce2b..89fafd6bc 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress_xz.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress_xz.go +@@ -10,7 +10,12 @@ import ( + + // XzDecompressor is an implementation of Decompressor that can + // decompress xz files. +-type XzDecompressor struct{} ++type XzDecompressor struct { ++ // FileSizeLimit limits the size of a decompressed file. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 ++} + + func (d *XzDecompressor) Decompress(dst, src string, dir bool, umask os.FileMode) error { + // Directory isn't supported at all +@@ -36,6 +41,6 @@ func (d *XzDecompressor) Decompress(dst, src string, dir bool, umask os.FileMode + return err + } + +- // Copy it out +- return copyReader(dst, xzR, 0622, umask) ++ // Copy it out, potentially using a file size limit. ++ return copyReader(dst, xzR, 0622, umask, d.FileSizeLimit) + } +diff --git a/vendor/github.com/hashicorp/go-getter/decompress_zip.go b/vendor/github.com/hashicorp/go-getter/decompress_zip.go +index 943610aee..3ae80f298 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress_zip.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress_zip.go +@@ -9,7 +9,19 @@ import ( + + // ZipDecompressor is an implementation of Decompressor that can + // decompress zip files. +-type ZipDecompressor struct{} ++type ZipDecompressor struct { ++ // FileSizeLimit limits the total size of all ++ // decompressed files. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 ++ ++ // FilesLimit limits the number of files that are ++ // allowed to be decompressed. ++ // ++ // The zero value means no limit. ++ FilesLimit int ++} + + func (d *ZipDecompressor) Decompress(dst, src string, dir bool, umask os.FileMode) error { + // If we're going into a directory we should make that first +@@ -37,6 +49,12 @@ func (d *ZipDecompressor) Decompress(dst, src string, dir bool, umask os.FileMod + return fmt.Errorf("expected a single file: %s", src) + } + ++ if d.FilesLimit > 0 && len(zipR.File) > d.FilesLimit { ++ return fmt.Errorf("zip archive contains too many files: %d > %d", len(zipR.File), d.FilesLimit) ++ } ++ ++ var fileSizeTotal int64 ++ + // Go through and unarchive + for _, f := range zipR.File { + path := dst +@@ -49,7 +67,15 @@ func (d *ZipDecompressor) Decompress(dst, src string, dir bool, umask os.FileMod + path = filepath.Join(path, f.Name) + } + +- if f.FileInfo().IsDir() { ++ fileInfo := f.FileInfo() ++ ++ fileSizeTotal += fileInfo.Size() ++ ++ if d.FileSizeLimit > 0 && fileSizeTotal > d.FileSizeLimit { ++ return fmt.Errorf("zip archive larger than limit: %d", d.FileSizeLimit) ++ } ++ ++ if fileInfo.IsDir() { + if !dir { + return fmt.Errorf("expected a single file: %s", src) + } +@@ -80,7 +106,8 @@ func (d *ZipDecompressor) Decompress(dst, src string, dir bool, umask os.FileMod + return err + } + +- err = copyReader(path, srcF, f.Mode(), umask) ++ // Size limit is tracked using the returned file info. ++ err = copyReader(path, srcF, f.Mode(), umask, 0) + srcF.Close() + if err != nil { + return err +diff --git a/vendor/github.com/hashicorp/go-getter/decompress_zstd.go b/vendor/github.com/hashicorp/go-getter/decompress_zstd.go +index 6ff6c86a9..3922d27bd 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress_zstd.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress_zstd.go +@@ -2,14 +2,20 @@ package getter + + import ( + "fmt" +- "github.com/klauspost/compress/zstd" + "os" + "path/filepath" ++ ++ "github.com/klauspost/compress/zstd" + ) + + // ZstdDecompressor is an implementation of Decompressor that + // can decompress .zst files. +-type ZstdDecompressor struct{} ++type ZstdDecompressor struct { ++ // FileSizeLimit limits the size of a decompressed file. