[AutoPR- Security] Patch helm for CVE-2025-55198 [MEDIUM] (microsoft#14699)

azurelinux-security · web-flow · commit 15495473527b · 2025-09-22T12:50:24.000+05:30
diff --git a/SPECS/helm/CVE-2025-55198.patch b/SPECS/helm/CVE-2025-55198.patch
@@ -0,0 +1,117 @@
+From 3c6378423df820eff9d876b25297470e5bb50974 Mon Sep 17 00:00:00 2001
+From: Matt Farina <matt.farina@suse.com>
+Date: Tue, 29 Jul 2025 15:37:57 -0400
+Subject: [PATCH 1/2] Handle messy index files
+
+Signed-off-by: Matt Farina <matt.farina@suse.com>
+(cherry picked from commit 69efc0d4fbcc143e0b196253f6e82808aaa57fc3)
+(cherry picked from commit 039b0b18d3c83c9aa3a80da67f3cf1c2d965a598)
+---
+ pkg/repo/index.go      | 1 +
+ pkg/repo/index_test.go | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/pkg/repo/index.go b/pkg/repo/index.go
+index 8009c15..c55fc65 100644
+--- a/pkg/repo/index.go
++++ b/pkg/repo/index.go
+@@ -357,6 +357,7 @@ func loadIndex(data []byte, source string) (*IndexFile, error) {
+ 		for idx := len(cvs) - 1; idx >= 0; idx-- {
+ 			if cvs[idx] == nil {
+ 				log.Printf("skipping loading invalid entry for chart %q from %s: empty entry", name, source)
++				cvs = append(cvs[:idx], cvs[idx+1:]...)
+ 				continue
+ 			}
+ 			// When metadata section missing, initialize with no data
+diff --git a/pkg/repo/index_test.go b/pkg/repo/index_test.go
+index eb9e245..22e87f6 100644
+--- a/pkg/repo/index_test.go
++++ b/pkg/repo/index_test.go
+@@ -67,6 +67,7 @@ entries:
+   grafana:
+   - apiVersion: v2
+     name: grafana
++  - null
+   foo:
+   -
+   bar:
+-- 
+2.45.4
+
+
+From c1286a4ff5d56d6d4c76ba0b76297f4343af34e3 Mon Sep 17 00:00:00 2001
+From: Matt Farina <matt.farina@suse.com>
+Date: Thu, 31 Jul 2025 09:25:12 -0400
+Subject: [PATCH 2/2] fix Chart.yaml handling
+
+Signed-off-by: Matt Farina <matt.farina@suse.com>
+(cherry picked from commit f13afaacd6f8f9dca4ad914d87fabbe129692eda)
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/helm/helm/commit/ec5f59e2db56533d042a124f5bae54dd87b558e6.patch
+---
+ pkg/chartutil/dependencies.go    |  5 +++--
+ pkg/lint/rules/chartfile.go      |  3 +++
+ pkg/lint/rules/chartfile_test.go | 10 ++++++++++
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/chartutil/dependencies.go b/pkg/chartutil/dependencies.go
+index 205d99e..b7c9bb3 100644
+--- a/pkg/chartutil/dependencies.go
++++ b/pkg/chartutil/dependencies.go
+@@ -16,6 +16,7 @@ limitations under the License.
+ package chartutil
+ 
+ import (
++	"fmt"
+ 	"log"
+ 	"strings"
+ 
+@@ -255,8 +256,8 @@ func processImportValues(c *chart.Chart, merge bool) error {
+ 		for _, riv := range r.ImportValues {
+ 			switch iv := riv.(type) {
+ 			case map[string]interface{}:
+-				child := iv["child"].(string)
+-				parent := iv["parent"].(string)
++				child := fmt.Sprintf("%v", iv["child"])
++				parent := fmt.Sprintf("%v", iv["parent"])
+ 
+ 				outiv = append(outiv, map[string]string{
+ 					"child":  child,
+diff --git a/pkg/lint/rules/chartfile.go b/pkg/lint/rules/chartfile.go
+index 910602b..555ec71 100644
+--- a/pkg/lint/rules/chartfile.go
++++ b/pkg/lint/rules/chartfile.go
+@@ -151,6 +151,9 @@ func validateChartVersion(cf *chart.Metadata) error {
+ 
+ func validateChartMaintainer(cf *chart.Metadata) error {
+ 	for _, maintainer := range cf.Maintainers {
++		if maintainer == nil {
++			return errors.New("a maintainer entry is empty")
++		}
+ 		if maintainer.Name == "" {
+ 			return errors.New("each maintainer requires a name")
+ 		} else if maintainer.Email != "" && !govalidator.IsEmail(maintainer.Email) {
+diff --git a/pkg/lint/rules/chartfile_test.go b/pkg/lint/rules/chartfile_test.go
+index a06d7dc..b46e220 100644
+--- a/pkg/lint/rules/chartfile_test.go
++++ b/pkg/lint/rules/chartfile_test.go
+@@ -143,6 +143,16 @@ func TestValidateChartMaintainer(t *testing.T) {
+ 			t.Errorf("validateChartMaintainer(%s, %s) to return no error, got %s", test.Name, test.Email, err.Error())
+ 		}
+ 	}
++
++	// Testing for an empty maintainer
++	badChart.Maintainers = []*chart.Maintainer{nil}
++	err := validateChartMaintainer(badChart)
++	if err == nil {
++		t.Errorf("validateChartMaintainer did not return error for nil maintainer as expected")
++	}
++	if err.Error() != "a maintainer entry is empty" {
++		t.Errorf("validateChartMaintainer returned unexpected error for nil maintainer: %s", err.Error())
++	}
+ }
+ 
+ func TestValidateChartSources(t *testing.T) {
+-- 
+2.45.4
+
diff --git a/SPECS/helm/helm.spec b/SPECS/helm/helm.spec
@@ -2,7 +2,7 @@
 
 Name:          helm
 Version:       3.14.2
-Release:       8%{?dist}
+Release:       9%{?dist}
 Summary:       The Kubernetes Package Manager
 Group:         Applications/Networking
 License:       Apache 2.0
@@ -29,6 +29,7 @@ Patch1:        CVE-2024-45338.patch
 Patch2:        CVE-2025-32386.patch
 Patch3:        CVE-2025-22872.patch
 Patch4:        CVE-2025-53547.patch
+Patch5:        CVE-2025-55198.patch
 BuildRequires: golang
 
 %description
@@ -58,6 +59,9 @@ install -m 755 ./helm %{buildroot}%{_bindir}
 go test -v ./cmd/helm
 
 %changelog
+* Fri Sep 19 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.14.2-9
+- Patch for CVE-2025-55198
+
 * Thu Sep 04 2025 Akhila Guruju <v-guakhila@microsoft.com> - 3.14.2-8
 - Bump release to rebuild with golang
 
