From a921f9c76727a0f82fd6b577f9fb0c0f36f051fc Mon Sep 17 00:00:00 2001 From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com> Date: Wed, 12 Mar 2025 00:26:50 +0530 Subject: [PATCH] Patch `containerized-data-importer` for CVE-2025-27144 [Medium] (#12680) Co-authored-by: jslobodzian (cherry picked from commit 6eeb483916fa349f3138615d4046eb4051d8c00d) --- .../CVE-2025-27144.patch | 50 +++++++++++++++++++ .../containerized-data-importer.spec | 6 ++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 SPECS/containerized-data-importer/CVE-2025-27144.patch diff --git a/SPECS/containerized-data-importer/CVE-2025-27144.patch b/SPECS/containerized-data-importer/CVE-2025-27144.patch new file mode 100644 index 00000000000..6015ed48ca9 --- /dev/null +++ b/SPECS/containerized-data-importer/CVE-2025-27144.patch @@ -0,0 +1,50 @@ +From fa324fa38481f9d2da9109cb5983326f62ff7507 Mon Sep 17 00:00:00 2001 +From: Kanishk-Bansal +Date: Fri, 28 Feb 2025 07:45:53 +0000 +Subject: [PATCH] CVE-2025-27144 +Upstream Ref: https://github.com/go-jose/go-jose/commit/c9ed84d8f0cfadcfad817150158caca6fcbc518b + +--- + vendor/gopkg.in/square/go-jose.v2/jwe.go | 5 +++-- + vendor/gopkg.in/square/go-jose.v2/jws.go | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/vendor/gopkg.in/square/go-jose.v2/jwe.go b/vendor/gopkg.in/square/go-jose.v2/jwe.go +index b5a6dcd..cd1de9e 100644 +--- a/vendor/gopkg.in/square/go-jose.v2/jwe.go ++++ b/vendor/gopkg.in/square/go-jose.v2/jwe.go +@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) { + + // parseEncryptedCompact parses a message in compact format. + func parseEncryptedCompact(input string) (*JSONWebEncryption, error) { +- parts := strings.Split(input, ".") +- if len(parts) != 5 { ++ // Five parts is four separators ++ if strings.Count(input, ".") != 4 { + return nil, fmt.Errorf("square/go-jose: compact JWE format must have five parts") + } ++ parts := strings.SplitN(input, ".", 5) + + rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0]) + if err != nil { +diff --git a/vendor/gopkg.in/square/go-jose.v2/jws.go b/vendor/gopkg.in/square/go-jose.v2/jws.go +index 7e261f9..a8d55fb 100644 +--- a/vendor/gopkg.in/square/go-jose.v2/jws.go ++++ b/vendor/gopkg.in/square/go-jose.v2/jws.go +@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) { + + // parseSignedCompact parses a message in compact format. + func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) { +- parts := strings.Split(input, ".") +- if len(parts) != 3 { ++ // Three parts is two separators ++ if strings.Count(input, ".") != 2 { + return nil, fmt.Errorf("square/go-jose: compact JWS format must have three parts") + } ++ parts := strings.SplitN(input, ".", 3) + + if parts[1] != "" && payload != nil { + return nil, fmt.Errorf("square/go-jose: payload is not detached") +-- +2.45.2 + diff --git a/SPECS/containerized-data-importer/containerized-data-importer.spec b/SPECS/containerized-data-importer/containerized-data-importer.spec index 9a5c8999578..74a17afa199 100644 --- a/SPECS/containerized-data-importer/containerized-data-importer.spec +++ b/SPECS/containerized-data-importer/containerized-data-importer.spec @@ -18,7 +18,7 @@ Summary: Container native virtualization Name: containerized-data-importer Version: 1.55.0 -Release: 22%{?dist} +Release: 23%{?dist} License: ASL 2.0 Vendor: Microsoft Corporation Distribution: Mariner @@ -39,6 +39,7 @@ Patch2: CVE-2022-41717.patch Patch3: CVE-2022-32149.patch Patch4: CVE-2024-28180.patch Patch5: CVE-2024-45338.patch +Patch6: CVE-2025-27144.patch %description Containerized-Data-Importer (CDI) is a persistent storage management add-on for Kubernetes @@ -206,6 +207,9 @@ install -m 0644 _out/manifests/release/cdi-cr.yaml %{buildroot}%{_datadir}/cdi/m %{_datadir}/cdi/manifests %changelog +* Fri Feb 28 2025 Kanishk Bansal - 1.55.0-23 +- Fix CVE-2025-27144 + * Mon Jan 06 2025 Sumedh Sharma - 1.55.0-22 - Add patch for CVE-2024-45338