From 9fee92b75650c2df1247d2730ac3309afb4a0f29 Mon Sep 17 00:00:00 2001
From: Pawel Winogrodzki <pawelwi@microsoft.com>
Date: Wed, 8 Jan 2025 02:45:42 +0100
Subject: [PATCH 1/6] Made `PackageBuild.yml` accept arbitrary input sources.
 (#11794)

---
 .pipelines/prchecks/PackageBuildPRCheck.yml   | 48 ++++++++++++++++---
 .pipelines/templates/PackageBuild.yml         | 40 ++++++----------
 .../templatesWithCheckout/SodiffCheck.yml     | 13 ++---
 3 files changed, 59 insertions(+), 42 deletions(-)

diff --git a/.pipelines/prchecks/PackageBuildPRCheck.yml b/.pipelines/prchecks/PackageBuildPRCheck.yml
index ea1426f5c3a..c3d412d897f 100644
--- a/.pipelines/prchecks/PackageBuildPRCheck.yml
+++ b/.pipelines/prchecks/PackageBuildPRCheck.yml
@@ -80,9 +80,11 @@ extends:
                       # GCC fails to build as a regular package.
                       ignoredSpecs: ["gcc"]
 
-                  - script: echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
+                  - script: |
+                      echo "##vso[task.setvariable variable=toolchainArtifactName;isOutput=true]$(ob_artifactBaseName)"
+                      echo "##vso[task.setvariable variable=toolchainTarballName;isOutput=true]toolchain_built_rpms_all.tar.gz"
                     name: "ToolchainArtifactName"
-                    displayName: "Set variable for published artifact name"
+                    displayName: "Set variables for published toolchain tarball"
 
                   # 1. Automatic publishing won't work if 'isCustom: true' is set on the pool. We cannot do 'isCustom: false' because
                   #    then OneBranch attempts to perform additional actions (adding build tags for instance), which require additional permissions
@@ -104,24 +106,38 @@ extends:
                   isCustom: true
                   name: ${{ configuration.agentPool }}
                 variables:
+                  inputArtifactsLocation: $(Agent.TempDirectory)
                   ob_artifactBaseName: $(rpmsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
                   ob_outputDirectory: $(Build.ArtifactStagingDirectory)
+                  outputRPMsTarballName: "rpms.tar.gz"
                   toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
+                  toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
                 steps:
+                  - task: DownloadPipelineArtifact@2
+                    displayName: "Download toolchain"
+                    inputs:
+                      artifact: $(toolchainArtifactName)
+                      patterns: "**/$(toolchainTarballName)"
+                      targetPath: $(inputArtifactsLocation)
+
                   - template: .pipelines/templates/PackageBuild.yml@self
                     parameters:
                       checkBuildRetries: "1"
-                      customToolchainArtifactName: $(toolchainArtifactName)
+                      customToolchainTarballName: $(toolchainTarballName)
+                      inputArtifactsFolder: $(inputArtifactsLocation)
                       isCheckBuild: true
                       isQuickRebuildPackages: true
                       isUseCCache: true
                       maxCPU: "${{ configuration.maxCPUs }}"
                       outputArtifactsFolder: $(ob_outputDirectory)
+                      outputRPMsTarballName: $(outputRPMsTarballName)
                       pipArtifactFeeds: "mariner/Mariner-Pypi-Feed"
                       selfRepoName: self
                       testSuiteName: "[${{ configuration.name }}] Package test"
 
-                  - script: echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
+                  - script: |
+                      echo "##vso[task.setvariable variable=rpmsArtifactName;isOutput=true]$(ob_artifactBaseName)"
+                      echo "##vso[task.setvariable variable=rpmsTarballName;isOutput=true]$(outputRPMsTarballName)"
                     name: "RPMsArtifactName"
                     displayName: "Set variable for published artifact name"
 