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 ++} + + func (d *ZstdDecompressor) Decompress(dst, src string, dir bool, umask os.FileMode) error { + if dir { +@@ -35,6 +41,6 @@ func (d *ZstdDecompressor) Decompress(dst, src string, dir bool, umask os.FileMo + } + defer zstdR.Close() + +- // Copy it out +- return copyReader(dst, zstdR, 0622, umask) ++ // Copy it out, potentially using a file size limit. ++ return copyReader(dst, zstdR, 0622, umask, d.FileSizeLimit) + } +diff --git a/vendor/github.com/hashicorp/go-getter/get_file_copy.go b/vendor/github.com/hashicorp/go-getter/get_file_copy.go +index 6eeda23ca..d6145cbac 100644 +--- a/vendor/github.com/hashicorp/go-getter/get_file_copy.go ++++ b/vendor/github.com/hashicorp/go-getter/get_file_copy.go +@@ -31,13 +31,17 @@ func Copy(ctx context.Context, dst io.Writer, src io.Reader) (int64, error) { + } + + // copyReader copies from an io.Reader into a file, using umask to create the dst file +-func copyReader(dst string, src io.Reader, fmode, umask os.FileMode) error { ++func copyReader(dst string, src io.Reader, fmode, umask os.FileMode, fileSizeLimit int64) error { + dstF, err := os.OpenFile(dst, os.O_RDWR|os.O_CREATE|os.O_TRUNC, fmode) + if err != nil { + return err + } + defer dstF.Close() + ++ if fileSizeLimit > 0 { ++ src = io.LimitReader(src, fileSizeLimit) ++ } ++ + _, err = io.Copy(dstF, src) + if err != nil { + return err +diff --git a/vendor/github.com/hashicorp/go-getter/get_gcs.go b/vendor/github.com/hashicorp/go-getter/get_gcs.go +index abf2f1d4f..0c2f96995 100644 +--- a/vendor/github.com/hashicorp/go-getter/get_gcs.go ++++ b/vendor/github.com/hashicorp/go-getter/get_gcs.go +@@ -25,6 +25,12 @@ type GCSGetter struct { + // Timeout sets a deadline which all GCS operations should + // complete within. Zero value means no timeout. + Timeout time.Duration ++ ++ // FileSizeLimit limits the size of an single ++ // decompressed file. ++ // ++ // The zero value means no limit. ++ FileSizeLimit int64 + } + + func (g *GCSGetter) ClientMode(u *url.URL) (ClientMode, error) { +@@ -179,7 +185,8 @@ func (g *GCSGetter) getObject(ctx context.Context, client *storage.Client, dst, + return err + } + +- return copyReader(dst, rc, 0666, g.client.umask()) ++ // There is no limit set for the size of an object from GCS ++ return copyReader(dst, rc, 0666, g.client.umask(), 0) + } + + func (g *GCSGetter) parseURL(u *url.URL) (bucket, path, fragment string, err error) { +diff --git a/vendor/github.com/hashicorp/go-getter/get_s3.go b/vendor/github.com/hashicorp/go-getter/get_s3.go +index 7e0d853ba..94291947c 100644 +--- a/vendor/github.com/hashicorp/go-getter/get_s3.go ++++ b/vendor/github.com/hashicorp/go-getter/get_s3.go +@@ -23,7 +23,9 @@ type S3Getter struct { + getter + + // Timeout sets a deadline which all S3 operations should +- // complete within. Zero value means no timeout. ++ // complete within. ++ // ++ // The zero value means timeout. + Timeout time.Duration + } + +@@ -207,7 +209,8 @@ func (g *S3Getter) getObject(ctx context.Context, client *s3.S3, dst, bucket, ke + } + defer body.Close() + +- return copyReader(dst, body, 0666, g.client.umask()) ++ // There is no limit set for the size of an object from S3 ++ return copyReader(dst, body, 0666, g.client.umask(), 0) + } + + func (g *S3Getter) getAWSConfig(region string, url *url.URL, creds *credentials.Credentials) *aws.Config { + +From b38771f0162e6ef445f793c8c62efc31d56d4297 Mon Sep 17 00:00:00 2001 +From: Seth Hoenig +Date: Thu, 9 Feb 2023 17:10:25 +0000 +Subject: [PATCH] decompressors: add LimitedDecompressors helper + +This PR adds helper function LimitedDecompressors(filesLimit, fileSizeLimit) +for creating the same suite of decompressors as Decompressors, but all configured +with the given filesLimit and fileSizeLimit (where applicable). +--- + decompress.go | 47 ++++++++++++++++++++++++++++--------------- + 2 files changed, 81 insertions(+), 16 deletions(-) + +diff --git a/vendor/github.com/hashicorp/go-getter/decompress.go b/vendor/github.com/hashicorp/go-getter/decompress.go +index 9db9e15c0..c0ca99bef 100644 +--- a/vendor/github.com/hashicorp/go-getter/decompress.go ++++ b/vendor/github.com/hashicorp/go-getter/decompress.go +@@ -18,21 +18,24 @@ type Decompressor interface { + Decompress(dst, src