From a699bbd0390f629ad9f9761a7778a4adfde7f85a Mon Sep 17 00:00:00 2001 From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> Date: Sat, 1 Mar 2025 01:37:38 +0530 Subject: [PATCH] Patch `packer` for CVE-2025-27144 [Medium] (#12688) Co-authored-by: jslobodzian (cherry picked from commit 7550a825baed92d7931246b8eea18a3ff2014201) --- SPECS/packer/CVE-2025-27144.patch | 50 +++++++++++++++++++++++++++++++ SPECS/packer/packer.spec | 6 +++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 SPECS/packer/CVE-2025-27144.patch diff --git a/SPECS/packer/CVE-2025-27144.patch b/SPECS/packer/CVE-2025-27144.patch new file mode 100644 index 00000000000..6015ed48ca9 --- /dev/null +++ b/SPECS/packer/CVE-2025-27144.patch @@ -0,0 +1,50 @@ +From fa324fa38481f9d2da9109cb5983326f62ff7507 Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Fri, 28 Feb 2025 07:45:53 +0000 +Subject: [PATCH] CVE-2025-27144 +Upstream Ref: https://github.com/go-jose/go-jose/commit/c9ed84d8f0cfadcfad817150158caca6fcbc518b + +--- + vendor/gopkg.in/square/go-jose.v2/jwe.go | 5 +++-- + vendor/gopkg.in/square/go-jose.v2/jws.go | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go +index b5a6dcd..cd1de9e 100644 +--- a/vendor/gopkg.in/square/go-jose.v2/jwe.go ++++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go +@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) { + + // parseEncryptedCompact parses a message in compact format. + func parseEncryptedCompact(input string) (*JSONWebEncryption, error) { +- parts := strings.Split(input, ".") +- if len(parts) != 5 { ++ // Five parts is four separators ++ if strings.Count(input, ".") != 4 { + return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts") + } ++ parts := strings.SplitN(input, ".", 5) + + rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0]) + if err != nil { +diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go +index 7e261f9..a8d55fb 100644 +--- a/vendor/gopkg.in/square/go-jose.v2/jws.go ++++ b/vendor/gopkg.in/square/go-jose.v2/jws.go +@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) { + + // parseSignedCompact parses a message in compact format. + func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) { +- parts := strings.Split(input, ".") +- if len(parts) != 3 { ++ // Three parts is two separators ++ if strings.Count(input, ".") != 2 { + return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts") + } ++ parts := strings.SplitN(input, ".", 3) + + if parts[1] != "" && payload != nil { + return nil, fmt.Errorf("square/go-jose: payload is not detached") +-- +2.45.2 + diff --git a/SPECS/packer/packer.spec b/SPECS/packer/packer.spec index 4a19b089117..acfeefe0670 100644 --- a/SPECS/packer/packer.spec +++ b/SPECS/packer/packer.spec @@ -5,7 +5,7 @@ Summary: Tool for creating identical machine images for multiple platform Name: packer Epoch: 1 Version: 1.9.5 -Release: 8%{?dist} +Release: 9%{?dist} License: MPLv2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -37,6 +37,7 @@ Patch1: CVE-2024-6104.patch Patch2: CVE-2024-24786.patch Patch3: CVE-2025-21613.patch Patch4: CVE-2024-28180.patch +Patch5: CVE-2025-27144.patch BuildRequires: golang BuildRequires: kernel-headers BuildRequires: glibc-devel @@ -70,6 +71,9 @@ go test -mod=vendor %{_bindir}/packer %changelog +* Fri Feb 28 2025 Kanishk Bansal - 1.9.5-9 +- Fix CVE-2025-27144 with an upstream patch + * Fri Jan 31 2025 Kanishk Bansal - 1.9.5-8 - Fix CVE-2024-28180 with an upstream patch