From fffaac5dc85fe3f4311eb1e9f33921f98398c6e7 Mon Sep 17 00:00:00 2001 From: Kanishk-Bansal Date: Sun, 2 Mar 2025 19:41:51 +0000 Subject: [PATCH] Patch cert-manager for CVE-2025-22868 & CVE-2025-22869 [High] --- SPECS/cert-manager/CVE-2025-22868.patch | 38 +++++++ SPECS/cert-manager/CVE-2025-22869.patch | 140 ++++++++++++++++++++++++ SPECS/cert-manager/cert-manager.spec | 8 +- 3 files changed, 185 insertions(+), 1 deletion(-) create mode 100644 SPECS/cert-manager/CVE-2025-22868.patch create mode 100644 SPECS/cert-manager/CVE-2025-22869.patch diff --git a/SPECS/cert-manager/CVE-2025-22868.patch b/SPECS/cert-manager/CVE-2025-22868.patch new file mode 100644 index 00000000000..c4f136f3ca1 --- /dev/null +++ b/SPECS/cert-manager/CVE-2025-22868.patch @@ -0,0 +1,38 @@ +From 681b4d8edca1bcfea5bce685d77ea7b82ed3e7b3 Mon Sep 17 00:00:00 2001 +From: Neal Patel +Date: Thu, 30 Jan 2025 14:10:09 -0500 +Subject: [PATCH] jws: split token into fixed number of parts + +Thanks to 'jub0bs' for reporting this issue. + +Fixes #71490 +Fixes CVE-2025-22868 + +Change-Id: I2552731f46d4907f29aafe7863c558387b6bd6e2 +Reviewed-on: https://go-review.googlesource.com/c/oauth2/+/652155 +Auto-Submit: Gopher Robot +Reviewed-by: Damien Neil +Reviewed-by: Roland Shoemaker +LUCI-TryBot-Result: Go LUCI +--- + vendor/golang.org/x/oauth2/jws/jws.go | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/vendor/golang.org/x/oauth2/jws/jws.go b/vendor/golang.org/x/oauth2/jws/jws.go +index 95015648b..6f03a49d3 100644 +--- a/vendor/golang.org/x/oauth2/jws/jws.go ++++ b/vendor/golang.org/x/oauth2/jws/jws.go +@@ -165,11 +165,11 @@ func Encode(header *Header, c *ClaimSet, key *rsa.PrivateKey) (string, error) { + // Verify tests whether the provided JWT token's signature was produced by the private key + // associated with the supplied public key. + func Verify(token string, key *rsa.PublicKey) error { +- parts := strings.Split(token, ".") +- if len(parts) != 3 { ++ if strings.Count(token, ".") != 2 { + return errors.New("jws: invalid token received, token must have 3 parts") + } + ++ parts := strings.SplitN(token, ".", 3) + signedContent := parts[0] + "." + parts[1] + signatureString, err := base64.RawURLEncoding.DecodeString(parts[2]) + if err != nil { diff --git a/SPECS/cert-manager/CVE-2025-22869.patch b/SPECS/cert-manager/CVE-2025-22869.patch new file mode 100644 index 00000000000..c0415fddb0e --- /dev/null +++ b/SPECS/cert-manager/CVE-2025-22869.patch @@ -0,0 +1,140 @@ +From 041b89a18f81265899e42e6801f830c101a96120 Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Sun, 2 Mar 2025 13:46:00 +0000 +Subject: [PATCH] CVE-2025-22869 + +Upstream Reference : https://github.com/golang/crypto/commit/7292932d45d55c7199324ab0027cc86e8198aa22 + +ssh: limit the size of the internal packet queue while waiting for KEX + +In the SSH protocol, clients and servers execute the key exchange to +generate one-time session keys used for encryption and authentication. +The key exchange is performed initially after the connection is +established and then periodically after a configurable amount of data. +While a key exchange is in progress, we add the received packets to an +internal queue until we receive SSH_MSG_KEXINIT from the other side. +This can result in high memory usage if the other party is slow to +respond to the SSH_MSG_KEXINIT packet, or memory exhaustion if a +malicious client never responds to an SSH_MSG_KEXINIT packet during a +large file transfer. +We now limit the internal queue to 64 packets: this means 2MB with the +typical 32KB packet size. +When the internal queue is full we block further writes until the +pending key exchange is completed or there is a read or write error. + +Thanks to Yuichi Watanabe for reporting this issue. + +Change-Id: I1ce2214cc16e08b838d4bc346c74c72addafaeec +Reviewed-on: https://go-review.googlesource.com/c/crypto/+/652135 +Reviewed-by: Neal Patel +Auto-Submit: Gopher Robot +Reviewed-by: Roland Shoemaker +LUCI-TryBot-Result: Go LUCI + +--- + vendor/golang.org/x/crypto/ssh/handshake.go | 47 ++++++++++++++++----- + 1 file changed, 37 insertions(+), 10 