From 81cdf0aab3ec207f119edbdb61e0299e3a15ec5a Mon Sep 17 00:00:00 2001
From: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>
Date: Thu, 20 Mar 2025 00:08:51 +0530
Subject: [PATCH] Patch `skopeo` for CVE-2025-27144 [Medium] (#12699)
Co-authored-by: Sam Meluch <109628994+sameluch@users.noreply.github.com>
Co-authored-by: jslobodzian
(cherry picked from commit db9d097b91f8966b17518db25e36bcaae4cc1134)
---
 SPECS/skopeo/CVE-2025-27144.patch | 88 +++++++++++++++++++++++++++++++
 SPECS/skopeo/skopeo.spec | 6 ++-
 2 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/skopeo/CVE-2025-27144.patch
diff --git a/SPECS/skopeo/CVE-2025-27144.patch b/SPECS/skopeo/CVE-2025-27144.patch
new file mode 100644
index 00000000000..5b897aacacb
--- /dev/null
+++ b/SPECS/skopeo/CVE-2025-27144.patch
@@ -0,0 +1,88 @@
+From 4da065cd7a4f7263e96bc7028f674c7730177035 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal
+Date: Fri, 28 Feb 2025 19:31:53 +0000
+Subject: [PATCH] CVE-2025-27144
+Upstream Reference: https://github.com/go-jose/go-jose/commit/5253038e3b5f64a2200b5b6c72107bf9823f4358
+
+---
+ vendor/github.com/go-jose/go-jose/v3/jwe.go | 5 +++--
+ vendor/github.com/go-jose/go-jose/v3/jws.go | 5 +++--
+ vendor/gopkg.in/go-jose/go-jose.v2/jwe.go | 5 +++--
+ vendor/gopkg.in/go-jose/go-jose.v2/jws.go | 5 +++--
+ 4 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jwe.go b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+index 4267ac7..1ba4ae0 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jwe.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jwe.go
+@@ -202,10 +202,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ }
++ parts := strings.SplitN(input, ".", 5)
+
+ rawProtected, err := base64URLDecode(parts[0])
+ if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v3/jws.go b/vendor/github.com/go-jose/go-jose/v3/jws.go
+index e37007d..401fc18 100644
+--- a/vendor/github.com/go-jose/go-jose/v3/jws.go
++++ b/vendor/github.com/go-jose/go-jose/v3/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ }
++ parts := strings.SplitN(input, ".", 3)
+
+ if parts[1] != "" && payload != nil {
+ return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+index a8966ab..faebb8d 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
++++ b/vendor/gopkg.in/go-jose/go-jose.v2/jwe.go
+@@ -201,10 +201,11 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
+
+ // parseEncryptedCompact parses a message in compact format.
+ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+ }
++ parts := strings.SplitN(input, ".", 5)
+
+ rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+ if err != nil {
+diff --git a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+index 1a24fa4..717f04a 100644
+--- a/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
++++ b/vendor/gopkg.in/go-jose/go-jose.v2/jws.go
+@@ -275,10 +275,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
+
+ // parseSignedCompact parses a message in compact format.
+ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+ return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+ }
++ parts := strings.SplitN(input, ".", 3)
+
+ if parts[1] != "" && payload != nil {
+ return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+--
+2.45.2
+
diff --git a/SPECS/skopeo/skopeo.spec b/SPECS/skopeo/skopeo.spec
index 1ed20eece13..6bb9610adc1 100644
--- a/SPECS/skopeo/skopeo.spec
+++ b/SPECS/skopeo/skopeo.spec
@@ -1,7 +1,7 @@
 Summary: Inspect container images and repositories on registries
 Name: skopeo
 Version: 1.14.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -12,6 +12,7 @@ Patch0: CVE-2022-2879.patch Patch1: CVE-2024-6104.patch Patch2: CVE-2023-45288.patch Patch3: CVE-2024-9676.patch +Patch4: CVE-2025-27144.patch %global debug_package %{nil} %define our_gopath %{_topdir}/.gopath
@@ -51,6 +52,9 @@ make test-unit-local %{_mandir}/man1/%%{name}* %changelog +* Sat Mar 01 2025 Kanishk Bansal - 1.14.4-4 +- Fix CVE-2025-27144 with an upstream patch + * Mon Nov 11 2024 Rohit Rawat - 1.14.4-3 - Fix CVE-2023-45288 and CVE-2024-9676
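Review bot: The header of the embedded CVE-2025-27144.patch names the CVE and one upstream commit but never states the hazard, and the added comments (`// Five parts is four separators`, `// Three parts is two separators`) explain only the arithmetic. I would add a description line such as `Count the '.' separators before splitting so a compact JWE/JWS with a very large number of dots is rejected without allocating a slice of that size.`, so a later rebase does not fold the check back into `strings.Split`. The header should also say that the same change was carried to the vendored gopkg.in/go-jose/go-jose.v2 tree, which looks like a manual adaptation of the cited commit (its jwe.go context calls `base64.RawURLEncoding.DecodeString` rather than `base64URLDecode`). The diffstat lists only the four vendored .go files, so scanners that key on the recorded go-jose module versions will presumably keep reporting this CVE; the %changelog entry could read `- Patch vendored go-jose v2 and v3 in place for CVE-2025-27144`.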