@@ -142,15 +158,25 @@ extends:
                   isCustom: true
                   name: ${{ configuration.agentPool }}
                 variables:
+                  inputArtifactsLocation: $(Agent.TempDirectory)
                   ob_artifactBaseName: $(toolchainTestsArtifactNameBase)_${{ configuration.name }}_$(System.JobAttempt)
                   ob_outputDirectory: $(Build.ArtifactStagingDirectory)
                   testListFromToolchain: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['CalculateToolchainPackageRetestList.toolchainPackageRetestList'] ]
                   toolchainArtifactName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainArtifactName'] ]
+                  toolchainTarballName: $[ stageDependencies.Toolchain_${{ configuration.name }}.Build.outputs['ToolchainArtifactName.toolchainTarballName'] ]
                 steps:
+                  - task: DownloadPipelineArtifact@2
+                    displayName: "Download toolchain"
+                    inputs:
+                      artifact: $(toolchainArtifactName)
+                      patterns: "**/$(toolchainTarballName)"
+                      targetPath: $(inputArtifactsLocation)
+
                   - template: .pipelines/templates/PackageBuild.yml@self
                     parameters:
                       checkBuildRetries: "1"
-                      customToolchainArtifactName: $(toolchainArtifactName)
+                      customToolchainTarballName: $(toolchainTarballName)
+                      inputArtifactsFolder: $(inputArtifactsLocation)
                       isAllowToolchainRebuilds: true
                       isCheckBuild: true
                       isQuickRebuildPackages: true
@@ -179,8 +205,18 @@ extends:
                   isCustom: true
                   name: ${{ configuration.agentPool }}
                 variables:
+                  inputArtifactsLocation: $(Agent.TempDirectory)
                   rpmsArtifactName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsArtifactName'] ]
+                  rpmsTarballName: $[ stageDependencies.RPMs_${{ configuration.name }}.BuildAndTest.outputs['RPMsArtifactName.rpmsTarballName'] ]
                 steps:
+                  - task: DownloadPipelineArtifact@2
+                    displayName: "Download RPMs tarball"
+                    inputs:
+                      artifact: $(rpmsArtifactName)
+                      patterns: "**/$(rpmsTarballName)"
+                      targetPath: $(inputArtifactsLocation)
+
                   - template: .pipelines/templatesWithCheckout/SodiffCheck.yml@self
                     parameters:
-                      inputArtifactName: $(rpmsArtifactName)
+                      inputArtifactsFolder: $(inputArtifactsLocation)
+                      inputRPMsTarballName: $(rpmsTarballName)
diff --git a/.pipelines/templates/PackageBuild.yml b/.pipelines/templates/PackageBuild.yml
index 4ce30b7e65f..abb9ac1d9ca 100644
--- a/.pipelines/templates/PackageBuild.yml
+++ b/.pipelines/templates/PackageBuild.yml
@@ -14,13 +14,9 @@ parameters:
     type: number
     default: 12
 
-  - name: customToolchainArtifactName
-    type: string
-    default: ""
-
   - name: customToolchainTarballName
     type: string
-    default: "toolchain_built_rpms_all.tar.gz"
+    default: ""
 
   - name: extraPackageRepos
     type: string
@@ -30,12 +26,16 @@ parameters:
     type: boolean
     default: true
 
-  - name: inputCacheArtifacts
+  - name: inputArtifactsFolder
+    type: string
+    default: "$(Agent.TempDirectory)"
+
+  - name: inputCacheRPMsTarballs
     type: object
     default: []
     # Sample:
-    # - name: build-artifacts
-    #   rpmsTarball: cache.tar.gz
+    #   - cache.tar.gz
+    #   - cache2.tar.gz
 
   - name: isAllowToolchainRebuilds
     type: string
@@ -160,15 +160,9 @@ steps:
           artifactFeeds: "${{ parameters.pipArtifactFeeds }}"
         displayName: "Authenticate to custom pip artifact feeds"
 
