[AUTO-CHERRYPICK] [High] patch reaper for CVE-2025-48387 & CVE-2024-6484 - branch main (#13989)

Co-authored-by: jykanase <[email protected]>

Author: CBL-Mariner-Bot

SPECS/reaper/CVE-2024-6484.patch

@@ -0,0 +1,69 @@
+From 620b02881ae264fe9cffb008626f1c11de4447d4 Mon Sep 17 00:00:00 2001
+From: Sergey Odinokov <[email protected]>
+Date: Tue, 18 Mar 2025 12:00:44 +0700
+Subject: [PATCH] Fix CVE-2024-6484 vulnerability by disabling further event
+ handling
+
+Upstream Link: https://github.com/odinserj/bootstrap/commit/0ea568be7ff0c1f72a693f5d782277a9e9872077
+---
+ src/ui/bower_components/bootstrap/dist/js/bootstrap.js | 2 +-
+ src/ui/bower_components/bootstrap/js/carousel.js       | 2 +-
+ src/ui/node_modules/bootstrap/dist/js/bootstrap.js     | 2 +-
+ src/ui/node_modules/bootstrap/js/carousel.js           | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/ui/bower_components/bootstrap/dist/js/bootstrap.js b/src/ui/bower_components/bootstrap/dist/js/bootstrap.js
+index 8a2e99a5..3bf1104b 100644
+--- a/src/ui/bower_components/bootstrap/dist/js/bootstrap.js
++++ b/src/ui/bower_components/bootstrap/dist/js/bootstrap.js
+@@ -508,7 +508,7 @@ if (typeof jQuery === 'undefined') {
+     var href
+     var $this   = $(this)
+     var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+-    if (!$target.hasClass('carousel')) return
++    if (!$target.hasClass('carousel')) return false
+     var options = $.extend({}, $target.data(), $this.data())
+     var slideIndex = $this.attr('data-slide-to')
+     if (slideIndex) options.interval = false
+diff --git a/src/ui/bower_components/bootstrap/js/carousel.js b/src/ui/bower_components/bootstrap/js/carousel.js
+index 6ff954c9..f878dcda 100644
+--- a/src/ui/bower_components/bootstrap/js/carousel.js
++++ b/src/ui/bower_components/bootstrap/js/carousel.js
+@@ -209,7 +209,7 @@
+     var href
+     var $this   = $(this)
+     var $target = $($this.attr('data-target') || (href = $this.attr('href')) && href.replace(/.*(?=#[^\s]+$)/, '')) // strip for ie7
+-    if (!$target.hasClass('carousel')) return
++    if (!$target.hasClass('carousel')) return false
+     var options = $.extend({}, $target.data(), $this.data())
+     var slideIndex = $this.attr('data-slide-to')
+     if (slideIndex) options.interval = false
+diff --git a/src/ui/node_modules/bootstrap/dist/js/bootstrap.js b/src/ui/node_modules/bootstrap/dist/js/bootstrap.js
+index 170bd608..71087569 100644
+--- a/src/ui/node_modules/bootstrap/dist/js/bootstrap.js
++++ b/src/ui/node_modules/bootstrap/dist/js/bootstrap.js
+@@ -517,7 +517,7 @@ if (typeof jQuery === 'undefined') {
+     var target  = $this.attr('data-target') || href
+     var $target = $(document).find(target)
+
+-    if (!$target.hasClass('carousel')) return
++    if (!$target.hasClass('carousel')) return false
+
+     var options = $.extend({}, $target.data(), $this.data())
+     var slideIndex = $this.attr('data-slide-to')
+diff --git a/src/ui/node_modules/bootstrap/js/carousel.js b/src/ui/node_modules/bootstrap/js/carousel.js
+index a5fcac31..54a44fcf 100644
+--- a/src/ui/node_modules/bootstrap/js/carousel.js
++++ b/src/ui/node_modules/bootstrap/js/carousel.js
+@@ -217,7 +217,7 @@
+     var target  = $this.attr('data-target') || href
+     var $target = $(document).find(target)
+
+-    if (!$target.hasClass('carousel')) return
++    if (!$target.hasClass('carousel')) return false
+
+     var options = $.extend({}, $target.data(), $this.data())
+     var slideIndex = $this.attr('data-slide-to')
+-- 
+2.34.1
+

