diff --git a/SPECS/helm/CVE-2026-35206.patch b/SPECS/helm/CVE-2026-35206.patch
new file mode 100644
index 00000000000..6d21af2e4c5
--- /dev/null
+++ b/SPECS/helm/CVE-2026-35206.patch
@@ -0,0 +1,72 @@
+From 16e3f5f89b13152057ae9a90f95c3128f3164e04 Mon Sep 17 00:00:00 2001
+From: George Jenkins
+Date: Fri, 6 Mar 2026 08:01:01 -0800
+Subject: [PATCH] fix: Chart dot-name path bug
+
+Signed-off-by: George Jenkins
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/helm/helm/commit/8fb76d6ab555577e98e23b7500009537a471feee.patch
+---
+ pkg/chart/metadata.go | 3 +++
+ pkg/chartutil/expand.go | 18 ++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/pkg/chart/metadata.go b/pkg/chart/metadata.go
+index a08a97c..0e78fda 100644
+--- a/pkg/chart/metadata.go
++++ b/pkg/chart/metadata.go
+@@ -112,6 +112,9 @@ func (md *Metadata) Validate() error {
+ return ValidationError("chart.metadata.name is required")
+ }
+ 
++ if md.Name == "." || md.Name == ".." {
++ return ValidationErrorf("chart.metadata.name %q is not allowed", md.Name)
++ }
+ if md.Name != filepath.Base(md.Name) {
+ return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
+ }
+diff --git a/pkg/chartutil/expand.go b/pkg/chartutil/expand.go
+index 7ae1ae6..af1dfa3 100644
+--- a/pkg/chartutil/expand.go
++++ b/pkg/chartutil/expand.go
+@@ -17,6 +17,7 @@ limitations under the License.
+ package chartutil
+ 
+ import (
++ "fmt"
+ "io"
+ "os"
+ "path/filepath"
+@@ -51,12 +52,29 @@ func Expand(dir string, r io.Reader) error {
+ return errors.New("chart name not specified")
+ }
+ 
++ // Reject chart names that are POSIX path dot-segments or dot-dot segments or contain path separators.
++ // A dot-segment name (e.g. ".") causes SecureJoin to resolve to the root
++ // directory and extraction then to write files directly into that extraction root
++ // instead of a per-chart subdirectory.
++ if chartName == "." || chartName == ".." {
++ return fmt.Errorf("chart name %q is not allowed", chartName)
++ }
++ if chartName != filepath.Base(chartName) {
++ return fmt.Errorf("chart name %q must not contain path separators", chartName)
++ }
++
+ // Find the base directory
+ chartdir, err := securejoin.SecureJoin(dir, chartName)
+ if err != nil {
+ return err
+ }
+ 
++ // Defense-in-depth: the chart directory must be a subdirectory of dir,
++ // never dir itself.
++ if chartdir == dir {
++ return fmt.Errorf("chart name %q resolves to the extraction root", chartName)
++ }
++
+ // Copy all files verbatim. We don't parse these files because parsing can remove
+ // comments.
+ for _, file := range files {
+--
+2.45.4
+
diff --git a/SPECS/helm/helm.spec b/SPECS/helm/helm.spec
index a8502c8ea66..4bd65a177ed 100644
--- a/SPECS/helm/helm.spec
+++ b/SPECS/helm/helm.spec
@@ -2,7 +2,7 @@ Name: helm Version: 3.14.2 -Release: 10%{?dist} +Release: 11%{?dist} Summary: The Kubernetes Package Manager Group: Applications/Networking License: Apache 2.0
@@ -32,6 +32,7 @@ Patch4: CVE-2025-53547.patch Patch5: CVE-2025-55198.patch Patch6: CVE-2025-47911.patch Patch7: CVE-2025-58190.patch +Patch8: CVE-2026-35206.patch BuildRequires: golang %description
@@ -61,6 +62,9 @@ install -m 755 ./helm %{buildroot}%{_bindir} go test -v ./cmd/helm %changelog +* Mon Apr 13 2026 Azure Linux Security Servicing Account - 3.14.2-11 +- Patch for CVE-2026-35206 + * Thu Feb 12 2026 Azure Linux Security Servicing Account - 3.14.2-10 - Patch for CVE-2025-58190, CVE-2025-47911
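Review bot: The defense-in-depth guard `if chartdir == dir` in the expand.go part of the backported patch compares against the raw caller-supplied `dir`, while, as far as I can tell, SecureJoin returns a cleaned path (its result comes from filepath.Join), so a `dir` spelled with a trailing slash or a `./` prefix would never compare equal and the guard silently becomes a no-op. Comparing against the cleaned form, `if chartdir == filepath.Clean(dir) {`, keeps the check meaningful regardless of how the extraction root is written. The dot-name and filepath.Base checks now live in both Metadata.Validate and Expand; a small shared helper would keep the two rules in step if either grows. The first comment line above the new checks could also be tightened to `// Reject names that are dot segments ("." or "..") or contain path separators.` Expand's body continues outside the hunk.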