vitess: Fix CVE-2024-45339 (#12172)

Co-authored-by: kavyasree <[email protected]> Co-authored-by: jslobodzian <[email protected]> (cherry picked from commit 45a3dcf)
microsoft · Feb 2, 2025 · 64a24e5 · 64a24e5
1 parent 03b17c4
commit 64a24e5
Show file tree

Hide file tree

Showing 2 changed files with 125 additions and 1 deletion.
diff --git a/SPECS/vitess/CVE-2024-45339.patch b/SPECS/vitess/CVE-2024-45339.patch
@@ -0,0 +1,120 @@
+From afd4339ec8682b92eb6bcc870d138106ffd5f58d Mon Sep 17 00:00:00 2001
+From: kavyasree <[email protected]>
+Date: Fri, 31 Jan 2025 21:16:51 +0530
+Subject: [PATCH] Patch CVE-2024-45339
+
+Reference: https://github.com/golang/glog/pull/74
+
+---
+ vendor/github.com/golang/glog/glog_file.go | 60 ++++++++++++++++------
+ 1 file changed, 44 insertions(+), 16 deletions(-)
+
+diff --git a/vendor/github.com/golang/glog/glog_file.go b/vendor/github.com/golang/glog/glog_file.go
+index e7d125c..6d239fa 100644
+--- a/vendor/github.com/golang/glog/glog_file.go
++++ b/vendor/github.com/golang/glog/glog_file.go
+@@ -118,32 +118,53 @@ var onceLogDirs sync.Once
+ // contains tag ("INFO", "FATAL", etc.) and t.  If the file is created
+ // successfully, create also attempts to update the symlink for that tag, ignoring
+ // errors.
+-func create(tag string, t time.Time) (f *os.File, filename string, err error) {
++func create(tag string, t time.Time, dir string) (f *os.File, filename string, err error) {
++	if dir != "" {
++		f, name, err := createInDir(dir, tag, t)
++		if err == nil {
++			return f, name, err
++		}
++		return nil, "", fmt.Errorf("log: cannot create log: %v", err)
++	}
++
+ 	onceLogDirs.Do(createLogDirs)
+ 	if len(logDirs) == 0 {
+ 		return nil, "", errors.New("log: no log dirs")
+ 	}
+-	name, link := logName(tag, t)
+ 	var lastErr error
+ 	for _, dir := range logDirs {
+-		fname := filepath.Join(dir, name)
+-		f, err := os.Create(fname)
++		f, name, err := createInDir(dir, tag, t)
+ 		if err == nil {
+-			symlink := filepath.Join(dir, link)
+-			os.Remove(symlink)        // ignore err
+-			os.Symlink(name, symlink) // ignore err
+-			if *logLink != "" {
+-				lsymlink := filepath.Join(*logLink, link)
+-				os.Remove(lsymlink)         // ignore err
+-				os.Symlink(fname, lsymlink) // ignore err
+-			}
+-			return f, fname, nil
++			return f, name, err
+ 		}
+ 		lastErr = err
+ 	}
+ 	return nil, "", fmt.Errorf("log: cannot create log: %v", lastErr)
+ }
+
++func createInDir(dir, tag string, t time.Time) (f *os.File, name string, err error) {
++	name, link := logName(tag, t)
++	fname := filepath.Join(dir, name)
++	// O_EXCL is important here, as it prevents a vulnerability. The general idea is that logs often
++	// live in an insecure directory (like /tmp), so an unprivileged attacker could create fname in
++	// advance as a symlink to a file the logging process can access, but the attacker cannot. O_EXCL
++	// fails the open if it already exists, thus prevent our this code from opening the existing file
++	// the attacker points us to.
++	f, err = os.OpenFile(fname, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)
++	if err == nil {
++		symlink := filepath.Join(dir, link)
++		os.Remove(symlink)        // ignore err
++		os.Symlink(name, symlink) // ignore err
++		if *logLink != "" {
++			lsymlink := filepath.Join(*logLink, link)
++			os.Remove(lsymlink)         // ignore err
++			os.Symlink(fname, lsymlink) // ignore err
++		}
++		return f, fname, nil
++	}
++	return nil, "", err
++}
++
+ // flushSyncWriter is the interface satisfied by logging destinations.
+ type flushSyncWriter interface {
+ 	Flush() error
+@@ -247,6 +268,7 @@ type syncBuffer struct {
+ 	names  []string
+ 	sev    logsink.Severity
+ 	nbytes uint64 // The number of bytes written to this file
++	madeAt time.Time
+ }
+
+ func (sb *syncBuffer) Sync() error {
+@@ -254,9 +276,14 @@ func (sb *syncBuffer) Sync() error {
+ }
+
+ func (sb *syncBuffer) Write(p []byte) (n int, err error) {
++	// Rotate the file if it is too large, but ensure we only do so,
++	// if rotate doesn't create a conflicting filename.
+ 	if sb.nbytes+uint64(len(p)) >= MaxSize {
+-		if err := sb.rotateFile(time.Now()); err != nil {
+-			return 0, err
++		now := timeNow()
++		if now.After(sb.madeAt.Add(1*time.Second)) || now.Second() != sb.madeAt.Second() {
++			if err := sb.rotateFile(now); err != nil {
++				return 0, err
++			}
+ 		}
+ 	}
+ 	n, err = sb.Writer.Write(p)
+@@ -274,7 +301,8 @@ const footer = "\nCONTINUED IN NEXT FILE\n"
+ func (sb *syncBuffer) rotateFile(now time.Time) error {
+ 	var err error
+ 	pn := "<none>"
+-	file, name, err := create(sb.sev.String(), now)
++	file, name, err := create(sb.sev.String(), now, "")
++	sb.madeAt = now
+
+ 	if sb.file != nil {
+ 		// The current log file becomes the previous log at the end of
+-- 
+2.34.1
+
diff --git a/SPECS/vitess/vitess.spec b/SPECS/vitess/vitess.spec
@@ -3,7 +3,7 @@
 
 Name:           vitess
 Version:        19.0.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        Database clustering system for horizontal scaling of MySQL
 # Upstream license specification: MIT and Apache-2.0
 License:        MIT and ASL 2.0
@@ -27,6 +27,7 @@ Source0:        %{name}-%{version}.tar.gz
 #
 Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2017-14623.patch 
+Patch1:		CVE-2024-45339.patch
 BuildRequires: golang < 1.23
 
 %description
@@ -104,6 +105,9 @@ go check -t go/cmd \
 %{_bindir}/*
 
 %changelog
+* Fri Jan 31 2025 Kavya Sree Kaitepalli <[email protected]> -19.0.4-4
+- Patch for CVE-2024-45339
+
 * Tue Oct 15 2024 Muhammad Falak <[email protected]> - 19.0.4-3
 - Pin golang version to <= 1.22