Patch helm for CVE-2026-35206

azurelinux-security · azurelinux-security · commit 97d359e4d2d2 · 2026-04-13T18:51:31.000Z
diff --git a/SPECS/helm/CVE-2026-35206.patch b/SPECS/helm/CVE-2026-35206.patch
@@ -0,0 +1,72 @@
+From 16e3f5f89b13152057ae9a90f95c3128f3164e04 Mon Sep 17 00:00:00 2001
+From: George Jenkins <gvjenkins@gmail.com>
+Date: Fri, 6 Mar 2026 08:01:01 -0800
+Subject: [PATCH] fix: Chart dot-name path bug
+
+Signed-off-by: George Jenkins <gvjenkins@gmail.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/helm/helm/commit/8fb76d6ab555577e98e23b7500009537a471feee.patch
+---
+ pkg/chart/metadata.go   |  3 +++
+ pkg/chartutil/expand.go | 18 ++++++++++++++++++
+ 2 files changed, 21 insertions(+)
+
+diff --git a/pkg/chart/metadata.go b/pkg/chart/metadata.go
+index a08a97c..0e78fda 100644
+--- a/pkg/chart/metadata.go
++++ b/pkg/chart/metadata.go
+@@ -112,6 +112,9 @@ func (md *Metadata) Validate() error {
+ 		return ValidationError("chart.metadata.name is required")
+ 	}
+ 
++	if md.Name == "." || md.Name == ".." {
++		return ValidationErrorf("chart.metadata.name %q is not allowed", md.Name)
++	}
+ 	if md.Name != filepath.Base(md.Name) {
+ 		return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
+ 	}
+diff --git a/pkg/chartutil/expand.go b/pkg/chartutil/expand.go
+index 7ae1ae6..af1dfa3 100644
+--- a/pkg/chartutil/expand.go
++++ b/pkg/chartutil/expand.go
+@@ -17,6 +17,7 @@ limitations under the License.
+ package chartutil
+ 
+ import (
++	"fmt"
+ 	"io"
+ 	"os"
+ 	"path/filepath"
+@@ -51,12 +52,29 @@ func Expand(dir string, r io.Reader) error {
+ 		return errors.New("chart name not specified")
+ 	}
+ 
++	// Reject chart names that are POSIX path dot-segments or dot-dot segments or contain path separators.
++	// A dot-segment name (e.g. ".") causes SecureJoin to resolve to the root
++	// directory and extraction then to write files directly into that extraction root
++	// instead of a per-chart subdirectory.
++	if chartName == "." || chartName == ".." {
++		return fmt.Errorf("chart name %q is not allowed", chartName)
++	}
++	if chartName != filepath.Base(chartName) {
++		return fmt.Errorf("chart name %q must not contain path separators", chartName)
++	}
++
+ 	// Find the base directory
+ 	chartdir, err := securejoin.SecureJoin(dir, chartName)
+ 	if err != nil {
+ 		return err
+ 	}
+ 
++	// Defense-in-depth: the chart directory must be a subdirectory of dir,
++	// never dir itself.
++	if chartdir == dir {
++		return fmt.Errorf("chart name %q resolves to the extraction root", chartName)
++	}
++
+ 	// Copy all files verbatim. We don't parse these files because parsing can remove
+ 	// comments.
+ 	for _, file := range files {
+-- 
+2.45.4
+
diff --git a/SPECS/helm/helm.spec b/SPECS/helm/helm.spec
@@ -2,7 +2,7 @@
 
 Name:          helm
 Version:       3.14.2
-Release:       10%{?dist}
+Release:       11%{?dist}
 Summary:       The Kubernetes Package Manager
 Group:         Applications/Networking
 License:       Apache 2.0
@@ -32,6 +32,7 @@ Patch4:        CVE-2025-53547.patch
 Patch5:        CVE-2025-55198.patch
 Patch6:        CVE-2025-47911.patch
 Patch7:        CVE-2025-58190.patch
+Patch8:        CVE-2026-35206.patch
 BuildRequires: golang
 
 %description
@@ -61,6 +62,9 @@ install -m 755 ./helm %{buildroot}%{_bindir}
 go test -v ./cmd/helm
 
 %changelog
+* Mon Apr 13 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.14.2-11
+- Patch for CVE-2026-35206
+
 * Thu Feb 12 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.14.2-10
 - Patch for CVE-2025-58190, CVE-2025-47911
 