-  - ${{ if parameters.customToolchainArtifactName }}:
-      - task: DownloadPipelineArtifact@2
-        displayName: "Download toolchain"
-        inputs:
-          artifact: "${{ parameters.customToolchainArtifactName }}"
-          patterns: "**/${{ parameters.customToolchainTarballName }}"
-
+  - ${{ if parameters.customToolchainTarballName }}:
       - script: |
-          toolchain_archive="$(find "$(Pipeline.Workspace)" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
+          toolchain_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.customToolchainTarballName }}" -print -quit)"
           if [[ ! -f "$toolchain_archive" ]]; then
             echo "ERROR: toolchain archive not found!" >&2
             exit 1
@@ -178,17 +172,11 @@ steps:
           sudo make -C "${{ parameters.buildRepoRoot }}/toolkit" toolchain TOOLCHAIN_ARCHIVE="$toolchain_archive"
         displayName: "Populate toolchain"
 
-  - ${{ each inputCacheArtifact in parameters.inputCacheArtifacts }}:
-      - task: DownloadPipelineArtifact@2
-        displayName: "Download input cache RPM from ${{ inputCacheArtifact.name }}"
-        inputs:
-          artifact: "${{ inputCacheArtifact.name }}"
-          patterns: "**/${{ inputCacheArtifact.rpmsTarball }}"
-
+  - ${{ each inputCacheRPMsTarball in parameters.inputCacheRPMsTarballs }}:
       - script: |
-          rpms_archive="$(find "$(Pipeline.Workspace)" -name "${{ inputCacheArtifact.rpmsTarball }}" -print -quit)"
+          rpms_archive="$(find "${{ parameters.inputArtifactsFolder }}" -name "${{ inputCacheRPMsTarball }}" -print -quit)"
           if [[ ! -f "$rpms_archive" ]]; then
-            echo "ERROR: cache RPMs archive '${{ inputCacheArtifact.rpmsTarball }}' not found!" >&2
+            echo "ERROR: cache RPMs archive '${{ inputCacheRPMsTarball }}' not found!" >&2
             exit 1
           fi
 
@@ -200,7 +188,7 @@ steps:
         check_build_retries_arg="CHECK_BUILD_RETRIES=${{ parameters.checkBuildRetries }}"
       fi
 
-      if [[ -n "${{ parameters.customToolchainArtifactName }}" ]]; then
+      if [[ -n "${{ parameters.customToolchainTarballName }}" ]]; then
         toolchain_archive_arg="TOOLCHAIN_ARCHIVE=$(toolchainArchive)"
       fi
 
diff --git a/.pipelines/templatesWithCheckout/SodiffCheck.yml b/.pipelines/templatesWithCheckout/SodiffCheck.yml
index 76971d60407..58ed7295167 100644
--- a/.pipelines/templatesWithCheckout/SodiffCheck.yml
+++ b/.pipelines/templatesWithCheckout/SodiffCheck.yml
@@ -6,8 +6,9 @@ parameters:
     type: string
     default: "$(Build.SourcesDirectory)"
 
-  - name: inputArtifactName
+  - name: inputArtifactsFolder
     type: string
+    default: "$(Agent.TempDirectory)"
 
   - name: inputRPMsTarballName
     type: string
@@ -26,19 +27,11 @@ parameters:
     default: "$(Agent.TempDirectory)/SourcesWorkspace"
 
 steps:
-  - task: DownloadPipelineArtifact@2
-    displayName: "Download sources for signing"
-    inputs:
-      artifact: ${{ parameters.inputArtifactName }}
-      patterns: |
-        **/${{ parameters.inputRPMsTarballName }}
-      targetPath: "$(Agent.TempDirectory)"
-
   - script: |
       set -e
 
       mkdir -p "${{ parameters.sourcesWorkspace }}"
-      find "$(Agent.TempDirectory)" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
+      find "${{ parameters.inputArtifactsFolder }}" -name "${{ parameters.inputRPMsTarballName }}" -print0 | xargs -0 -n 1 tar -C "${{ parameters.sourcesWorkspace }}" -xkf
     displayName: "Extract sources tarball"
 
   - script: |

From 98b7fda4cf0b8e1377711063d9f34c1a8e727c50 Mon Sep 17 00:00:00 2001
From: Muhammad Falak R Wani <falakreyaz@gmail.com>
Date: Thu, 9 Jan 2025 01:26:32 +0530
Subject: [PATCH 2/6] socat: address CVE-2024-54661 (#11730)

Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
---
 SPECS/socat/CVE-2024-54661.patch | 37 ++++++++++++++++++++++++++++++++
 SPECS/socat/socat.spec           |  8 +++++--
 2 files changed, 43 insertions(+), 2 deletions(-)
 create mode 100644 SPECS/socat/CVE-2024-54661.patch

diff --git a/SPECS/socat/CVE-2024-54661.patch b/SPECS/socat/CVE-2024-54661.patch
new file mode 100644
index 00000000000..33c0f20e99e
--- /dev/null
+++ b/SPECS/socat/CVE-2024-54661.patch
@@ -0,0 +1,37 @@
+From be474a81dc2d9010ac16f9690f97cf7ff68b36d7 Mon Sep 17 00:00:00 2001
+From: Muhammad Falak R Wani <falakreyaz@gmail.com>
+Date: Sun, 29 Dec 2024 17:47:45 +0530
+Subject: [PATCH] CVE-2024-54661: Arbitrary file overwrite in readline.sh
+
+Link: https://repo.or.cz/socat.git/commit/4ee1f31cf80019c5907876576d6dfd49368d660f
+Author:	Gerhard Rieger <gerhard@dest-unreach.org>
+Signed-off-by: Muhammad Falak R Wani <falakreyaz@gmail.com>
+---
+ readline.sh | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/readline.sh b/readline.sh
+index b6f8438..1045303 100755
+--- a/readline.sh
++++ b/readline.sh
+@@ -22,9 +22,15 @@ if [ "$withhistfile" ]; then
+ else
+     HISTOPT=
+ fi
+-mkdir -p /tmp/$USER || exit 1
+ #
+ #
+ 
+-exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>/tmp/$USER/stderr2
++if test -w .; then
++    STDERR=./socat-readline.${1##*/}.log
++    rm -f $STDERR
++else
++    STDERR=/dev/null
++fi
++
++exec socat -d readline"$HISTOPT",noecho='[Pp]assword:' exec:"$PROGRAM",sigint,pty,setsid,ctty,raw,echo=0,stderr 2>$STDERR
+ 
+-- 
+2.40.1
+
diff --git a/SPECS/socat/socat.spec b/SPECS/socat/socat.spec
index f6902ed92ab..2c1e8e6d5c7 100644
--- a/SPECS/socat/socat.spec
+++ b/SPECS/socat/socat.spec
@@ -1,19 +1,20 @@
 Summary:        Multipurpose relay (SOcket CAT)
 Name:           socat
 Version:        1.7.4.3
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        GPL2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Applications/Internet
 URL:            http://www.dest-unreach.org/socat
 Source0:        http://www.dest-unreach.org/socat/download/%{name}-%{version}.tar.gz
+Patch0:         CVE-2024-54661.patch
 
 %description
 Socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them. Because the streams can be constructed from a large set of different types of data sinks and sources (see address types), and because lots of address options may be applied to the streams, socat can be used for many different purposes.
 
 %prep
-%setup -q
+%autosetup -p1
 
 %build
 ./configure --prefix=%{_prefix} --sysconfdir=%{_sysconfdir}
@@ -36,6 +37,9 @@ make %{?_smp_mflags} test
 %{_mandir}/man1/*
 
 %changelog
+* Sun Dec 29 2024 Muhammad Falak <mwani@microsoft.com> - 1.7.4.3-2
+- Patch CVE-2024-54661
+
 * Mon Jan 24 2022 Neha Agarwal <nehaagarwal@microsoft.com> - 1.7.4.3-1
 - Update to version 1.7.4.3.
 

From 07463a4aa268d24bccaa526f6b5e27dfe4fcb52c Mon Sep 17 00:00:00 2001
From: Sumedh Alok Sharma <sumsharma@microsoft.com>
Date: Thu, 9 Jan 2025 01:28:02 +0530
Subject: [PATCH 3/6] Patch terraform for CVE-2024-45338 (#11780)

