From 9d47a42836b0053fd0cb3fe27227bf4db6f9e897 Mon Sep 17 00:00:00 2001
From: "Sreenivasulu Malavathula (HCL Technologies Ltd)"
 <v-smalavathu@microsoft.com>
Date: Thu, 20 Feb 2025 16:23:10 -0600
Subject: [PATCH] [Medium] reaper: Fix CVE-2024-52798 (#12308)

Signed-off-by: Sreenivasulu Malavathula <v-smalavathu@microsoft.com>
Co-authored-by: Riken Maharjan <106988478+rikenm1@users.noreply.github.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
(cherry picked from commit 1fe7fd9173ee82ce0f8611699f4ad29bf6c21e0c)
---
 SPECS/reaper/CVE-2024-52798.patch | 46 +++++++++++++++++++++++++++++++
 SPECS/reaper/reaper.spec          | 11 ++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 SPECS/reaper/CVE-2024-52798.patch

diff --git a/SPECS/reaper/CVE-2024-52798.patch b/SPECS/reaper/CVE-2024-52798.patch
new file mode 100644
index 00000000000..a367211547a
--- /dev/null
+++ b/SPECS/reaper/CVE-2024-52798.patch
@@ -0,0 +1,46 @@
+From 4d91e1915e5e1c9a0e65cb9e47fae3867438ac47 Mon Sep 17 00:00:00 2001
+From: Sreenivasulu Malavathula <v-smalavathu@microsoft.com>
+Date: Sun, 9 Feb 2025 09:15:14 -0600
+Subject: [PATCH] Address CVE-2024-52798
+
+---
+ src/ui/node_modules/path-to-regexp/index.js | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/ui/node_modules/path-to-regexp/index.js b/src/ui/node_modules/path-to-regexp/index.js
+index 39b7caac..4922e0a3 100644
+--- a/src/ui/node_modules/path-to-regexp/index.js
++++ b/src/ui/node_modules/path-to-regexp/index.js
+@@ -72,20 +72,26 @@ function pathToRegexp(path, keys, options) {
+   path = path.replace(
+     /\\.|(\/)?(\.)?:(\w+)(\(.*?\))?(\*)?(\?)?|[.*]|\/\(/g,
+     function (match, slash, format, key, capture, star, optional, offset) {
+-      pos = offset + match.length;
+-
+       if (match[0] === '\\') {
+         backtrack += match;
++	pos += 2;
+         return match;
+       }
+
+       if (match === '.') {
+         backtrack += '\\.';
+         extraOffset += 1;
++	pos += 1;
+         return '\\.';
+       }
+
+-      backtrack = slash || format ? '' : path.slice(pos, offset);
++      if (slash || format) {
++        backtrack = '';
++      } else {
++        backtrack += path.slice(pos, offset);
++      }
++
++      pos = offset + match.length;
+
+       if (match === '*') {
+         extraOffset += 3;
+--
+2.45.2
+
diff --git a/SPECS/reaper/reaper.spec b/SPECS/reaper/reaper.spec
index b2c8857d161..bae30540a65 100755
--- a/SPECS/reaper/reaper.spec
+++ b/SPECS/reaper/reaper.spec
@@ -45,6 +45,11 @@ Patch9:         CVE-2024-48949.patch
 Patch10:        CVE-2024-45590.patch
 Patch11:        CVE-2024-21538.patch
 Patch12:        CVE-2020-28458.patch
+<<<<<<< HEAD
+=======
+Patch13:        CVE-2024-52798.patch
+Patch14:        CVE-2020-24025.patch
+>>>>>>> 1fe7fd917 ([Medium] reaper: Fix CVE-2024-52798 (#12308))
 
 BuildRequires:  git
 BuildRequires:  javapackages-tools
@@ -182,6 +187,12 @@ fi
 %{_unitdir}/cassandra-%{name}.service
 
 %changelog
+<<<<<<< HEAD
+=======
+* Mon Feb 17 2025 Kanishk Bansal <kanbansal@microsoft.com> - 3.1.1-16
+- Patch CVE-2020-24025 and CVE-2024-52798 
+
+>>>>>>> 1fe7fd917 ([Medium] reaper: Fix CVE-2024-52798 (#12308))
 * Sat Nov 16 2024 Sudipta Pandit <sudpandit@microsoft.com> - 3.1.1-15
 - Patch CVE-2024-21538 in node modules
 - Patch CVE-2020-28458 in bower components