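--- a/SPECS/ig/CVE-2025-27144.patch
+++ b/SPECS/ig/CVE-2025-27144.patch
@@ -0,0 +1,51 @@
+From 2bc5b8e5cd3b02064b046513ca7e0b6b773f6762 Mon Sep 17 00:00:00 2001
+From: Kanishk-Bansal <kbkanishk975@gmail.com>
+Date: Thu, 13 Mar 2025 19:28:52 +0000
+Subject: [PATCH] CVE-2025-27144
+
+Upstream Reference: https://github.com/go-jose/go-jose/commit/99b346cec4e86d102284642c5dcbe9bb0cacfc22
+
+---
+github.com/go-jose/go-jose/v4/jwe.go | 5 +++--
+github.com/go-jose/go-jose/v4/jws.go | 5 +++--
+2 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jwe.go b/vendor/github.com/go-jose/go-jose/v4/jwe.go
+index 89f03ee..9f1322d 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jwe.go
++++ b/vendor/github.com/go-jose/go-jose/v4/jwe.go
+@@ -288,10 +288,11 @@ func ParseEncryptedCompact(
+keyAlgorithms []KeyAlgorithm,
+contentEncryption []ContentEncryption,
+) (*JSONWebEncryption, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 5 {
++ // Five parts is four separators
++ if strings.Count(input, ".") != 4 {
+return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
+}
++ parts := strings.SplitN(input, ".", 5)
+
+rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
+if err != nil {
+diff --git a/vendor/github.com/go-jose/go-jose/v4/jws.go b/vendor/github.com/go-jose/go-jose/v4/jws.go
+index 3a91230..d09d8ba 100644
+--- a/vendor/github.com/go-jose/go-jose/v4/jws.go
++++ b/vendor/github.com/go-jose/go-jose/v4/jws.go
+@@ -327,10 +327,11 @@ func parseSignedCompact(
+payload []byte,
+signatureAlgorithms []SignatureAlgorithm,
+) (*JSONWebSignature, error) {
+- parts := strings.Split(input, ".")
+- if len(parts) != 3 {
++ // Three parts is two separators
++ if strings.Count(input, ".") != 2 {
+return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
+}
++ parts := strings.SplitN(input, ".", 3)
+
+if parts[1] != "" && payload != nil {
+return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
+--
+2.45.2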
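Review bot: The patch message under `Subject: [PATCH] CVE-2025-27144` gives only the CVE id and the upstream link, so it does not record what is being fixed: both hunks stop calling `strings.Split` on the caller-supplied compact string and check `strings.Count(input, ".")` first, which keeps an input stuffed with separators from being split into an equally large slice before it is rejected. I would add one line to the message saying so, e.g. `go-jose: count "." separators before splitting compact JWE/JWS input (unbounded allocation on malformed input)`. The diffstat lists `github.com/go-jose/go-jose/v4/...` while the `diff --git` headers use `vendor/github.com/...`, so the header looks hand-edited; it is worth confirming the patch applies cleanly at the strip level used in `%prep`. Only the v4 copy is touched; if the vendor tarball also ships another go-jose major version (not visible on this page), the same `strings.Split` pattern there would need the same change. Both function bodies continue outside the hunks.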

6 changes: 5 additions & 1 deletion SPECS/ig/ig.spec
@@ -1,14 +1,15 @@
Summary: The eBPF tool and systems inspection framework for Kubernetes, containers and Linux hosts.
Name: ig
Version: 0.37.0
Release: 1%{?dist}
Release: 2%{?dist}
License: Apache 2.0 and GPL 2.0 for eBPF code
Vendor: Microsoft Corporation
Distribution: Azure Linux
Group: Tools/Container
URL: https://github.com/inspektor-gadget/inspektor-gadget
Source0: https://github.com/inspektor-gadget/inspektor-gadget/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Source1: %{name}-%{version}-govendor-v1.tar.gz
Patch0: CVE-2025-27144.patch
BuildRequires: golang >= 1.23


@@ -65,6 +66,9 @@ fi
%{_bindir}/ig

%changelog
* Fri Mar 14 2025 Kanishk Bansal <kanbansal@microsoft.com> - 0.37.0-2
- Add patch for CVE-2025-27144

* Mon Feb 03 2025 Francis Laniel <flaniel@linux.microsoft.com> - 0.37.0-1
- Bump to version 0.37.0
- Drop patch for CVE-2024-45338 as it was fixed in golang.org/x/net 0.33.0 and ig uses 0.34.0.
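Review bot: `Patch0: CVE-2025-27144.patch` is declared, but `%prep` lies outside both hunks, so this page does not show the patch actually being applied. Because the patch edits files under `vendor/`, it has to run after `Source1` (the govendor tarball) is unpacked; a plain `%setup` with no `%patch` line would leave the fix out of the build without any error. I would confirm that `%prep` unpacks `%{SOURCE1}` first and then applies the patch, e.g. `%autopatch -p1` placed after the vendor extraction. The build log should then show the patch landing on `vendor/github.com/go-jose/go-jose/v4/jwe.go` and `jws.go`.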