deletions(-) + +diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go +index 70a7369..e14eb6c 100644 +--- a/vendor/golang.org/x/crypto/ssh/handshake.go ++++ b/vendor/golang.org/x/crypto/ssh/handshake.go +@@ -24,6 +24,11 @@ const debugHandshake = false + // quickly. + const chanSize = 16 + ++// maxPendingPackets sets the maximum number of packets to queue while waiting ++// for KEX to complete. This limits the total pending data to maxPendingPackets ++// * maxPacket bytes, which is ~16.8MB. ++const maxPendingPackets = 64 ++ + // keyingTransport is a packet based transport that supports key + // changes. It need not be thread-safe. It should pass through + // msgNewKeys in both directions. +@@ -58,11 +63,19 @@ type handshakeTransport struct { + incoming chan []byte + readError error + +- mu sync.Mutex +- writeError error +- sentInitPacket []byte +- sentInitMsg *kexInitMsg +- pendingPackets [][]byte // Used when a key exchange is in progress. ++ mu sync.Mutex ++ // Condition for the above mutex. It is used to notify a completed key ++ // exchange or a write failure. Writes can wait for this condition while a ++ // key exchange is in progress. ++ writeCond *sync.Cond ++ writeError error ++ sentInitPacket []byte ++ sentInitMsg *kexInitMsg ++ // Used to queue writes when a key exchange is in progress. The length is ++ // limited by pendingPacketsSize. Once full, writes will block until the key ++ // exchange is completed or an error occurs. If not empty, it is emptied ++ // all at once when the key exchange is completed in kexLoop. ++ pendingPackets [][]byte + writePacketsLeft uint32 + writeBytesLeft int64 + +@@ -114,6 +127,7 @@ func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, + + config: config, + } ++ t.writeCond = sync.NewCond(&t.mu) + t.resetReadThresholds() + t.resetWriteThresholds() + +@@ -236,6 +250,7 @@ func (t *handshakeTransport) recordWriteError(err error) { + defer t.mu.Unlock() + if t.writeError == nil && err != nil { + t.writeError = err ++ t.writeCond.Broadcast() + } + } + +@@ -339,6 +354,8 @@ write: + } + } + t.pendingPackets = t.pendingPackets[:0] ++ // Unblock writePacket if waiting for KEX. ++ t.writeCond.Broadcast() + t.mu.Unlock() + } + +@@ -526,11 +543,20 @@ func (t *handshakeTransport) writePacket(p []byte) error { + } + + if t.sentInitMsg != nil { +- // Copy the packet so the writer can reuse the buffer. +- cp := make([]byte, len(p)) +- copy(cp, p) +- t.pendingPackets = append(t.pendingPackets, cp) +- return nil ++ if len(t.pendingPackets) < maxPendingPackets { ++ // Copy the packet so the writer can reuse the buffer. ++ cp := make([]byte, len(p)) ++ copy(cp, p) ++ t.pendingPackets = append(t.pendingPackets, cp) ++ return nil ++ } ++ for t.sentInitMsg != nil { ++ // Block and wait for KEX to complete or an error. ++ t.writeCond.Wait() ++ if t.writeError != nil { ++ return t.writeError ++ } ++ } + } + + if t.writeBytesLeft > 0 { +@@ -547,6 +573,7 @@ func (t *handshakeTransport) writePacket(p []byte) error { + + if err := t.pushPacket(p); err != nil { + t.writeError = err ++ t.writeCond.Broadcast() + } + + return nil +-- +2.45.2 + diff --git a/SPECS/cert-manager/cert-manager.spec b/SPECS/cert-manager/cert-manager.spec index 21b33d88f9a..09122712f63 100644 --- a/SPECS/cert-manager/cert-manager.spec +++ b/SPECS/cert-manager/cert-manager.spec @@ -1,7 +1,7 @@ Summary: Automatically provision and manage TLS certificates in Kubernetes Name: cert-manager Version: 1.11.2 -Release: 19%{?dist} +Release: 20%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -32,6 +32,9 @@ Patch9: CVE-2024-45337.patch Patch10: CVE-2024-45338.patch Patch11: CVE-2024-12401.patch Patch12: CVE-2025-27144.patch +Patch13: CVE-2025-22868.patch +Patch14: CVE-2025-22869.patch + BuildRequires: golang Requires: %{name}-acmesolver Requires: %{name}-cainjector @@ -124,6 +127,9 @@ install -D -m0755 bin/webhook %{buildroot}%{_bindir}/ %{_bindir}/webhook %changelog +* Mon Mar 03 2025 Kanishk Bansal - 1.11.2-20 +- Fix CVE-2025-22868 & CVE-2025-22869 with an upstream patch + * Fri Feb 28 2025 Kanishk Bansal - 1.11.2-19 - Fix CVE-2025-27144 with an upstream patch