Updated telegraf to 1.26.0 to fix CVE-2022-23471

SPECS/telegraf/generate_source_tarball.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+set -e
+
+get_param() {
+    if [ -n "$2" ] && [ "${2:0:1}" != "-" ]; then
+        echo "$2"
+    else
+        echo "Error: argument for ($1) is missing." >&2
+        return 1
+    fi
+}
+
+PKG_VERSION=""
+SRC_TARBALL=""
+OUT_FOLDER="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# parameters:
+#
+# --srcTarball  : src tarball file
+# --outFolder   : folder where to copy the new tarball(s)
+# --pkgVersion  : package version
+#
+while (( "$#" )); do
+    case "$1" in
+        --srcTarball)
+        SRC_TARBALL="$(get_param "$1" "$2")"
+        shift 2
+        ;;
+        --outFolder)
+        OUT_FOLDER="$(get_param "$1" "$2")"
+        shift 2
+        ;;
+        --pkgVersion)
+        PKG_VERSION="$(get_param "$1" "$2")"
+        shift 2
+        ;;
+        -*)
+        echo "Error: unsupported flag $1." >&2
+        exit 1
+        ;;
+  esac
+done
+
+echo "--srcTarball   -> $SRC_TARBALL"
+echo "--outFolder    -> $OUT_FOLDER"
+echo "--pkgVersion   -> $PKG_VERSION"
+
+if [ -z "$PKG_VERSION" ]; then
+    echo "Error: --pkgVersion parameter cannot be empty." >&2
+    exit 1
+fi
+
+if [ ! -f "$SRC_TARBALL" ]; then
+    echo "Error: --srcTarball is not a file." >&2
+    exit 1
+fi
+
+SRC_TARBALL="$(realpath "$SRC_TARBALL")"
+OUT_FOLDER="$(realpath "$OUT_FOLDER")"
+
+echo "Creating a tempdir."
+tmpdir=$(mktemp -d)
+function cleanup {
+    echo "Clean-up: removing tempdir ($tmpdir)."
+    rm -rf "$tmpdir"
+}
+trap cleanup EXIT
+
+pushd "$tmpdir" > /dev/null
+
+NAME_VER="telegraf-$PKG_VERSION"
+VENDOR_TARBALL="$(realpath "$OUT_FOLDER/$NAME_VER-vendor.tar.gz")"
+
+echo "Unpacking the source tarball."
+tar -xf "$SRC_TARBALL"
+
+cd "$NAME_VER"
+echo "Getting the vendored modules."
+go mod vendor
+
+mkdir -p "$OUT_FOLDER"
+
+echo "Tar vendored modules."
+tar  --sort=name \
+     --mtime="2021-04-26 00:00Z" \
+     --owner=0 --group=0 --numeric-owner \
+     --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
+     -cf "$VENDOR_TARBALL" vendor
+
+echo "Telegraf vendored modules are available at ($VENDOR_TARBALL)."
+echo "SHA256: $(sha256sum "$VENDOR_TARBALL")."

SPECS/telegraf/telegraf.signatures.json

@@ -1,6 +1,6 @@
 {
  "Signatures": {
-  "telegraf-1.25.2.tar.gz": "e7038dc5be123a7e8906100d48f145d806030dafbcdb4dbd52f0343b6d1837e0",
-  "telegraf-1.25.2-vendor.tar.gz": "1ed2944aa65471e7ce539bc30c23d4aaeef05e73ffb6eab6a266f788fe8444b8"
+  "telegraf-1.26.0.tar.gz": "ee6933a16930dfd8b32832f0ed9e0393bb14cdb973abc1a773bfb58976470ea8",
+  "telegraf-1.26.0-vendor.tar.gz": "fc29d1b8b635b7cf71aba435b5d16041846bb4604d6e75f6f4b64b8868ffed18"
  }
 }

SPECS/telegraf/telegraf.spec

@@ -1,33 +1,15 @@
 Summary:        agent for collecting, processing, aggregating, and writing metrics.
 Name:           telegraf
-Version:        1.25.2
-Release:        3%{?dist}
+Version:        1.26.0
+Release:        1%{?dist}
 License:        MIT
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 Group:          Development/Tools
 URL:            https://github.com/influxdata/telegraf
-#Source0:       %{url}/archive/v%{version}.tar.gz
-Source0:        %{name}-%{version}.tar.gz
+Source0:        %{url}/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# Use the generate_source_tarbbal.sh script to get the vendored sources.
 Source1:        %{name}-%{version}-vendor.tar.gz
-# Below is a manually created tarball, no download link.
-# We're using pre-populated Go modules from this tarball, since network is disabled during build time.
-# How to re-build this file:
-#   1. wget %{url}/archive/v%{version}.tar.gz -O %%{name}-%%{version}.tar.gz
-#   2. tar -xf %%{name}-%%{version}.tar.gz
-#   3. cd %%{name}-%%{version}
-#   4. go mod vendor
-#   5. tar  --sort=name \
-#           --mtime="2021-04-26 00:00Z" \
-#           --owner=0 --group=0 --numeric-owner \
-#           --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
-#           -cf %%{name}-%%{version}-vendor.tar.gz vendor
-#
-#   NOTES:
-#       - You require GNU tar version 1.28+.
-#       - The additional options enable generation of a tarball with the same hash every time regardless of the environment.
-#         See: https://reproducible-builds.org/docs/archives/
-#       - For the value of "--mtime" use the date "2021-04-26 00:00Z" to simplify future updates.
 Patch0:         add-extra-metrics.patch
 BuildRequires:  golang
 BuildRequires:  systemd-devel
@@ -59,7 +41,10 @@ mkdir -pv %{buildroot}%{_sysconfdir}/%{name}/%{name}.d
 install -m 755 -D %{name} %{buildroot}%{_bindir}/%{name}
 install -m 755 -D scripts/%{name}.service %{buildroot}%{_unitdir}/%{name}.service
 install -m 755 -D etc/logrotate.d/%{name} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
-install -m 755 -D etc/telegraf.conf %{buildroot}%{_sysconfdir}/%{name}/telegraf.conf
+
+# Provide empty config file.
+./%{name} config > telegraf.conf
+install -m 755 -D telegraf.conf %{buildroot}%{_sysconfdir}/%{name}/telegraf.conf
 
 %pre
 getent group telegraf >/dev/null || groupadd -r telegraf
@@ -90,6 +75,9 @@ fi
 %dir %{_sysconfdir}/%{name}/telegraf.d
 
 %changelog
+* Wed Mar 29 2023 Pawel Winogrodzki <pawelwi@microsoft.com> - 1.26.0-1
+- Updating to version 1.26.0 to address CVEs in vendored sources for "containerd".
+
 * Tue Mar 28 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 1.25.2-3
 - Bump release to rebuild with go 1.19.7
 

cgmanifest.json

@@ -28087,8 +28087,8 @@
         "type": "other",
         "other": {
           "name": "telegraf",
-          "version": "1.25.2",
-          "downloadUrl": "https://github.com/influxdata/telegraf/archive/v1.25.2.tar.gz"
+          "version": "1.26.0",
+          "downloadUrl": "https://github.com/influxdata/telegraf/archive/v1.26.0.tar.gz"
         }
       }
     },