[Cherry-pick]: add quotes windows path for CVE (#7029)

* add quotes windows path (#7028) * update changelog * update version to v0.43.1 (#7030) * fix changelog
grafana · Sep 19, 2024 · 2f7c207 · 2f7c207
1 parent 66cbb8c
commit 2f7c207
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,13 @@ This document contains a historical list of changes between releases. Only
 changes that impact end-user behavior are listed; changes to documentation or
 internal API changes are not present.
 
+v0.43.1 (2024-09-19)
+-------------------------
+
+### Security fixes
+
+- Add quotes to windows service path to prevent path interception attack. (@wildum)
+
 v0.43.0 (2024-09-11)
 -------------------------
 

diff --git a/docs/sources/_index.md b/docs/sources/_index.md
@@ -9,7 +9,7 @@ title: Grafana Agent
 description: Grafana Agent is a flexible, performant, vendor-neutral, telemetry collector
 weight: 350
 cascade:
-  AGENT_RELEASE: v0.43.0
+  AGENT_RELEASE: v0.43.1
   OTEL_VERSION: v0.96.0
 refs:
   variants:

diff --git a/packaging/grafana-agent-flow/windows/install_script.nsis b/packaging/grafana-agent-flow/windows/install_script.nsis
@@ -97,7 +97,7 @@ Section "install"
   Call InitializeRegistry
 
   # Create the service.
-  nsExec::ExecToLog 'sc create "Grafana Agent Flow" start= delayed-auto binpath= "$INSTDIR\grafana-agent-service-windows-amd64.exe"'
+  nsExec::ExecToLog 'sc create "Grafana Agent Flow" start= delayed-auto binpath= "\"$INSTDIR\grafana-agent-service-windows-amd64.exe\""'
   Pop $0
 
   # Start the service.
@@ -135,7 +135,7 @@ Function InitializeRegistry
   nsExec::ExecToLog 'Reg.exe query "${REGKEY}" /reg:64 /ve'
   Pop $0
   ${If} $0 == 1
-    nsExec::ExecToLog 'Reg.exe add "${REGKEY}" /reg:64 /ve /d "$INSTDIR\grafana-agent-flow-windows-amd64.exe"'
+    nsExec::ExecToLog 'Reg.exe add "${REGKEY}" /reg:64 /ve /d "\"$INSTDIR\grafana-agent-flow-windows-amd64.exe\""'
     Pop $0 # Ignore return result
   ${EndIf}
 

diff --git a/static/operator/defaults.go b/static/operator/defaults.go
@@ -2,7 +2,7 @@ package operator
 
 // Supported versions of the Grafana Agent.
 var (
-	DefaultAgentVersion   = "v0.43.0"
+	DefaultAgentVersion   = "v0.43.1"
 	DefaultAgentBaseImage = "grafana/agent"
 	DefaultAgentImage     = DefaultAgentBaseImage + ":" + DefaultAgentVersion
 )

diff --git a/tools/gen-versioned-files/agent-version.txt b/tools/gen-versioned-files/agent-version.txt
@@ -1 +1 @@
-v0.43.0
+v0.43.1