Patch CVE-2024-3817 in terraform's vendored go-getter (#8862)

Author: dmcilvaney

SPECS/terraform/CVE-2024-3817.patch

@@ -0,0 +1,36 @@
+From aa98faf317f26cd461740fd79bf67abb9890fa07 Mon Sep 17 00:00:00 2001
+From: Mark Collao <[email protected]>
+Date: Fri, 12 Apr 2024 14:06:23 -0500
+Subject: [PATCH] escape user provide string to git
+
+Modified to apply to vendored code by: Daniel McIlvaney <[email protected]>
+ - Adjusted paths to work for vendored version
+ - Removed test code since it is not included in vendor trace
+---
+ vendor/github.com/hashicorp/go-getter/get_git.go | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vendor/github.com/hashicorp/go-getter/get_git.go b/vendor/github.com/hashicorp/go-getter/get_git.go
+index db89ede..5227db7 100644
+--- a/vendor/github.com/hashicorp/go-getter/get_git.go
++++ b/vendor/github.com/hashicorp/go-getter/get_git.go
+@@ -200,7 +200,7 @@ func (g *GitGetter) clone(ctx context.Context, dst, sshKeyFile string, u *url.UR
+ 		args = append(args, "--depth", strconv.Itoa(depth))
+ 		args = append(args, "--branch", ref)
+ 	}
+-	args = append(args, u.String(), dst)
++	args = append(args, "--", u.String(), dst)
+
+ 	cmd := exec.CommandContext(ctx, "git", args...)
+ 	setupGitEnv(cmd, sshKeyFile)
+@@ -289,7 +289,7 @@ func findDefaultBranch(ctx context.Context, dst string) string {
+ // default branch. "master" is returned if no HEAD symref exists.
+ func findRemoteDefaultBranch(ctx context.Context, u *url.URL) string {
+ 	var stdoutbuf bytes.Buffer
+-	cmd := exec.CommandContext(ctx, "git", "ls-remote", "--symref", u.String(), "HEAD")
++	cmd := exec.CommandContext(ctx, "git", "ls-remote", "--symref", "--", u.String(), "HEAD")
+ 	cmd.Stdout = &stdoutbuf
+ 	err := cmd.Run()
+ 	matches := lsRemoteSymRefRegexp.FindStringSubmatch(stdoutbuf.String())
+--
+2.33.8

SPECS/terraform/terraform.spec

@@ -1,7 +1,7 @@
 Summary:        Infrastructure as code deployment management tool
 Name:           terraform
 Version:        1.3.2
-Release:        13%{?dist}
+Release:        14%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -28,10 +28,11 @@ Source0:        https://github.com/hashicorp/terraform/archive/refs/tags/v%{vers
 #       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2023-44487.patch
+Patch1:         CVE-2024-3817.patch
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
-BuildRequires:  golang <= 1.18.8
+BuildRequires:  golang
 
 %description
 Terraform is an infrastructure as code deployment management tool
@@ -61,6 +62,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform
 %{_bindir}/terraform
 
 %changelog
+* Mon Apr 22 2024 Daniel McIlvaney <[email protected]> - 1.3.2-14
+- Patch CVE-2024-3817 in vendored hashicorp/go-getter
+
 * Thu Feb 01 2024 Daniel McIlvaney <[email protected]> - 1.3.2-13
 - Address CVE-2023-44487 by patching vendored golang.org/x/net