Co-authored-by: jslobodzian <joslobo@microsoft.com>
---
 SPECS/terraform/CVE-2024-45338.patch | 80 ++++++++++++++++++++++++++++
 SPECS/terraform/terraform.spec       |  6 ++-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/terraform/CVE-2024-45338.patch

diff --git a/SPECS/terraform/CVE-2024-45338.patch b/SPECS/terraform/CVE-2024-45338.patch
new file mode 100644
index 00000000000..c2fb46031c5
--- /dev/null
+++ b/SPECS/terraform/CVE-2024-45338.patch
@@ -0,0 +1,80 @@
+From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 04 Dec 2024 09:35:55 -0800
+Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ vendor/golang.org/x/net/html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 038941d..cb012d8 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
+-- 
+2.25.1
+
diff --git a/SPECS/terraform/terraform.spec b/SPECS/terraform/terraform.spec
index bb409a78f64..71921630f92 100644
--- a/SPECS/terraform/terraform.spec
+++ b/SPECS/terraform/terraform.spec
@@ -1,7 +1,7 @@
 Summary:        Infrastructure as code deployment management tool
 Name:           terraform
 Version:        1.3.2
-Release:        20%{?dist}
+Release:        21%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -34,6 +34,7 @@ Patch3:         CVE-2024-6104.patch
 Patch4:         CVE-2022-32149.patch
 Patch5:         CVE-2023-4782.patch
 Patch6:         CVE-2024-24786.patch
+Patch7:         CVE-2024-45338.patch
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -67,6 +68,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform
 %{_bindir}/terraform
 
 %changelog
+* Mon Jan 06 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.3.2-21
+- Add patch for CVE-2024-45338
+
 * Wed Dec 04 2024 bhapathak <bhapathak@microsoft.com> - 1.3.2-20
 - Patch CVE-2024-24786
 

From bd7017f898c82c4460adcd99d14dd38118f6850d Mon Sep 17 00:00:00 2001
From: Sumedh Alok Sharma <sumsharma@microsoft.com>
Date: Thu, 9 Jan 2025 01:30:31 +0530
Subject: [PATCH 4/6] Patch influxdb for CVE-2024-45338 (#11766)

Co-authored-by: jslobodzian <joslobo@microsoft.com>
---
 SPECS/influxdb/CVE-2024-45338.patch | 80 +++++++++++++++++++++++++++++
 SPECS/influxdb/influxdb.spec        |  6 ++-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/influxdb/CVE-2024-45338.patch

diff --git a/SPECS/influxdb/CVE-2024-45338.patch b/SPECS/influxdb/CVE-2024-45338.patch
new file mode 100644
index 00000000000..c2fb46031c5
--- /dev/null
+++ b/SPECS/influxdb/CVE-2024-45338.patch
@@ -0,0 +1,80 @@
+From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 04 Dec 2024 09:35:55 -0800
+Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ vendor/golang.org/x/net/html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 038941d..cb012d8 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
+-- 
+2.25.1
+
diff --git a/SPECS/influxdb/influxdb.spec b/SPECS/influxdb/influxdb.spec
index 82a3858e772..1d0574464f2 100644
--- a/SPECS/influxdb/influxdb.spec
+++ b/SPECS/influxdb/influxdb.spec
@@ -18,7 +18,7 @@
 Summary:        Scalable datastore for metrics, events, and real-time analytics
 Name:           influxdb
 Version:        2.6.1
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -58,6 +58,7 @@ Source6:        influxdb-user.conf
 Patch0:         CVE-2024-6104.patch
 Patch1:         CVE-2022-32149.patch
 Patch2:         CVE-2024-24786.patch
+Patch3:         CVE-2024-45338.patch
 BuildRequires:  clang
 BuildRequires:  golang <= 1.18.8
 BuildRequires:  kernel-headers
@@ -147,6 +148,9 @@ go test ./...
 %{_tmpfilesdir}/influxdb.conf
 
 %changelog
+* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 2.6.1-19
+- Add patch for CVE-2024-45338
+
 * Mon Dec 09 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 2.6.1-18
 - Patch for CVE-2024-24786
 

From ee194d9ed7b0d839685e61840c784eba4dfd0a7b Mon Sep 17 00:00:00 2001
From: Sumedh Alok Sharma <sumsharma@microsoft.com>
Date: Thu, 9 Jan 2025 01:31:07 +0530
Subject: [PATCH 5/6] Patch containerized-data-importer for CVE-2024-45338
 (#11778)