string, dir bool, umask os.FileMode) error + } + +-// Decompressors is the mapping of extension to the Decompressor implementation +-// that will decompress that extension/type. +-var Decompressors map[string]Decompressor +- +-func init() { +- tarDecompressor := new(TarDecompressor) +- tbzDecompressor := new(TarBzip2Decompressor) +- tgzDecompressor := new(TarGzipDecompressor) +- txzDecompressor := new(TarXzDecompressor) +- tzstDecompressor := new(TarZstdDecompressor) ++// LimitedDecompressors creates the set of Decompressors, but with each compressor configured ++// with the given filesLimit and/or fileSizeLimit where applicable. ++func LimitedDecompressors(filesLimit int, fileSizeLimit int64) map[string]Decompressor { ++ tarDecompressor := &TarDecompressor{FilesLimit: filesLimit, FileSizeLimit: fileSizeLimit} ++ tbzDecompressor := &TarBzip2Decompressor{FilesLimit: filesLimit, FileSizeLimit: fileSizeLimit} ++ tgzDecompressor := &TarGzipDecompressor{FilesLimit: filesLimit, FileSizeLimit: fileSizeLimit} ++ txzDecompressor := &TarXzDecompressor{FilesLimit: filesLimit, FileSizeLimit: fileSizeLimit} ++ tzstDecompressor := &TarZstdDecompressor{FilesLimit: filesLimit, FileSizeLimit: fileSizeLimit} ++ bzipDecompressor := &Bzip2Decompressor{FileSizeLimit: fileSizeLimit} ++ gzipDecompressor := &GzipDecompressor{FileSizeLimit: fileSizeLimit} ++ xzDecompressor := &XzDecompressor{FileSizeLimit: fileSizeLimit} ++ zipDecompressor := &ZipDecompressor{FilesLimit: filesLimit, FileSizeLimit: fileSizeLimit} ++ zstDecompressor := &ZstdDecompressor{FileSizeLimit: fileSizeLimit} + +- Decompressors = map[string]Decompressor{ +- "bz2": new(Bzip2Decompressor), +- "gz": new(GzipDecompressor), +- "xz": new(XzDecompressor), ++ return map[string]Decompressor{ ++ "bz2": bzipDecompressor, ++ "gz": gzipDecompressor, ++ "xz": xzDecompressor, + "tar": tarDecompressor, + "tar.bz2": tbzDecompressor, + "tar.gz": tgzDecompressor, +@@ -42,11 +45,23 @@ func init() { + "tgz": tgzDecompressor, + "txz": txzDecompressor, + "tzst": tzstDecompressor, +- "zip": new(ZipDecompressor), +- "zst": new(ZstdDecompressor), ++ "zip": zipDecompressor, ++ "zst": zstDecompressor, + } + } + ++const ( ++ noFilesLimit = 0 ++ noFileSizeLimit = 0 ++) ++ ++// Decompressors is the mapping of extension to the Decompressor implementation ++// configured with default settings that will decompress that extension/type. ++// ++// Note: these decompressors by default do not limit the number of files or the ++// maximum file size created by the decompressed payload. ++var Decompressors = LimitedDecompressors(noFilesLimit, noFileSizeLimit) ++ + // containsDotDot checks if the filepath value v contains a ".." entry. + // This will check filepath components by splitting along / or \. This + // function is copied directly from the Go net/http implementation. diff --git a/SPECS/terraform/terraform.spec b/SPECS/terraform/terraform.spec index 71921630f92..66400d80d1b 100644 --- a/SPECS/terraform/terraform.spec +++ b/SPECS/terraform/terraform.spec @@ -1,7 +1,7 @@ Summary: Infrastructure as code deployment management tool Name: terraform Version: 1.3.2 -Release: 21%{?dist} +Release: 22%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -35,6 +35,7 @@ Patch4: CVE-2022-32149.patch Patch5: CVE-2023-4782.patch Patch6: CVE-2024-24786.patch Patch7: CVE-2024-45338.patch +Patch8: CVE-2023-0475.patch %global debug_package %{nil} %define our_gopath %{_topdir}/.gopath @@ -44,10 +45,7 @@ BuildRequires: golang Terraform is an infrastructure as code deployment management tool %prep -%autosetup -N -# Apply vendor before patching -tar --no-same-owner -xf %{SOURCE1} -%autopatch -p1 +%autosetup -p1 -n %{name}-%{version} -a1 %build export GOPATH=%{our_gopath} @@ -68,6 +66,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform %{_bindir}/terraform %changelog +* Tue Jan 21 2025 Sandeep Karambelkar - 1.3.2-22 +- Add Patch for CVE-2023-0475 + * Mon Jan 06 2025 Sumedh Sharma - 1.3.2-21 - Add patch for CVE-2024-45338