SPECS/reaper/CVE-2025-48387.patch

@@ -0,0 +1,85 @@
+From 14f532dae3732b4bdba2821d31d6bce663cf8dd5 Mon Sep 17 00:00:00 2001
+From: jykanase <[email protected]>
+Date: Tue, 10 Jun 2025 07:51:46 +0000
+Subject: [PATCH] CVE-2025-48387
+
+Upstream Patch Reference: https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f
+---
+ .../bower/lib/node_modules/tar-fs/index.js    | 39 +++++++++++--------
+ 1 file changed, 22 insertions(+), 17 deletions(-)
+
+diff --git a/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/index.js b/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/index.js
+index 3fd93bc..7659b01 100644
+--- a/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/index.js
++++ b/tmp_local/lib/node_modules/bower/lib/node_modules/tar-fs/index.js
+@@ -266,16 +266,20 @@ exports.extract = function (cwd, opts) {
+     var onlink = function () {
+       if (win32) return next() // skip links on win for now before it can be tested
+       xfs.unlink(name, function () {
+-        var dst = path.join(cwd, path.join('/', header.linkname))
++        var link = path.join(cwd, path.join('/', header.linkname))
+ 
+-        xfs.link(dst, name, function (err) {
+-          if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
+-            stream = xfs.createReadStream(dst)
+-            return onfile()
+-          }
++      fs.realpath(link, function (err, dst) {
++          if (err || !inCwd(dst)) return next(new Error(name + ' is not a valid hardlink'))
+ 
+-          stat(err)
+-        })
++          xfs.link(dst, name, function (err) {
++            if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
++              stream = xfs.createReadStream(dst)
++              return onfile()
++            }
++
++            stat(err)
++          })
++	})
+       })
+     }
+ 
+@@ -297,19 +301,19 @@ exports.extract = function (cwd, opts) {
+       })
+     }
+ 
+-    if (header.type === 'directory') {
+-      stack.push([name, header.mtime])
+-      return mkdirfix(name, {
+-        fs: xfs, own: own, uid: header.uid, gid: header.gid
+-      }, stat)
+-    }
+-
+-    var dir = path.dirname(name)
++    var dir = path.join(name, '.') === path.join(cwd, '.') ? cwd : path.dirname(name)
+ 
+     validate(xfs, dir, path.join(cwd, '.'), function (err, valid) {
+       if (err) return next(err)
+       if (!valid) return next(new Error(dir + ' is not a valid path'))
+ 
++      if (header.type === 'directory') {
++        stack.push([name, header.mtime])
++        return mkdirfix(name, {
++          fs: xfs, own: own, uid: header.uid, gid: header.gid
++        }, stat)
++      }
++
+       mkdirfix(dir, {
+         fs: xfs, own: own, uid: header.uid, gid: header.gid
+       }, function (err) {
+@@ -336,8 +340,9 @@ exports.extract = function (cwd, opts) {
+ 
+ function validate (fs, name, root, cb) {
+   if (name === root) return cb(null, true)
++
+   fs.lstat(name, function (err, st) {
+-    if (err && err.code !== 'ENOENT') return cb(err)
++    if (err && err.code !== 'ENOENT' && err.code !== 'EPERM') return cb(err)
+     if (err || st.isDirectory()) return validate(fs, path.join(name, '..'), root, cb)
+     cb(null, false)
+   })
+-- 
+2.45.2
+

SPECS/reaper/reaper.spec

@@ -6,7 +6,7 @@
 Summary:        Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
 Name:           reaper
 Version:        3.1.1
-Release:        18%{?dist}
+Release:        19%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -49,6 +49,8 @@ Patch13:        CVE-2024-52798.patch
 Patch14:        CVE-2020-24025.patch
 Patch15:        CVE-2024-28863.patch
 Patch16:        CVE-2024-12905.patch
+Patch17:        CVE-2024-6484.patch
+Patch18:        CVE-2025-48387.patch
 
 BuildRequires:  git
 BuildRequires:  javapackages-tools
@@ -114,7 +116,12 @@ popd
 pushd $tmp_local_dir/n/versions/node/14.18.0/lib/node_modules/
 %autopatch -p1 15
 popd
-%autopatch -p1 16
+%autopatch -p1 -m 16
+
+# Removed for CVE-2024-6484.patch as they are unused and contain
+# vulnerabilities that are not easily patched out.
+rm src/ui/bower_components/bootstrap/dist/js/bootstrap.min.js
+rm src/ui/node_modules/bootstrap/dist/js/bootstrap.min.js
 
 rsync -azvhr $tmp_local_dir/ "%{_prefix}/local"
 rm -rf $tmp_local_dir
@@ -192,6 +199,9 @@ fi
 %{_unitdir}/cassandra-%{name}.service
 
 %changelog
+* Thu Jun 05 2025 Jyoti Kanase <[email protected]> - 3.1.1-19
+- Patch CVE-2024-6484 and CVE-2025-48387
+
 * Fri Apr 04 2025 Sandeep Karambelkar ([email protected]> - 3.1.1-18
 - Add patch to fix CVE-2024-12905