Co-authored-by: jslobodzian <joslobo@microsoft.com>
---
 .../CVE-2024-45338.patch                      | 80 +++++++++++++++++++
 .../containerized-data-importer.spec          |  6 +-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/containerized-data-importer/CVE-2024-45338.patch

diff --git a/SPECS/containerized-data-importer/CVE-2024-45338.patch b/SPECS/containerized-data-importer/CVE-2024-45338.patch
new file mode 100644
index 00000000000..c2fb46031c5
--- /dev/null
+++ b/SPECS/containerized-data-importer/CVE-2024-45338.patch
@@ -0,0 +1,80 @@
+From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 04 Dec 2024 09:35:55 -0800
+Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ vendor/golang.org/x/net/html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a..bca3ae9 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9d..e8515d8 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 038941d..cb012d8 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
+-- 
+2.25.1
+
diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec
index fc6de401ba8..9a5c8999578 100644
--- a/SPECS/containerized-data-importer/containerized-data-importer.spec
+++ b/SPECS/containerized-data-importer/containerized-data-importer.spec
@@ -18,7 +18,7 @@
 Summary:        Container native virtualization
 Name:           containerized-data-importer
 Version:        1.55.0
-Release:        21%{?dist}
+Release:        22%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -38,6 +38,7 @@ Patch1:         CVE-2024-3727.patch
 Patch2:         CVE-2022-41717.patch
 Patch3:         CVE-2022-32149.patch
 Patch4:         CVE-2024-28180.patch
+Patch5:         CVE-2024-45338.patch
 
 %description
 Containerized-Data-Importer (CDI) is a persistent storage management add-on for Kubernetes
@@ -205,6 +206,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m
 %{_datadir}/cdi/manifests
 
 %changelog
+* Mon Jan 06 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.55.0-22
+- Add patch for CVE-2024-45338
+
 * Mon Sep 09 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.55.0-21
 - Bump release to rebuild with go 1.22.7
 

From 7b739b6039357b4b6b37547570afb64272571865 Mon Sep 17 00:00:00 2001
From: Sumedh Alok Sharma <sumsharma@microsoft.com>
Date: Thu, 9 Jan 2025 01:31:32 +0530
Subject: [PATCH 6/6] Patch kubernetes for CVE-2024-45338 (#11765)

Co-authored-by: jslobodzian <joslobo@microsoft.com>
---
 SPECS/kubernetes/CVE-2024-45338.patch | 80 +++++++++++++++++++++++++++
 SPECS/kubernetes/kubernetes.spec      |  6 +-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/kubernetes/CVE-2024-45338.patch

