From 8500dcf39423a3a6d3c2bb385f85ecc87cd2cd45 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Sun, 11 Jun 2023 18:56:54 +0000
Subject: [PATCH] Patch acme.sh/4659 for arbitrary command execution

Temporarily cherry-pick the commits which fix "acme.sh runs arbitrary commands from a remote server" https://github.com/acmesh-official/acme.sh/issues/4659 as trivial backports on top of their 3.0.5 release until such time as we can upgrade. This addresses a remote code execution vulnerability (no CVE assigned yet) which could be exploited by the ACME protocol operator, in our case the admins of the Let's Encrypt certificate authority.

Change-Id: Ib052901a7aa08a9fdbd01d623f4b5d3eee938401
---
 .../roles/letsencrypt-acme-sh-install/tasks/main.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
index 2db5c2cf97..c441f8b629 100644
--- a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
@@ -2,12 +2,20 @@
 git:
 repo: https://github.com/acmesh-official/acme.sh
 dest: /opt/acme.sh
+ # Pinned due to https://github.com/acmesh-official/acme.sh/issues/4416
 version: 3.0.5
 register: clone_acmesh_result
 until: clone_acmesh_result is not failed
 retries: 3
 delay: 2
 
+# Temporary https://github.com/acmesh-official/acme.sh/issues/4659 fix
+# until we can upgrade to 3.0.6 or later
+- name: Patch for issue 4659
+ shell: |
+ git -C /opt/acme.sh cherry-pick 4c30250
+ git -C /opt/acme.sh cherry-pick 327e2fb
+
 - name: Install letsencrypt group
 group:
 name: letsencrypt
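Review bot: In the new `Patch for issue 4659` task the script's exit status is that of the last command only, so a failure of the first cherry-pick (4c30250) is masked whenever the second one succeeds and the play continues with the 4659 fix only half applied; add `set -e` as the first line of the script, or chain the two commands with `&&`. The abbreviated ids should be the full commit hashes so the pin cannot become ambiguous as the upstream repository grows. Because cherry-pick creates commits, the task presumably also needs a git identity configured on the host and will fail on a re-run once both commits are already applied unless the preceding git task resets the checkout to 3.0.5 first; a comment stating that dependency, or a `changed_when` guard, would make the intent explicit.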