diff --git a/SPECS/kubernetes/CVE-2024-45338.patch b/SPECS/kubernetes/CVE-2024-45338.patch
new file mode 100644
index 00000000000..f091755ef68
--- /dev/null
+++ b/SPECS/kubernetes/CVE-2024-45338.patch
@@ -0,0 +1,80 @@
+From 8e66b04771e35c4e4125e8c60334b34e2423effb Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Wed, 04 Dec 2024 09:35:55 -0800
+Subject: [PATCH] html: use strings.EqualFold instead of lowering ourselves
+
+Instead of using strings.ToLower and == to check case insensitive
+equality, just use strings.EqualFold, even when the strings are only
+ASCII. This prevents us unnecessarily lowering extremely long strings,
+which can be a somewhat expensive operation, even if we're only
+attempting to compare equality with five characters.
+
+Thanks to Guido Vranken for reporting this issue.
+
+Fixes golang/go#70906
+Fixes CVE-2024-45338
+
+Change-Id: I323b919f912d60dab6a87cadfdcac3e6b54cd128
+Reviewed-on: https://go-review.googlesource.com/c/net/+/637536
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Auto-Submit: Gopher Robot <gobot@golang.org>
+Reviewed-by: Roland Shoemaker <roland@golang.org>
+Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
+---
+ vendor/golang.org/x/net/html/doctype.go | 2 +-
+ vendor/golang.org/x/net/html/foreign.go | 3 +--
+ vendor/golang.org/x/net/html/parse.go   | 4 ++--
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/html/doctype.go b/vendor/golang.org/x/net/html/doctype.go
+index c484e5a9..bca3ae9a 100644
+--- a/vendor/golang.org/x/net/html/doctype.go
++++ b/vendor/golang.org/x/net/html/doctype.go
+@@ -87,7 +87,7 @@ func parseDoctype(s string) (n *Node, quirks bool) {
+ 			}
+ 		}
+ 		if lastAttr := n.Attr[len(n.Attr)-1]; lastAttr.Key == "system" &&
+-			strings.ToLower(lastAttr.Val) == "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd" {
++			strings.EqualFold(lastAttr.Val, "http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd") {
+ 			quirks = true
+ 		}
+ 	}
+diff --git a/vendor/golang.org/x/net/html/foreign.go b/vendor/golang.org/x/net/html/foreign.go
+index 9da9e9dc..e8515d8e 100644
+--- a/vendor/golang.org/x/net/html/foreign.go
++++ b/vendor/golang.org/x/net/html/foreign.go
+@@ -40,8 +40,7 @@ func htmlIntegrationPoint(n *Node) bool {
+ 		if n.Data == "annotation-xml" {
+ 			for _, a := range n.Attr {
+ 				if a.Key == "encoding" {
+-					val := strings.ToLower(a.Val)
+-					if val == "text/html" || val == "application/xhtml+xml" {
++					if strings.EqualFold(a.Val, "text/html") || strings.EqualFold(a.Val, "application/xhtml+xml") {
+ 						return true
+ 					}
+ 				}
+diff --git a/vendor/golang.org/x/net/html/parse.go b/vendor/golang.org/x/net/html/parse.go
+index 46a89eda..5b8374bf 100644
+--- a/vendor/golang.org/x/net/html/parse.go
++++ b/vendor/golang.org/x/net/html/parse.go
+@@ -1031,7 +1031,7 @@ func inBodyIM(p *parser) bool {
+ 			if p.tok.DataAtom == a.Input {
+ 				for _, t := range p.tok.Attr {
+ 					if t.Key == "type" {
+-						if strings.ToLower(t.Val) == "hidden" {
++						if strings.EqualFold(t.Val, "hidden") {
+ 							// Skip setting framesetOK = false
+ 							return true
+ 						}
+@@ -1459,7 +1459,7 @@ func inTableIM(p *parser) bool {
+ 			return inHeadIM(p)
+ 		case a.Input:
+ 			for _, t := range p.tok.Attr {
+-				if t.Key == "type" && strings.ToLower(t.Val) == "hidden" {
++				if t.Key == "type" && strings.EqualFold(t.Val, "hidden") {
+ 					p.addElement()
+ 					p.oe.pop()
+ 					return true
+-- 
+2.25.1
+
diff --git a/SPECS/kubernetes/kubernetes.spec b/SPECS/kubernetes/kubernetes.spec
index 3b018cc3b52..b40fd5fd053 100644
--- a/SPECS/kubernetes/kubernetes.spec
+++ b/SPECS/kubernetes/kubernetes.spec
@@ -10,7 +10,7 @@
 Summary:        Microsoft Kubernetes
 Name:           kubernetes
 Version:        1.28.4
-Release:        12%{?dist}
+Release:        13%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -24,6 +24,7 @@ Patch2:         CVE-2023-5408.patch
 Patch3:         CVE-2023-45288.patch
 Patch4:         CVE-2024-28180.patch
 Patch5:         CVE-2024-24786.patch
+Patch6:         CVE-2024-45338.patch
 BuildRequires:  flex-devel
 BuildRequires:  glibc-static >= 2.35-7%{?dist}
 BuildRequires:  golang
@@ -270,6 +271,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 
 %changelog
+* Fri Jan 03 2025 Sumedh Sharma <sumsharma@microsoft.com> - 1.28.4-13
+- Add patch for CVE-2024-45338
+
 * Mon Oct 14 2024 Henry Li <lihl@microsoft.com> - 1.28.4-12
 - Add patch to resolve CVE-2024-24786